Suspicious until proven guilty — the mantra of mandatory data retention regimes. They work on the presumption of guilt and probe your private life deep and far under the pretext of crime prevention and national security. If you raise your voice, they’ll hammer you with the “nothing to hide” argument: If you’ve got nothing to hide, you’ve got nothing to fear.
Governments across the globe use internet service providers (ISPs) and telecommunication companies as pawns to get to your internet and communications data. It’s not just your name or billing address that’s at stake here. Everything you do on the internet — the websites you visit, the time you spend surfing and gaming, the calls you make to your friends, and whatever you download — goes through your ISP, which, in turn, passes through the government’s telescopic eyes.
Just because you’ve got nothing to hide doesn’t mean you must share everything. CyberGhost VPN is committed to defending your right to privacy and online freedom. Use CyberGhost VPN to create a private and impenetrable tunnel for your internet traffic and shield your personal data from third parties like your ISP, the government, and big data companies.
What is Data Retention?
Simply put, data retention is storing specific sets of data and records for set periods of time, using specific collection and storage methods. All businesses and organizations need to keep certain data sets to meet business and legal obligations. These data sets can vary from company to company.
For instance, a cab company needs to retain records, such as:
- Drivers’ information
- Available Cabs
- Current and past trips’ data
- Tax records
And much more.
A manufacturing company, on the other hand, will have to retain:
- Employees’ data
- Production data
- Selling and purchasing activities
- Clients’ information
- Tax records
Government policies and laws control data retention practices, including the data to be stored, the security measures companies should implement, and retention periods.
All data retention isn’t bad. Businesses, organizations, and government departments can’t operate without it. That said, some companies and governments go overboard in collecting and retaining identifiable private data for their own gains. For instance, if the hypothetical cab company above starts storing passengers’ data along with each route they ever took for an unlimited time period, it will be a blatant breach of its customers’ privacy.
In ICT (information communication technology), data retention refers to ICT service providers keeping telecommunication and internet traffic data for a set duration. Governments and state authorities around the globe notoriously mandate broad and excessive ICT data retention to exercise control and conduct mass surveillance.
What is a Data Retention Policy?
Companies must dispose of the data they keep for file keeping, compliance, and other business obligations periodically, so it doesn’t pile up. As records grow in volume, data security and management become expensive. It can jeopardize individuals’ privacy.
That’s why businesses draft data retention policies and procedures to categorize data, state the purpose of retained data, and establish retention periods for each category. These policies are also helpful in maintaining compliance with local and international data protection laws, such as the GDPR (General Data Protection Regulation) in the EU and CCPA (California Consumer Privacy Act) or VCDPA (Virginia Consumer Data Protection Act) in the U.S.
Global data protection regulations stipulate that businesses should only retain the data they need for no longer than required for specified business operations. For instance, your ISP keeps track of your IP address and the data you’ve consumed online to bill you. Your ISP won’t need this record once you’ve cleared your dues, so deleting it seems to be the next logical thing to do. That’s not what typically happens, though.
Most governments impose data retention laws to force ISPs to log and store much more than necessary and for longer than needed.
What are Data Retention Laws?
Governments enact mandatory data retention laws to oblige communication service providers to store users’ data and provide it to government authorities on order. Data retention laws specify the data to be retained, retention periods, access procedures, and penalties for non-compliance.
In most countries, the data ISPs must store includes:
- Name and address of the subscriber
- Subscription identifier
- Time and duration of online sessions
- Device type and model
- Websites and web services accessed
- Calls made and received online
- Duration of calls
- Emails sent and received
- Location data
Unfortunately, data retention isn’t always limited to telecom or internet traffic data, a.k.a metadata. Some draconian mandatory data retention regimes (take Russia, for instance) even store the content of communications and internet traffic.
What is Data Preservation?
Since blanket data retention mandates treat all individuals with suspicion and violate their privacy on mere assumptions, many countries have adopted data preservation instead. Data preservation means service providers preserve the data they already have to assist criminal investigations.
For instance, law enforcement agencies (LEAs) can request an ISP to preserve the records of a prime suspect in a criminal case. Unlike data retention, data preservation won’t give the authorities access to historical traffic, location, and subscriber data. On the downside, data preservation orders don’t exempt communication content like most data retention regulations.
Like data retention, authorities and malicious entities can still misuse and abuse data preservation. Without independent oversight and transparency, data preservation orders are just as intrusive as bulk data retention.
What Countries Have Data Retention Laws?
Many countries have implemented mandatory data retention laws that supersede data protection and privacy laws. Data protection legislation like GDPR and CCPA stipulate that businesses and authorities can’t store more than what’s needed and longer than necessary. Yet, they leave enough room for data retention regimes to dance around judicial exceptions to justify blanket and prolonged data retention.
For example, The European Court of Justice (ECJ) invalidated its bulk Data Retention Directive (Directive 2006/24/EC) in 2014 because it violated the EU’s Charter of Fundamental Rights. Many regimes are still holding on to their illegal practices in the name of combating crimes and national security threats.
Many countries, like Australia, France, and Denmark, have drafted formal and transparent data retention legislation. Others, like the U.S., covertly indulge in data retention without implementing a proper data retention regime. As we explore data retention laws across the globe, remember that a mere absence of data retention mandates in a country doesn’t necessarily make it anti-surveillance or privacy-friendly.
