In today’s fast-paced digital world, where physical boundaries between countries are increasingly porous, many believe that data should be collected to help protect national security, while others see data retention as inherently intrusive and often merely as an exertion of state power. Whatever your opinion, it’s clear that government attitudes to data are changing, all too often at the expense of a citizen’s right to privacy and freedom from criminal suspicion.
Over the last two years it has become apparent that many influential governments, including those in Australia, the UK, the US, Russia, and others, have brought in measures to retain data on a mass scale. Perhaps the most significant moment in this development came in 2013, when whistleblower Edward Snowden revealed the extensive spying operations of the NSA and of GCHQ in the UK. This disclosure led to widespread concern, first and foremost about the privacy of sensitive citizen data, and second about whether or not citizens can trust their governments.
Since then, there has been an almost continual stream of confusing legislation on data retention, including constant amendments and challenges, and it is becoming ever less clear how and why governments retain data. To help clarify current data retention laws, we’ve put together this guide on government, and in some cases corporate, access, collection, storage, and transfer of data.
First, we’ll look at those governments with the worst data retention policies, and then we’ll turn to those where data retention is minimal or non-existent. To help us distinguish between the two we’ve referred to several articles and studies published by the Electronic Frontier Foundation, the leading nonprofit organization protecting digital rights across the globe, as well as the EU data retention laws laid out here.
Note, the EU list is up-to-date as of July 2015. Keep an eye out for our news updates concerning major legislative changes.
Countries with the worst data retention laws
Australia has been tightening its data retention laws over the past few years, as well as its approach to alleged copyright infringement and piracy.
In March 2015 a mandatory data retention bill was passed into law whereby all internet data may be retained for up to two years without judicial warrant, except for the controversial ‘journalist information warrant’.
The Australian government has also brought in anti-piracy laws in recent months. In June 2015, the Senate voted in favor of allowing traditional copyright holders to take suspected piracy websites to court. The legislation has been labelled Australia’s ‘second internet filter’ by Greens Senator Scott Ludlam with reference to the section 313 legislation, which allows federal agencies to block certain websites deemed criminal.
The latest data retention bill builds on ‘The Privacy Act’ amendments, which came into force on 12 March 2014 and extended the investigatory powers of the state’s Privacy Commissioner.
Mainland China has tough legislation in place that requires all providers of internet content with servers in the country to retain data, as well as nationwide censorship and the power to restrict online access and block communications entirely.
All ISPs must retain website content data, user data, such as subscriber access counts, account numbers of subscribers, and other information, for a period of 60 days. Law enforcement agencies can then request this information at will. Online publishing, news, and electronic notice services must keep records of content, domain names and times, as well as user account and telephone details, for a period of 60 days.
Many other aspects of online activity are also monitored by the state, including online gaming, which is closed off entirely to foreign investment, and music and video, providers of which must obtain special licenses before posting online.
In July 2015 China’s Ministry of Public Security temporarily blocked Reddit, and it has in the past blocked numerous other social networks and media sources.
In Finland, internet service providers (ISPs) are obliged to share user data with the government, which can be accessed by ‘competent authorities’ without a judicial warrant. Retained data is stored for twelve months.
The Data Retention Directive, which oversees data retention and was introduced back in 2006, has come under criticism with the Court of Justice of the European Union (CURIA) calling the legislation a breach of ‘the fundamental rights to respect for private life and to the protection of personal data’.
Another concerning element of the law in Finland is the fact that currently the government is not obliged to report violations of data security or data losses, either to the user in question or to the data protection agencies.
Currently in France, data is retained for one year, though ‘Police must provide justification for each request for access to retained data and must seek authorisation from…the Ministry of the Interior’.
In May 2015, the French parliament passed a sweeping surveillance bill, giving the government new powers to retain phone call data, emails, and metadata in bulk.
France came under significant political pressure to extend its retention powers in the wake of the Charlie Hebdo attacks in January 2014; the new legislation was drafted just three days afterwards. The bill saw widespread support in parliament, though critics pointed to the fact that civil rights groups were intentionally under-represented in the build-up to the vote. With the most recent terror attacks in Paris, it seems probable that data retention laws will remain rigid or may even be extended.
Other critics are concerned about French policy on data breaches, since there is no provision for notification in the event of a data security breach.
Another concern is the National Commission for Control of Intelligence Techniques (CNCTR), which oversees the retention bill, since it is chaired by the prime minister with little room for external scrutiny.
