Mandatory Data Retention Worldwide

Everywhere in the world the Law enforcement agencies are forcing invasive laws that compel Internet Service Providers (ISPs) and telecommunication providers to continuously accumulate and collect credentials about the online activities of millions of average users.

Mandatory data retention regimes are normally paired with provisions that permit investigators to collect these documents. These regimes extend the capacity of governments to surveil its citizens, eventually harming people privacy, anonymity, and freedom.

Mandatory data retention schemes have reversed key specifications for the security of private data in the countries with effective online privacy laws. Companies are forced by data protection laws to define their collection of private information for specific purposes for instance billing and retaining data for a relatively distinct period of time before they crash it or anonymize it.

What Is Mandatory Data Retention?

Users are assigned a specific IP address by the Internet Service Provider (ISP) that helps them to recognize a user. However, the Internet Service Provider could change that particular IP address of the user anytime. Whereas, due to data retention law, the ISP has to retain the data of user’s online activities for a specific period of time by tracking that IP address. Through this, the law enforcement agencies acquire access to an individual by asking Internet Service Provider about the IP address assigned to the user.

How It Works?

Internet Service Providers supply the users with an IP address that changes systematically. Mandatory data retention regime demands the Internet Service Provider to retain the data of their IP address allocations for a specific time period. Law enforcement agencies are able to recognize an individual on the grounds of who delivered the IP address at a particular date and time.

Why You Should Worry?

Millions of regular internet user’s privacy are at risk due to government mandatory data retention specially whistle-blowers, journalist, researchers and those who are involved in political speech. The Metadata retention rules are interfering, costly and are great harm to the privacy and freedom of the individuals. They force Internet Service Providers ISPs to create a large database to keep the records about who interacts with whom via internet or phone, the duration of the chat, and the user’s location. These regimes make sure to record every action you do online. Privacy risks are increasing due to the database being exposed to theft and revealing.

Mandatory data retention law generates enormous possibility for the violation and is a dangerous invasion into the privacy and freedom of the users. These laws encourage pervasive surveillance and are a risk to the liberty of citizens.

Metadata laws in different countries:

CountryData Retention PeriodAuthorization required to access the dataStatus Of Data Retention Regime
Australia2 YearsNo judicial oversight aside from the problematic.Implemented
AustriaSuspended by court
BelgiumBetween 1 Year & 36 Months
For telecommunications. No provision for internet-related data.
A magistrate or prosecutor authorization required for access.Suspended by court
Bulgaria1 Year, Data can be accessed for more 6 months on request.The order of the Chairperson of a Regional Court is required for access.Suspended by the court in 2008 & again on 12 March 2015.
Cyprus6 MonthsA prosecutor approval is needed to access the data if he might ask for evidence in the case of committing a stern crime. A judge can issue such an order if there is a rational suspicion of a major criminal offense and if the data is expected to be linked with it.Suspended by the court due to a violation of privacy rights.
Czech RepublicSuspended by court
Denmark1 YearAuthorization from judicial needed for gaining access. The application is approved by the court if it meets the strict criteria for suspicion, necessity, and proportionality.Session logging ceased 2014
EstoniaPermission from preliminary investigation judge is required for access.Implemented
Finland1 YearWithout judicial authorization, all competent authorities can access the user data. A court order is needed for other data.Under analysis
Germany1 YearSuspended by the court. At the present, no mandatory data retention.
Greece1 YearAccess requires judicial decision declaring that investigation by other means is impossible or extremely difficult.Implemented
France1 YearPolice have to provide justification for each request for access to retained data and must ask for authorization from a person in the Ministry of the Interior designated by the Commission Nationale de contrôle des interceptions de sécurité.Implemented
Spain1 YearPrior judicial authorization is required by all competent authorities to access the data.Under analysis
Hungary6 Months for unsuccessful calls and 1 year for all other data.Prosecutor’s authorization is needed by police and the national tax and customs office.Preparing further constitutional challenge in opposition to the law.
Italy2 Years of telecommunications and mobile telephony data, 1 year for internet access, internet email and internet telephony data.The public prosecutor ‘reasoned order’ is required for the access.Implemented
Lithuania6 MonthsAuthorized public authorities must request retained data in writing. Pre-trial investigations require a judicial warrant for accessing the data.Implemented
Latvia18 MonthsAuthorized officers, public prosecutor’s office, and courts are required to access ‘adequacy and relevance’ of the request, to record the request and make sure the security of data gained.Implemented
Luxembourg6 Months Judicial authorization required.Under analysis
Malta1 Year for fixed, mobile and internet telephony data, 6 months of internet access and internet email dataRequests must be in writing – Malta Police Force; Security Service.Implemented
Netherlands1 Year telephony, 6 months internet-related dataOrder of a prosecutor or an investigating judge required.On 11 March 2015, national law was suspended. The decision is a preliminary injunction rendering the obligation ineffective.
Romania6 Months under the earlier annulled transposing lawSuspended by court
Poland2 YearsRequests must be in writing and in the case of police, border guards, and tax inspectors, authorized by the senior official in the organization.Under challenge
Portugal1 YearTransmission of data requires judicial authorization on grounds that access is crucial to uncover the truth or that evidence would be, in any other manner, impossible or very difficult to obtain. The judicial authorization is subject to necessity and proportional requirements.implemented
Slovenia8 Months for internet related and 14 months for telephony related data Judicial authorization required.Suspended by the court and ordered the deletion of data collected under the data retention law.
Slovakia1 Year for Internet dataWritten request.Records have been deleted and have stopped following the orders of the European court of justice.
Sweden6 MonthsMay face the judicial challenge.
UK1 YearAccess permitted, subject to authorization by a ‘designated person’ and necessity and proportionality test, in specific cases and in circumstances in which disclosure of the data is permitted or required by law.Judicial challenge by MPs successful in July 2015. Key provisions of data retention law ‘disapplied’
Ireland2 Years of fixed telephony and mobile telephony data, 1 year for internet access, internet email and internet telephony data.No. Requests to be in writing from police officer/military over specified rank & tax/customs official over the specific grade.Under judicial challenge
SwitzerlandUnder challenge
NorwayNo mandatory data retention regime
USA1 Year for Internet metadata, email, phone recordsVarious United States agencies leverage the (voluntary) data retention practiced by many U.S. commercial organizations like Amazon through programs such as Prism and Muscular.No mandatory data retention regime


Metadata retention is just followed by mass surveillance and only leads to mass surveillance, and infringing on citizen privacy, without the people knowing about it. It is not a solution to anything and only leads to disorganization of society. Limiting criminal activities is one thing, but hindering normal people online activities is a different thing.

Leave a Comment