|Country||Applicable Law||Data to be retained||Retention period||Conditions for access|
|Australia||Telecommunications (Interception and Access) Amendment (Data Retention) Act, 2015||Telecom and internet metadata||Three years||The Attorney General grants access without judicial warrants.|
|Russia||The Yarovaya Law, 2016||Telecom and internet metadata +contents of communication||– Three years for metadata – Six months for voice recordings||Judicial warrant required|
|France||French Postal and Electronic Communications Code (CPCE)||Telecom and internet metadata||One year||Administrative authorities and intelligence services can access data without court orders.|
|Italy||Italian Data Protection Code||Telecom and internet metadata||Up to six years||No judicial authorization required|
|Spain||Spanish Data Retention law Act, 2007||All electronic communication metadata||Up to two years||Judicial warrant required|
|Poland||Telecommunications Law, the Code of Criminal Procedure||Communication metadata||One year||No judicial oversight required|
|Ukraine||Law on Electronic Communications||Personal data + communication metadata||One year||LEAs can access data 71 hours before receiving a judicial warrant.|
|Kazakhstan||Law No.94-V ZRK on the Protection of Personal Data||Communication metadata + billing details||Two years||Only Prosecutor Generals’ approval required|
|Sweden||Swedish Data Retention Act 2012||Communications metadata||Six months|
|Czech Republic||The Electronic Communication Act 2005||Communication metadata||Six months||No judicial authorization required|
|Greece||Law No 3917/2011 on Retention of Data||Communication metadata||One year|
|Hungary||The Hungarian Electronic Communications Act 2004||Communication metadata||– Six months for unsuccessful calls – One year for other metadata||No judicial authorization required|
|Belarus||2015 presidential decree on combat against drug trafficking||Personal data + communication metadata||At least one year||No judicial oversight required|
|Switzerland||The Federal Act on Surveillance of the Post and Telecommunications (SPTA), Ordinance on Surveillance of the Post and Telecommunications (OSPT)||Communication metadata||Six months|
|Serbia||Law on Electronic Communications, 2010||Communication metadata||One year||Judicial warrant required|
|Bulgaria||The Electronic Communications Act||Communication metadata||Six months||Subject to court orders|
|Denmark||The Data Retention Executive Order||Personal data + communication metadata||One year||No judicial warrant required|
|Finland||Electronic Communications Services Act||Communication metadata||– Nine months for internet traffic data- One year for telephone data- Six months for VoIP|
|Brazil||The Brazilian Civil Rights Framework for the Internet, Law 12.850 on Organized Crime||Electronic communication metadata||– One year for internet traffic data – Five years for telephone calls data|
|Mexico||2014 Telecommunications Law||Internet traffic data||Two years||Subject to judicial authorization|
|Colombia||Decree 1704 (2012)||Communication metadata||Five years||No judicial warrant required|
|Peru||Decree 1182||Communication metadata||Three years||No judicial warrant required|
|Venezuela||CONATEL’s 2017 administrative ruling||Communication metadata||Unspecified||No judicial warrant required|
|Chile||The Code of Criminal Procedure||Personal information + communication metadata||Two years|
|Nigeria||The Cybercrimes (Prohibition, Prevention, ETC) Act, NCC Guidelines for the Provision of Internet Service||Personal information + traffic data + content of internet communications||– Two years for personal and traffic data- at least 12 months for content of communications||No judicial oversight required|
|Ethiopia||Computer Crime Proclamation, 2016||Communication metadata||12 months||No judicial oversight required|
|Egypt||Cybercrime Law, 2018||Users’ information + traffic data||180 days||No judicial oversight required|
|South Africa||South African Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA)||Communication metadata||Three to five years||Subject to judicial warrant, but no transparency|
|Kenya||Information and Communications Act||Users’ information + call logs||– Unspecified for users’ information- At least three years for call logs||No judicial oversight|
|Angola||Law on Protection of Information Networks and System, 2017||Communication metadata||At least one year||Subject to approval from Prosecutor General or a Magistrate|
|Cameroon||Law on Cybersecurity and Cybercrime in Cameroon||Communication metadata||Ten years|
|China||Measures for Managing Internet Information Services||Communication metadata||60 days||No judicial warrant required|
|India||Information Technology Act, 2000||Personal information + Communication metadata||180 days||No judicial warrant required|
|Indonesia||MCI Regulation 20/2016, MCI Regulation 5/2021||Personal information + Telecommunication metadata||– Five years for all personal details- Three months for telecommunication logs||No judicial warrant required|
|Pakistan||Prevention of Electronic Crimes Act 2016||Personal information + communication metadata||At least one year||Subject to court orders|
|Vietnam||Law on Cyber Information Security (‘LCS’)||Personal information + activity logs||– personal data for as long as the user remains active- activity logs for Three years||No judicial warrant required|
|Iran||Cyber Crime Law, Collection of Electronic Evidence||Communication metadata + content of communication||15 days to six months after the subscription ends|
|North Korea||Unclear||government monitors all electronic communications and intranet activity||unclear||No free internet access for citizens|
Which Countries Don’t Have Data Retention Laws?
|Papua New Guinea||Right to privacy||Targeted data retention is allowed if there’s a judicial warrant.|
|New Zealand||Right to privacy||Targeted data retention is allowed if there’s a police warrant.|
|Fiji||Poor legislation||LEAs can access voluntarily retained data with a judicial warrant.|
|Turkey||To present a false privacy-friendly image.||ISPs share traffic data with authorities by the hour.|
|Germany||Law on hold after court orders||Amendments are in progress.|
|United Kingdom||Incompatibility with privacy laws||The Home Secretary can issue retention notices.|
|Romania||Right to privacy|
|Netherlands||Right to privacy|
|Belgium||Suspended by court||Data retention is still mandatory in high-crime areas.|
|Azerbaijan||Poor legislation||State security services access service providers’ facilities and equipment without judicial oversight.|
|Portugal||Right to privacy, suspended by the court|
|Austria||Right to privacy, suspended by the court.|
|Slovakia||Right to privacy, suspended by the court|
|Norway||Right to privacy||Data retention mandates are under discussion.|
|Ireland||Suspended by ECJ||The government has proposed a ‘quick-freeze’ approach to preserve and retain an individual’s data in specified cases.|
|United States||To maintain a privacy-friendly image||The government and NSA can access traffic data that ISPs and companies retain voluntarily.|
|Argentina||Suspended by court||Authorities can intercept communications for 30 days if the court orders.|
|Canada||Right to privacy|
|Ecuador||Poor legislation||Telecommunications Regulatory and Control Agency (ARCOTEL) can inspect ISPs’ facilities and equipment anytime.|
|Algeria||To present a false privacy-friendly image||The government is known to frilly monitor citizens’ internet activities.|
|Benin||Right to privacy||Data preservation is legal|
|Burkina Faso||Right to privacy|
|Cape Verde||Right to privacy|
|Morocco||To comply with GDPR|
|Bangladesh||Right to privacy||Targeted data retention is allowed without judicial oversight.|
|Japan||Right to privacy|
|Philippines||Right to privacy||Targeted data retention and preservation are allowed. Access to retained data requires court orders.|
|Saudi Arabia||To maintain a false privacy-friendly image||Service providers likely intercept connections.|
|UAE||Service license agreements mandate metadata retention and access points installation.|
|Israel||To maintain a false privacy-friendly image||The ISA collects all communication metadata itself.|
|Hong Kong||Absence of relevant regulations||ISPs must provide data and impose censorship on authorities’ orders.|
|Singapore||Service agreements include data retention mandates.|
|Morocco||Right to privacy||Data preservation regulations are in place|
Data Retention Laws Around the World
Australia has one of the strictest and most invasive data retention regimes among developed nations. Australia’s Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 mandates mobile carriers and ISPs to retain their customer’s communications metadata for three years. Worse still, even private agencies can access this data at the Attorney General’s discretion without a judicial warrant.