A bipartisan commission at the French National Assembly concluded earlier in 2015 that the bill breaches European data protection principles and was later ruled illegal by the European Court of Justice (ECJ), though as of yet, the surveillance bill is still in place.
In October 2015, the German parliament passed a wide-reaching data retention bill that requires telecommunications metadata to be held on air-gapped servers within the country. This data will then be made available to law enforcement agencies on request (for crimes classified as ‘severe’).
Retained data includes phone numbers, the date and time of phone calls and text messages, localization data for mobile phones, and data held by ISPs in terms of the IP addresses of users and dates and times for online connections.
Similar data retention proposals were introduced in 2007, but were later ruled disproportionate and lacking in provisions for data security. To address these concerns, the most recent legislation has introduced several measures to secure data: communication content, website names, and metadata of e-mail traffic are excluded from retention; the six-month collection period originally suggested has been reduced to ten weeks; and stored data will be encrypted and accessible only if two authorized individuals are present.
In Ireland, phone call data may be retained for two years, while internet and email data may be stored for one year, both without external authorization. Data requests can be made by police or military officers.
Ireland has attracted global media coverage for several years as a safe haven for large tech corporations. Earlier this year, Austrian law student and digital activist Max Schrems brought allegations against Facebook, whose European headquarters are based in Ireland, for non-consensual privacy breaches, as well as spotlighting the Safe Harbour data agreement between the US and Europe. Proceedings initially took place in the Irish High Court and later in the ECJ, where in October the agreement was ruled invalid.
In July this year, the Peruvian government introduced a worrying new decree allowing the police and other law enforcement agencies to access localization data for any Peruvian citizen without a judge’s warrant. The decree has been dubbed the ‘Stalker Law,’ and aside from allowing police to use technology to pinpoint the whereabouts of any mobile phone, the legislation obliges ISPs, data controllers, and telephone companies to retain customer data for every Peruvian citizen for three years. This data can then be requested later on following court approval.
Supporters of the law argue that communication content is protected, and that it is merely metadata that will be collected, but this is deceptive since metadata itself can contain sensitive details about a person’s private life, including ‘when and where a person goes…when a person is at home or spends the night somewhere else and with whom.’ Read more on ‘Why Metadata Matters’.
Following the decree, several international human rights groups have expressed concern directly to the Peruvian government.
Central government influence over data retention in Russia has increased distinctly in recent years. Citing the prevalence of cyber crime and online counter-terror directives, Russia’s government casts a wide, and often unseen, net when it comes to retaining citizen data.
New legislative amendments came into force on 1 September 2015 that require data controllers collecting the personal data of Russian citizens to store it in databases located in Russia. Enforcement is strict: violations of this rule can result in websites being blocked by Roskomnadzor.
Furthermore, in September of 2015 the government passed a bill requiring all foreign internet companies to store data on Russian citizens within Russia’s borders. While Google, a company keen to retain its market share in the country, has complied, other internet giants such as Facebook have been reluctant to migrate the data to Russia-based servers.
Roskomnadzor is the collective name for the Federal Service for Supervision of Communications, Information Technology and Mass Media. It controls the so-called internet blacklist, which was passed into law in July 2012 by the State Duma and which blocks websites deemed harmful or inappropriate. The main concern with the blacklist is that little oversight is given to its expansive powers, and often seemingly innocuous websites have been blocked.
The UK has a long history of covert surveillance programs, often in allegiance with the US and others, but the latest legislation to be drafted, the revised Snoopers’ Charter, which was revealed by the Home Secretary in May 2015, is perhaps the most explicit threat to user privacy the country has seen.
Currently, internet data may be retained for one year following the approval of a ‘designated person,’ as well as a necessity and proportionality test, but not a judge’s warrant. The legislation is under judicial challenge and key provisions have been disapplied.
The proposed Snoopers’ Charter has been redrafted several times and, as it stands, seeks to extend the powers of the police and government agencies to collect internet data in bulk without court approval.
The Snoopers’ Charter has been in and out of the mainstream media now for months. Critics argue that the bill will be ineffectual against terrorism, while it has also attracted the sustained attention of Edward Snowden, who has widely criticized its application on Twitter:
By my read, #SnoopersCharter legitimizes mass surveillance. It is the most intrusive and least accountable surveillance regime in the West.
— Edward Snowden (@Snowden) November 4, 2015
#SnoopersCharter does not require individualized judicial authorization in advance of *interception*. Such a dragnet is mass surveillance.
— Edward Snowden (@Snowden) November 4, 2015
Thanks to Edward Snowden it’s now clear just how far-reaching mass data retention in the US has been, and the now-notorious NSA surveillance program has been curtailed due partly to the passing of the Freedom Act and the expiration of provisions in the Patriot Act which both occurred in June 2015.