It’s a shame that Australian law doesn’t recognize the absolute right to privacy. If you’re in Australia, expect the authorities to know your:
- Email address
- IP address
- Exact location
- When and with whom you communicate via text messages, email, web apps, and calls.
Fortunately, the law graciously excludes the contents of your communication from its data retention obligations. That’s good news if you ignore that privacy laws around the globe recognize metadata can reveal as much about the user as the content itself.
- Papua New Guinea
Papua New Guinea doesn’t have any blanket data retention law. The Cybercrime Code Act 2016 contains provisions relevant to cybersecurity and targeted data retention of criminal suspects. It obligates communication service providers to collect, retain, and produce user data if the court orders.
- New Zealand
The Privacy Act 2020 governs data retention policies for service providers in New Zealand. The law doesn’t mandate data retention, except with a warrant from police or other law enforcement agencies (LEAs).
The law in Fiji doesn’t impose mandatory and blanket data retention. On the downside, the country doesn’t have a general data protection law either. The Cybercrime Act 2021 specifies that LEAs need a judicial warrant to access the data ISPs store for business operations and to intercept real-time traffic and communications.
Russia ‘s blatant internet censorship and mass surveillance efforts are no secret. The Yarovaya Law 2016 imposes extreme and blanket data retention requirements on telecom companies and ISPs.
All mandatory data retention regimes collect communications metadata, but Russia takes it further to include the actual content of communications and voice recordings. Service providers must retain the voice recordings for six months and the metadata for three years.
If Russia’s internet surveillance and data retention mandates failed to give you the creeps, Turkey wouldn’t disappoint. Turkey’s Law on Protection of Personal Data 2016 doesn’t mandate data retention and prohibits non-consensual data collection and sharing. Unfortunately, the reality behind the rosy picture this constitution paints is appalling.
The Information and Communication Technologies Authority (ICTA-BTK) covertly forces ISPs to hand over their customer’s internet data, including:
- WhatsApp communications data
- Email data
- Websites visited
- Apps used
- Duration of internet sessions
- Location data
- Phone call data
Unlike typical data retention regimes that require ISPs to produce data when needed, Turkish ISPs continually share this data with the BTK on an hourly basis with the name and surname of the customer. The BTK can retain this data for as long as it wants since there’s no judicial oversight or transparency.
Germany’s data retention law has seen many twists and turns since its initial approval in 2015. The latest version of Section 113b of the German Telecommunications Act (Telekommunikationsgesetz) — required telecom companies to retain location data for four weeks and other traffic data for ten weeks.
Currently, the law is on hold since many courts declared Germany’s data retention laws incompatible with the European Union’s law. The ECJ also upheld its general and indiscriminate metadata retention ban in its April 2022 judgment in the Graham Dwyer case.
The government now wants to push a ‘quick-freeze’ procedure to retain data based on an initial suspicion. We’ll be keeping a close eye on the progress of these selective data retention efforts.
- The United Kingdom
The U.K. doesn’t have a general data retention mandate for telecom operators and ISPs. Still, the infamous Snoopers’ Charter grants government authorities unlimited surveillance powers.
The mandatory and blanket data retention aspects of The Investigatory Powers Act 2016, a.k.a the Snooper’s Charter, were mothballed in 2017 thanks to the ECJ’s ruling against general and indiscriminate metadata retention. Now, the Home Secretary can issue a retention notice to ISPs. It’s unlawful for the ISPs to disclose the existence of a retention notice, taking us back to square one.
Until June 2022, security services, including MI5, MI6, and GCHQ, could access the retained metadata without independent authorization. Then the High Court ruled against unauthorized access. Currently, LEAs need a judicial order to access the metadata, including telephone records, location history, and internet browsing history, that ISPs store to comply with a retention notice or for general business operations.
Under the French data retention regime, telecom operators and hosting providers must retain data, such as users’ IP addresses, location data, numbers called, and the time and duration of calls, for up to a year. The ECJ has already declared the French regime illegal, but the government still holds on to its data retention mandates insisting that France is currently under a national security threat.
Sadly, France’s security and privacy threats aren’t showing signs of abating soon. Despite ECJ’s numerous rulings against indiscriminate and bulk data retention, nothing substantial has changed for service providers in France.
Italy’s data retention regime imposed the most outrageous data retention periods in Europe. After the 2017 provisions in Article 132 of the Italian Data Protection Code, CSPs have no choice but to retain all traffic data for all subscribers for six years.
In Italy’s defense, the law does limit these obnoxious retention periods for serious criminal offenses like terrorism. It’s just that providers in Italy don’t have the foresight to predict whether an individual will be implicated in the specified serious crimes at some point in the future. So, of course, they resort to retaining all user data just in case.
Following France and Italy’s footsteps, Spanish legislators didn’t bother to modify the Spanish Data Retention law Act 25/2007 to abide by the ECJ rulings. Telecom operators and ISPs are obligated to indiscriminately retain bulk traffic and location data for up to two years.
One thing that offers some peace of mind is competent authorities need a judicial warrant to access this data. What happens if cybercriminals steal your private data from these troves though? I’ll leave that to your imagination.
Poland went above and beyond in implementing the EU’s Data Retention Directive across several laws, including the Telecommunications Law and the Code of Criminal Procedure. Telecom providers and ISPs had to retain all kinds of communication metadata for two years.
After several courts recognized the regime’s flaws and called for amendments, the maximum retention period was reduced to 12 months, and the data can only be used in criminal proceedings.
Still, more than nine intelligence agencies have the authority to access this data without real oversight. Polish law also recognizes crime prevention as a legitimate excuse for accessing retained data. This means authorities can demand your data even if you aren’t an official suspect.
Ukraine’s mandatory data retention regime seems to be at par with the Russian regime in that it also extends the scope of data retention to the content of communications. The Law on Electronic Communications 2020 mandates all electronic communication service providers to retain personal data, communication metadata, location data, and the content of all transmitted information for twelve months.
The Law on Intelligence also allows LEAs to access communications up to 72 hours before receiving a judicial warrant. The state also holds the technical ability and authority to access communications autonomously.
To make matters worse, the Russian government now reroutes internet traffic from the Russian-occupied areas through Russian networks, which means it’s also subjected to Russia’s extremely privacy-intrusive surveillance policies.
After several rounds of implementing and invalidating mandatory data retention laws to comply with the EU’s Data Retention Directive, Romania finally did away with compulsory data retention for good.
Romania hasn’t imposed any data retention since invalidating the second Romanian data retention law, a.k.a the Big Brother law in 2014. It’s one of the few jurisdictions where privacy rules supreme.
Kazakhstan takes after Russia in its implementation of SORM (The System for Operative Investigative Activities) technology, which provides the government with autonomous access to telecom operators’ networks in real-time. Who needs data retention when you’ve got SORM?
Still, Law No.94-V ZRK on the Protection of Personal Data requires ISPs and mobile service providers to retain users’ data for two years, including IP addresses, browsing history, and billing details. The providers must provide access to several security agencies within 24 hours if the Prosecutor General approves.
- The Netherlands
Another praiseworthy European jurisdiction, the Netherlands, currently has no data retention regime. The district court of The Hague invalidated Netherland’s 2009 Telecommunications Data Retention Act (TDRA), which mandated metadata retention for up to 12 months.
In April 2021, the Belgian Constitutional Court struck down the country’s data retention law, which mandated metadata retention for 12 months, for the second time. This year, in July, the Belgian parliament passed another law that replaced blanket data retention with targeted metadata retention.
It seems like a step in the right direction until you realize that the new law allows for mandatory data retention in areas with high crime rates. That effectively constitutes all major Belgian cities, allowing Belgium to impose its data retention regime without violating GDPR and the ECJ’s numerous anti-data retention rulings.
The Swedish Data Retention Act 2012 allows telecom operators and ISPs to retain communication metadata for six months, including failed call data and location data. A Stockholm Administrative District Court upheld the Swedish data retention law even after ECJ invalidated the EU’s Data Retention Directive in 2014.
- The Czech Republic
After several amendments, The Electronic Communications Act 2005 now requires ISPs and telecom providers to store a questionable amount of subscribers’ communication data for six months. Authorities need a judicial warrant to access this data, but specific provisions in the Police Act allow the police to use this data without court authorization.
Law No 3917/2011 on retention of data requires telecom operators and ISPs in Greece to retain communications metadata, including location data, for 12 months.
Azerbaijan doesn’t have a formal legal data retention policy. Still, Article 39 of the Law on Communication mandates service providers to provide government authorities with any subscriber data they retain for business operations on request.
Don’t be fooled by the absence of a mandatory data retention regime in Azerbaijan. State Security Service can access the facility and hardware of any telecom company on a whim. Communication service providers notoriously provide the content of subscribers’ communications without any warrant.
The Portuguese Constitutional Court (PCC) recently struck down specific provisions in Law no. 32/2008 mandating general and indiscriminate traffic and location data retention for one year. As of 19 April 2022, Portugal is no longer a mandatory data retention regime. It’s a remarkable win for privacy advocacy groups in the region.
The Hungarian Electronic Communications Act 2004 requires all communication service providers, including those providing encrypted services, to retain unsuccessful call data for six months and all other metadata for a year. National Security Services don’t need a court order to access this data.
If that’s not enough to send shivers down your spine, the National Security Services blatantly install backdoors in ISPs’ networks. You can never be sure of the extent to which Hungarian authorities autonomously intercept your internet traffic.
Belarus doesn’t have a formal data retention law, except for a 2015 presidential decree on combat against drug trafficking, which mandates ISPs to retain information, such as connection time and duration, data usage, IP addresses, and MAC addresses of users’ devices, for at least one year. Several government institutions can access this data, including the Presidential Administration’s Operations, Analysis Center, and Prosecutor General’s Office.
That’s just the formal legislation with data retention provisions. In practice, all telecommunication providers in Belarus must install surveillance equipment to allow government authorities to intercept their subscribers’ communications in real-time without any judicial oversight. That’s precisely what you’d expect from Europe’s last dictatorship.
After much criticism from civil societies and ECJ’s invalidation of the EU’s Data Retention Directive, in 2014, the Austrian Constitutional Court annulled the Austrian data retention law. Currently, Austria has no mandatory data retention law. The rest of the EU, take notes!
The Federal Act on Surveillance of the Post and Telecommunications (SPTA) and Ordinance on Surveillance of the Post and Telecommunications (OSPT) mandate internet and telecom service providers to retain communications metadata for six months.
The Serbian Law on Electronic Communications 2010 requires all ISPs and telecom operators to store all communication metadata for 12 months. In 2013, the Constitutional Court of Serbia ruled that authorities needed a judicial warrant to access retained data. Despite the ruling, Serbian authorities are known to access this information autonomously.