Mandatory data retention in the States is no longer in place; however, internet metadata is still retained for one year by many large US corporations such as Amazon through NSA surveillance programs succeeding operations like Prism and Muscular.
Another concern is that some US state agencies are appealing to these corporations for leverage, as seen with the CISA Security Bill, which passed the Senate in October 2015. Essentially, the highly controversial bill offers corporations immunity from external regulation and from Freedom of Information Act requests in return for a share in user data.
Countries with lenient or no data retention laws
Austria has a history of rejecting intrusive data retention legislation and supporting the privacy rights of the individual. The latest attempt to enforce data retention in bulk by the government was ruled unconstitutional in June 2014 as it was found to breach European law.
The Austrian campaigner Max Schrems generated the support of 25,000 Austrian students in his case against Facebook and their violations of privacy laws.
Belgium takes data privacy very seriously and currently there is no provision for retaining data from internet activities, though the government can retain data from ‘publicly available’ telephone services.
Currently there is a specially appointed Secretary of State responsible for privacy matters, and in June 2015 a Belgian privacy watchdog took Facebook to court over the allegations mentioned above.
British Virgin Islands
The British Virgin Islands in the Caribbean do not retain citizen data. Although the Islands are considered an overseas British territory, their 28,000 inhabitants are not directly governed by EU law.
At present there is no formal legislation governing data protection, though user privacy is protected through English common law, which protects user confidentiality and requires the consent of the user prior to data retention.
Currently, the large and reputable provider, ExpressVPN, has its headquarters in the British Virgin Islands.
Internet data can be retained in the Czech Republic, but ‘The unequivocal (and revocable) consent of a data subject is required for the processing of personal data.’
The former data retention legislation, which was based on the European Union Data Retention Directive, was ruled unconstitutional by the Czech Constitutional Court in March 2011. Currently, ISPs are not required to retain internet and email data for use by police. Although the Czech parliament passed a mandatory retention bill in 2012, the legislation did not receive the required approval from the President. The Czech Constitutional Court went on to rule the collection of data unconstitutional and invasive of personal privacy; however, retention of data can be enforced, subject to individually reviewed cases.
Because Hong Kong is an autonomous territory of mainland China, it has established its own legislative framework when it comes to data retention. While China operates wide-reaching and rigid censorship of internet resources deemed harmful through the so-called ‘Great Firewall’, as well as restricting some well-known VPN providers, Hong Kong is generally regarded as a place that protects rights to privacy online.
The law was amended in 2012 to grant citizens more privacy when compared with mainland China. What’s more, Hong Kong has demonstrated its support for privacy rights when it welcomed Edward Snowden, refusing US calls for extradition.
Until recently, internet data in the Netherlands could be retained for six months (phone data for one year) only after a prosecutor or judicial investigator had received a court order to access specified metadata.
In March 2015, however, a Dutch court filed an injunction against the metadata retention law and the legislation was discontinued. The Dutch security and justice ministry has said that it was considering an appeal but further action is yet to be taken.
Currently in Romania there is no mandatory data retention legislation. As with the Czech Republic and Austria, the former bill was ruled unconstitutional. In Romania’s case, the country’s Constitutional Court concluded in 2009 that the bill was unfair because it treated all Romanians as suspects. A redrafted retention bill was introduced to Parliament but it was later rejected by the Senate in 2011.
As the law stands, data controllers are allowed to retain sensitive personal data, but only if the person in question gives their unequivocal consent beforehand.
Data retention and VPNs
With constantly shifting forces against and in favour of mass data retention, it can be difficult to keep track of the current legislation governing both governments and corporations. One feature of the debate that has as yet been little discussed is the role VPNs and other proxies play.
There are two essential principles about end-to-end encryption that allow VPN providers to stay ahead of the game. First, technology is on the side of those who develop it, i.e. the VPN providers. Second, and as laid out in this article, different countries have different laws concerning access, collection, storage, and transfer of data. This makes it very likely that while some countries may choose to block known IP ranges used by providers, others will not, and servers can be established within those countries.
The redrafted Snoopers’ Charter in the UK, which has attracted widespread media coverage because of the severity of its proposals, does not include an outright ban on end-to-end encryption used by VPNs and proxy tools. However, the bill does contain conditions that could allow the state agencies to pressure companies into creating technology to weaken encryption, as a recent article suggests.
For more information on how VPNs work have a look at our 101 guide to virtual private networks.