In 2015, Bulgaria’s Constitutional Court annulled Article 5 of the Electronic Communications Act, which required ISPs to retain communication data for 12 months and provide access to it without a judicial warrant. The Bulgarian parliament amended the law to explicitly exclude the content of communications and reduce retention periods to six months. LEAs also need a court order to access retained data.
Denmark’s Surveillance Law imposed a highly intrusive data retention regime to implement the EU’s Data Retention Directive. The ECJ’s subsequent rulings invalidated blanket data retention, except if there’s a severe national security threat. The Danish government leaned on this exception to keep its data retention law without going against the ECJ’s new rulings.
Section 786e of the new data retention law states that the Minister of Justice can issue general and indiscriminate data retention if Denmark faces a serious threat to national security. Lo and behold, threat assessments from Danish intelligence services have put Denmark under a constant threat from terrorism since the 2000s.
Currently, ISPs and telecom companies must retain communication metadata, including location data and IP addresses, for 12 months. Law enforcement agencies can access this data without prior court orders. As long as the blanket data retention orders are based on general information instead of concrete evidence suggesting security threats, the Danish data retention regime will remain a solid and constant threat to privacy.
Currently, Slovakia has no mandatory data retention regime. The Grand Chamber of the Constitutional Court invalidated the Slovakian data retention regime that required internet, email, and VoIP metadata retention for six months and all other types of communications for a year.
Finnish law, specifically the Electronic Communications Services Act, mandates metadata retention. ISPs, telecom, and internet telephone services must retain data for nine months, 12 months, and six months, respectively.
The Norwegian government has attempted to mandate data retention, but the legislation never went into force.
The government has proposed amendments to the Norwegian Electronic Communications Act to mandate storing subscribers’ IP address allocations, but they’re still under discussion and not enforced. Let’s hope Norway stays free of data retention baggage!
The Communications (Retention of Data) Act 2011 required ISPs and telecom operators to retain communication metadata for one and two years, respectively. Authorities could access this data with practically zero judicial oversight.
In April 2022, the ECJ passed its historic judgment in the Graham Dwyer Case against the Irish Data Retention law, effectively striking Ireland’s broad and blanket data retention regime.
Currently, the government has proposed amendments to the data retention regime. Under the Communications (Retention of Data) (Amendment) Bill 2022, general and indiscriminate data retention will only be allowed on national security grounds and will be subject to approval from a High Court Judge.
It also proposed a ‘quick-freeze’ system that allows judges to order service providers to preserve a person’s data only if they become a suspect in a serious crime. Under the new system, authorities will be able to apply for data retention for up to a year. Until the parliament passes the bill, Ireland is free of mandatory data retention.
- The United States
The U.S. doesn’t have any blanket data retention laws. The Stored Communications Act (SCA) and The Electronic Communication Transactional Records Act let the government access the data telecom operators and ISPs collect voluntarily or for business needs. These laws also mandate service providers to retain a user’s data for up to 180 days if the government asks.
Government entities need a court order to compel ISPs to share subscribers’ personal and communication data. That said, authorities don’t need a judicial warrant if the telecom company or the ISP shares this data voluntarily. The National Security Agency (NSA) collects all kinds of internet traffic data under a program called PRISM. The FBI can also issue a National Security Letter to US-based companies to obtain access to retained data without a warrant.
Still, some US states have decent data protection legislation that gives you some control over your private and internet traffic data. In Nevada, Minnesota, and Maine, your ISP needs explicit permission to grant access to your personal information. You can also request that service providers alter or delete your data if you’re in:
The Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet, or MCI) requires ISPs to retain subscribers’ connection data for 12 months. Application providers in Brazil also need to retain access records for six months. Law 12.850 on organized crime also includes data retention mandates, including retention of telephone call logs for five years.
The 2014 Telecommunications Law obligates ISPs to retain users’ traffic metadata for two years and provide access to security agencies as needed. Article 189 of the same law also compels ISPs to provide users’ location data to police, military, or other security agencies in real-time.
In 2016, a Supreme Court ruling upheld the mandatory data retention regime but restricted access to specific authorities, including federal prosecutors, police, and the agency in charge of imposing the National Security Law. Authorities also need a judicial order to access retained metadata, except in the case of an emergency.
Decree 1704 (2012) compels internet and telecom service providers in Colombia to retain subscriber data, including communication history, location data, and device identification, for a staggering five years. Yes, you read that right!
Article 2 of Decree 1704 also mandates ISPs to set up access points in their infrastructure to allow LEAs to access and capture traffic in real-time. And no, LEAs don’t need a judicial warrant for any of this.
If a country could beat Colombia’s outrageous retention periods, it’s Argentina. Luckily, the Supreme Court annulled the mandatory data retention provisions in the National Telecommunications Law of 2003. The law previously required ISPs to store traffic data for ten years.
Currently, Argentina doesn’t practice bulk data retention. The Criminal Procedure Code requires communication service providers to set up their infrastructure to immediately intercept an individual’s data for up to 30 days if a court orders them to do so.
Canada hasn’t imposed a mandatory data retention regime. The Canadian Department of Justice has tried to introduce a ‘data preservation’ approach numerous times. The system would allow authorities to preserve data of suspects in active criminal investigations, but kudos to the Canadian MPs who didn’t let data retention prevail in any form.
There’s a slight exception though. As of August 2021, the technical paper for harmful online content requires that Online Communications Service Providers (OCSPs) retain and share data about individuals who may have shared harmful content online.
Peruvian presidency enacted Decree 1182, a.k.a Ley Stalker, granting the national police the authority to access the location data of any device, anytime, without a judicial warrant. The decree also mandated communication service providers to retain communication metadata for three years.
The police can conveniently access this data and notify the district attorney later at any time within 24 hours. The attorney may take another 24 hours to notify a judge, and the judge can also take up to 24 hours to establish the legality of the access. If the access request turns out to be illegal, the police will still have had access to data for up to 72 hours. Talk about legal loopholes!
Forget about Colombia and Argentina; the Venezuelan data retention mandates don’t include any obligation to delete retained data ever. The National Commission of Telecommunications (CONATEL) issued an administrative ruling in 2017 that required telecom operators to collect users’ IP addresses, the time and duration of connections, location data, and call logs. Telecoms must provide this data to security services without a judicial order.
The Code of Criminal Procedure states that all ISPs must retain users’ IP address information, websites visited, date, time, and duration of the connection, billing history, and location history for two years.
Ecuador has no mandatory data retention regime. Still, the Organic Law of Telecommunications requires ISPs to oblige to any request for information from the Telecommunications Regulatory and Control Agency (ARCOTEL). ISPs must also allow ARCOTEL to conduct inspections of their facilities and equipment.
Judges can order ISPs to disclose the communication data they typically store to LEAs. Mobile operators are also obliged to implement geolocation to find out the accurate location of a device in case of an emergency.
Guatemala lacks comprehensive data protection legislation, with no mandatory or blanket data retention laws. Still, under the Ley Contra la Delincuencia Organizada (Law Against Organized Crime), the government can intercept the communications of any individual if it has a judicial warrant.
The Cybercrimes (Prohibition, Prevention, ETC) Act, 2015, mandates all electronic communication service providers in Nigeria to retain all subscribers’ information and traffic data for two years. Service providers are required to retain additional data, including the content of communications, on law enforcement authorities’ request.
As per the Guidelines for the Provision of Internet Service, the NCC (Nigerian Communications Commission) requires all ISPs to retain users’ identification data, traffic data, and content of communications for a minimum of 12 months.
Ethiopia enacted the Computer Crime Proclamation in 2016, which mandates all electronic communication service providers to retain communication metadata for a minimum of 12 months. Sadly, Ethiopia doesn’t have any formal data protection legislation, so there’s little transparency and oversight in its data access procedures.
The 2018 Cybercrime Law compels all telecoms and ISPs to retain users’ identification data and traffic data for 180 days. Authorities can access retained data without any judicial oversight. Although Egypt adopted the Personal Data Protection Law (PDPL) in 2020, it failed to address or repeal the data retention mandates set forth in the Cybercrime Law.
Overall, the state monitors all electronic communications and internet activities excessively through various surveillance technologies. These surveillance operations are a blatant violation of the country’s data protection law, yet authorities are never held accountable.
- South Africa
Section 30 of the 2002 South African Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) compels all telecoms and ISPs to retain communication metadata for three to five years. The law also forces ISPs to install interception technologies on their networks.
Law enforcement agencies need a judicial warrant to access retained data. In practice though, access mostly occurs without any transparency or judicial oversight.
Kenya’s Information and Communications Act, 1998, requires electronic communication service providers to retain call logs for at least three years and subscribers’ information for an unspecified time. Although excessive, the regulations seem to be like any other data retention regime at first glance. Except, independent reports indicate that Nigerian law enforcement and national security agencies maintain a physical presence in service providers’ facilities.
The government has a reputation for investing heavily in surveillance technologies and abuses the counter-terrorism exceptions specified in the 2019 Data Protection Act.
Algeria doesn’t have mandatory data retention laws. The Law on Specific Rules On the Prevention and Fight Against Information Technologies and Communication Crimes mandates ISPs and telecom operators to assist judicial police and authorities in conducting targeted surveillance and retaining data for six months or more. Authorities need a judicial order to access this data, which they can receive only on national security grounds or to combat terrorism.
Reports indicate that despite legislation, the government freely monitors internet activity without judicial oversight. The government uses surveillance to curtail freedom of speech and political activism.
Morocco doesn’t have mandatory data retention laws. Authorities can issue data preservation orders to electronic communication service providers for 90 days (subject to renewal on court orders) to gather electronic evidence in criminal investigations.
The 2017 Law on Protection of Information Networks and Systems requires telecom companies and ISPs to store traffic and location data for at least one year. Only the prosecutor general or a magistrate can grant access to retained data.
Benin doesn’t have a mandatory and blanket data retention law. The Intelligence Services Act in Benin allows authorities to request that ISPs retain traffic and location data only if it can aid in serious crime investigations. Access to this data requires written authorization from the National Commission to control surveillance measures.
Botswana doesn’t have mandatory data retention regulations. The Counter Terrorism Act allows judges to order interception and retention notices to communication service providers if the judge finds reasonable grounds to believe the intercepted data can prevent terrorism or reveal the location of a suspect.
Overall, Botswana’s legislation seems to be quite vague and lacking in that it doesn’t have any provisions for managing retained data. It also doesn’t specify a retention period.
- Burkina Faso
Burkina Faso has no mandatory data retention laws despite instability and security challenges. Law No. 61-2008 prohibits electronic communication service providers from retaining identifiable traffic or location data. However, providers can defer disposing of or anonymizing user data for up to a year for research,identification, or prosecution of criminal offenses.
Section 25 of the Law on Cybersecurity and Cybercrime in Cameroon mandates all electronic communications service providers to retain traffic data for an entire decade. To make matters worse, service providers must also set up mechanisms for monitoring traffic on their networks.
- Cape Verde
Cape Verde doesn’t impose mandatory data retention requirements. The 2017 Law on Cybercrime and the Collection of Electronic Evidence allows authorities to intercept and monitor communications data for investigating terrorism or highly-organized crimes. Surprisingly, the law doesn’t obligate intermediaries, such as ISPs or telecom operators to assist in monitoring or intercepting communications.
Chad doesn’t obligate bulk data retention on service providers. The Law on Cybersecurity and Cybercrime includes provisions for data preservation and lawful interception of communications in exceptional cases.
China’s draconian surveillance policies are no secret. Various laws and regulations outline data retention mandates for electronic communication service providers. Article 14 of Measures for Managing Internet Information Services stipulates all ISPs must retain user information, such as the user names, IP addresses, activity logs, and the type of device used, for 60 days and provide it to authorities on request, even without a judicial warrant.
Other laws, like the Measures for the Management of E-mail Services and CAC (Cyberspace Administration of China) rules, oblige email service providers and app providers to retain activity logs, communication metadata, and personal information for 60 days. Chinese authorities can physically access ISP facilities and equipment anytime on national security grounds or to assess cybersecurity practices.
India’s en route to becoming South Asia’s most intrusive surveillance regime. Earlier this year, the Indian Computer Emergency Response Team (CERT-In) issued several excessive and broad data retention directions under the Information Technology Act, 2000. ISPs and other service providers and intermediaries must enable and retain logs of their systems for 180 days.
VPN providers, cloud service providers (CSPs), data center operators, and crypto exchanges must retain user logs for at least five years. Service providers must hand over this data, including customers’ names, IP addresses, activity logs, and communication metadata, to authorities if they request it. Several VPN providers had to pull out of India to comply with their privacy policies.
Adding insult to injury, service license agreements in India mandate telecom operators and ISPs to install technology for centralized interception and monitoring. The 2011 Equipment Security Agreement requires communication service providers to install location tracking systems to accurately pinpoint subscribers’ current location if the licensor of a security agency demands so.
Ministry of Communications and Informatics (MCI) Regulation 20/2016 mandates that all telecom and internet infrastructure operators have to retain customers’ data for at least five years. In addition, MCI Regulation 5/2021 requires telecom operators to retain all customer logs for at least three months after user inactivity.
Notwithstanding international privacy standards, Ministerial Regulation 5 (MR5) puts a blanket obligation on all private electronic service operators (ESOs) in Indonesia to provide law enforcement agencies access to their facilities and equipment without a judicial warrant.
Prevention of Electronic Crimes Act 2016 (PECA) requires communication service providers to retain all traffic data for one year or more if a judge orders. Retained data must include:
- users’ names
- national identity card number
- mobile phone number
- session time and duration
- access logs
- IP and media access control (MAC) address of electronic devices
Service providers can face a one-year jail term or up to 10 million PKR in fines if they fail to comply with data retention and access requirements.
Bangladesh does not have mandatory blanket data retention laws. Still, the 2001 Bangladesh Telecommunication Regulatory Act allows the government to request telecom operators to retain an individual’s data for as long as required. The act allows the government to intercept communications and data without court orders on national security grounds.
Japanese law doesn’t enforce mandatory data retention. Four major ISPs drafted voluntary guidelines to inform police of subscribers that endorse suicide and other acts of self-harm on the internet. The state itself doesn’t mandate any data retention for ISPs.
The Philippines doesn’t impose blanket data retention, but the Cybercrime Prevention Act allows targeted data retention and preservation for cybercrime investigation. ISPs must preserve data for up to six months if law enforcement requests. However, LEAs require a judicial warrant to access retained data.
Vietnam released a draft decree in February 2021 about the Law on Cyber Information Security (‘LCS’), establishing a mandatory data retention regime. Service providers must store user data, including personal data and activity logs, and provide access to authorities without the data subject’s consent or even a judicial order.
Vietnam’s data retention periods are some of the longest in the region. Service providers must retain activity logs for 36 months and personal data for as long as the user remains a subscriber.
Within Asia, Iran’s draconian data retention regime is second only to China. Chapter 2 of Iran’s Cyber Crime Law, Collection of Electronic Evidence, addresses data retention mandates in detail. ISPs must retain subscribers’ internet traffic data, including the content of communications, and personal data, such as the IP address, geographical location, and identity information.
Retention periods vary from 15 days to 6 months after termination of the subscription. Providers may end up having to retain user data for decades.
- Saudi Arabia
Saudi legislation doesn’t have any blanket data retention mandates. If anything, The Electronic Transactions Law requires telecom operators and ISPs to respect and maintain the confidentiality of all data they obtain for business obligations. ISPs must also dispose of identifiable information once it has served its purpose.
Before we crown Saudi as the privacy champion of the world, let’s not forget that censorship and surveillance are pretty robust features of the Saudi regime. Many reports suggest that in practice, ISPs and telecom operators likely intercept communications and retain subscriber data for Saudi authorities and LEAs.
- North Korea
North Korea remains the undisputed champion of censorship and surveillance. The internet landscape in North Korea is the practical definition of living under the rock. Only some high-level government officials and certain universities enjoy monitored access to the global internet. Others can only access the country’s intranet — Kwangmyong.
While it’s unclear what North Korean legislation holds, the country consistently tops the list of privacy violators. The Ministry of Public Security (MPS) closely monitors each connection to Kwagmyong. Each mobile phone is a surveillance tool, allowing the government to access and retrieve the owner’s application usage data and browsing history.
UAE is another shining example of zero transparency. The law doesn’t include blanket data retention mandates, but reports suggest otherwise. Service providers in UAE are known to monitor individuals’ traffic for LEAs. Service license agreements also mandate service providers to store communication metadata and provide access points to authorities under the pretext of public interest, safety, and national security.
Israel doesn’t have official mandatory data retention provisions. That’s because Israel doesn’t need any — the ISA transfers and collects all communication metadata from telecoms and ISPs’ networks under a formerly classified counterterrorism metadata retention program, a.k.a the tool. Why ask ISPs to retain data when you can do it yourself?
The program came under public scrutiny only after the government repurposed it for COVID-19 contact tracing. Currently, it’s facing legal challenges but only in the context of COVID-19 contact tracing.
The Israeli Criminal Procedure (Telecommunications Data) Law also allows authorities to collect and store data from telecommunication and internet service providers to detect, investigate, or prevent serious crimes, save a human life, or locate an offender.
- Hong Kong
Hong Kong also doesn’t impose mandatory data retention regulations. Yet, under the 2020 National Security Law (NSL), the government and the police can intercept communications and secretly monitor individuals under the Chief Executive’s orders.
Although there’s no formal data retention law in Singapore, service licenses granted to telecom operators and ISPs contain data retention conditions. The scope of data to be retained and retention periods can vary, but in general:
- Data retention records include subscribers’ personal data and communication metadata.
- Providers must retain this data for 12 months.
Singapore’s Computer Misuse Act (CMA) and Cybersecurity Act are so broadly phrased that the government can obtain access to any retained data or compel ISPs to monitor individuals without a judicial warrant.
How Long Can ISPs and Companies Keep Data on Me?
Most jurisdictions, especially those that have implemented GDPR, require businesses to delete their employees’ and customers’ data as soon as it’s served the purpose they stored it for. Mandatory data retention regimes exempt electronic communication service providers, including ISPs, from prompt data disposal obligations.
Each country sets its own data retention periods, which determines how long ISPs can keep data on you. You’ve probably gathered from our compilation above that it could be a few years, even decades, before ISPs let go of your private data and browsing history.
Can Companies and ISPs Sell My Data to Other Parties?
Absolutely! ISPs worldwide are known to profit from their subscribers’ data. They sell it to third parties, like data brokers, independent advertisers, and government agencies. Data protection legislation prohibits them from selling personal data, but they often find legal workarounds. For instance, most countries allow data processing for legitimate interests. The term is subject to interpretation, and ISPs cash in on that.
If you’re in the U.S., the government suspended the FCC’s (Federal Communications Commission) Privacy Order that restricted ISPs from using your personal data. Currently, ISPs can legally sell your data unless you explicitly opt-out of their data processing and selling practices through their websites. Even then, some ISPs have caught heat for using subscribers’ data despite their privacy policies stating otherwise.
GDPR rules apply in the majority of the European market. ISPs can’t harvest your data for sale without your explicit and informed consent. You should be in the clear if you didn’t allow your ISP to process your data or if you revoked your consent later. Still, ISPs collect and sell anonymized data, i.e., data without identifiers such as your IP address. The only problem is third parties can re-identify anonymized data.
Data is such a valuable commodity in the modern business world that many service providers will secretly hold on to it despite the risk of facing heavy penalties.
Can Companies and ISPs Give My Data to the Government?
It might be illegal and tricky to sell your data to companies but selling it to the government is legal and straightforward in most countries. If you skim through our exhaustive list of data retention laws, you’ll find only a handful of jurisdictions wholly and explicitly prohibit ISPs from handing over your data to the government.
In most countries, criminal codes and electronic evidence laws push ISPs to store data on the government’s order. Access restrictions are mostly toothless, and ISPs have no choice but to comply. The government could be actively monitoring you for a while, only to conclude your innocence.
Some authoritarian regimes also play around with these laws to expand their powers beyond their existing scope and to mute defiant voices.
Does a VPN Prevent Data Retention?
Yes, a VPN can limit data retention simply because it encrypts your traffic end-to-end. Your ISP can’t see the websites you visit or your online activities when you’re using a VPN. That said, a VPN can’t completely prevent data retention, no matter what providers claim.
Your ISP assigns you an IP address, so it will know your original IP address and, in many cases, your router’s MAC address, too. Your ISP is your gateway to the internet. Even encrypted traffic must pass through its servers. That’s why your ISP will know when you’re using a VPN. Though it can’t see your online activities or the websites you visit, it can see your connection duration and the amount of data you consume.
That information, along with the personal details you handed over when you signed up, allows them to track or limit your bandwidth and data consumption and bill you accordingly. That’s just the nature of the internet services you consume.
To put it simply, here’s a table summarizing what your ISP can and can’t see:
|Data||With VPN||Without VPN|
|Content of communication||❌||✔️ (for HTTP websites) ❌(for HTTPS websites)|
|Downloads and uploads||❌||✔️ (for HTTP websites)❌ (for HTTPS websites)|
Essentially, your ISP can’t keep track of the websites you visit, the activities you do, and the data you send or receive online when you use a VPN. It will still have your personal data, location history, and billing details no matter what tools you use. That’s why we need better data protection legislation that prohibits data retention altogether.
Raise Your Voice to Retain Your Privacy
Governments claim logging online activities can help LEAs investigate crimes. Except, the majority of netizens aren’t hiding heinous criminal schemes. They’re simply unwilling to share their medical, financial, and relationship history with their internet service providers (ISPs) and government authorities.
Besides, those who genuinely need to hide something have ways to circumvent mass surveillance and data retention anyway. That’s no excuse to expose billions of law-abiding citizens to accidental exposure or organized data theft and extortion.
Privacy is already a rarity thanks to mass surveillance and blanket data retention. If we don’t raise our voices today, we might as well prepare for state cameras installed in houses and courtyards because state surveillance won’t stop here.
What is data retention?
Data retention is storing a user’s data for a specific time period. Companies need to keep their customers and employees’ personal data for business operations, such as payroll management, billing, and service customization.
For years, governments have pushed telecommunication and internet service providers (ISPs) to retain the data they have access to, including subscribers’:
- Identification data
- IP addresses
- Call and activity logs
- Browsing history
- Connection duration
- Device information
ISPs only need to retain some of this data for a couple of billing cycles, but data retention laws compel them to store everything for much longer.
Does data retention differ from one country to another?
Yes, each country has its own data retention regulations, as specified in its data protection laws. Each country may have different retention periods for different data categories. Typically, data protection regulations, such as the GDPR and CCPA, allow companies to retain only the data they absolutely need and delete it as soon as it has served its purpose.
Many countries have additional data retention laws pertaining to ISPs. They allow ISPs to store more than they need for business operations and for much longer. The data ISPs must retain and retention periods all vary from country to country.
What do data retention policies apply to?
Data retention policies apply to all types of personal data companies hold on their employees and customers. For telecom and internet service providers, subscribers’ data includes everything from their personal information to call logs and location data.
Companies need to form their data retention policies based on the data protection laws applicable to them. Telecoms and ISPs must also consider the data retention laws of the country they’re operating in. Otherwise, they can lose their licenses and face sanctions.
How can I keep the government and ISPs from collecting my data?
A few simple steps can limit data retention as much as technically possible.
- Always use a reliable VPN with a state-of-the-art server infrastructure and encryption technology when you connect to the internet.
- Stick to HTTPS websites only when browsing the web.
- Learn about the data protection laws in your state. In many states, you can opt out of your ISP’s data retention practices or request ISPs to delete the data they have on you.