Mandatory Data Retention Worldwide

Everywhere in the world the Law enforcement agencies are forcing invasive laws that compel Internet Service Providers (ISPs) and telecommunication providers to continuously accumulate and collect credentials about the online activities of millions of average users.

Mandatory data retention regimes are normally paired with provisions that permit investigators to collect these documents. These regimes extend the capacity of governments to surveil its citizens, eventually harming people privacy, anonymity, and freedom.

Mandatory data retention schemes have reversed key specifications for the security of private data in the countries with effective online privacy laws. Companies are forced by data protection laws to define their collection of private information for specific purposes for instance billing and retaining data for a relatively distinct period of time before they crash it or anonymize it.

What Is Mandatory Data Retention?

Users are assigned a specific IP address by the Internet Service Provider (ISP) that helps them to recognize a user. However, the Internet Service Provider could change that particular IP address of the user anytime. Whereas, due to data retention law, the ISP has to retain the data of user’s online activities for a specific period of time by tracking that IP address. Through this, the law enforcement agencies acquire access to an individual by asking Internet Service Provider about the IP address assigned to the user.

How It Works?

Internet Service Providers supply the users with an IP address that changes systematically. Mandatory data retention regime demands the Internet Service Provider to retain the data of their IP address allocations for a specific time period. Law enforcement agencies are able to recognize an individual on the grounds of who delivered the IP address at a particular date and time.

Why You Should Worry?

Millions of regular internet user’s privacy are at risk due to government mandatory data retention specially whistle-blowers, journalist, researchers and those who are involved in political speech. The Metadata retention rules are interfering, costly and are great harm to the privacy and freedom of the individuals. They force Internet Service Providers ISPs to create a large database to keep the records about who interacts with whom via internet or phone, the duration of the chat, and the user’s location. These regimes make sure to record every action you do online. Privacy risks are increasing due to the database being exposed to theft and revealing.

Mandatory data retention law generates enormous possibility for the violation and is a dangerous invasion into the privacy and freedom of the users. These laws encourage pervasive surveillance and are a risk to the liberty of citizens.

Metadata laws in different countries:

Country Data Retention Period Authorization required to access the data Status Of Data Retention Regime
Australia 2 Years No judicial oversight aside from the problematic. Implemented
Austria Suspended by court
Belgium Between 1 Year & 36 Months
For telecommunications. No provision for internet-related data.
A magistrate or prosecutor authorization required for access. Suspended by court
Bulgaria 1 Year, Data can be accessed for more 6 months on request. The order of the Chairperson of a Regional Court is required for access. Suspended by the court in 2008 & again on 12 March 2015.
Cyprus 6 Months A prosecutor approval is needed to access the data if he might ask for evidence in the case of committing a stern crime. A judge can issue such an order if there is a rational suspicion of a major criminal offense and if the data is expected to be linked with it. Suspended by the court due to a violation of privacy rights.
Czech Republic Suspended by court
Denmark 1 Year Authorization from judicial needed for gaining access. The application is approved by the court if it meets the strict criteria for suspicion, necessity, and proportionality. Session logging ceased 2014
Estonia Permission from preliminary investigation judge is required for access. Implemented
Finland 1 Year Without judicial authorization, all competent authorities can access the user data. A court order is needed for other data. Under analysis
Germany 1 Year Suspended by the court. At the present, no mandatory data retention.
Greece 1 Year Access requires judicial decision declaring that investigation by other means is impossible or extremely difficult. Implemented
France 1 Year Police have to provide justification for each request for access to retained data and must ask for authorization from a person in the Ministry of the Interior designated by the Commission Nationale de contrôle des interceptions de sécurité. Implemented
Spain 1 Year Prior judicial authorization is required by all competent authorities to access the data. Under analysis
Hungary 6 Months for unsuccessful calls and 1 year for all other data. Prosecutor’s authorization is needed by police and the national tax and customs office. Preparing further constitutional challenge in opposition to the law.
Italy 2 Years of telecommunications and mobile telephony data, 1 year for internet access, internet email and internet telephony data. The public prosecutor ‘reasoned order’ is required for the access. Implemented
Lithuania 6 Months Authorized public authorities must request retained data in writing. Pre-trial investigations require a judicial warrant for accessing the data. Implemented
Latvia 18 Months Authorized officers, public prosecutor’s office, and courts are required to access ‘adequacy and relevance’ of the request, to record the request and make sure the security of data gained. Implemented
Luxembourg 6 Months  Judicial authorization required. Under analysis
Malta 1 Year for fixed, mobile and internet telephony data, 6 months of internet access and internet email data Requests must be in writing – Malta Police Force; Security Service. Implemented
Netherlands 1 Year telephony, 6 months internet-related data Order of a prosecutor or an investigating judge required. On 11 March 2015, national law was suspended. The decision is a preliminary injunction rendering the obligation ineffective.
Romania 6 Months under the earlier annulled transposing law Suspended by court
Poland 2 Years Requests must be in writing and in the case of police, border guards, and tax inspectors, authorized by the senior official in the organization. Under challenge
Portugal 1 Year Transmission of data requires judicial authorization on grounds that access is crucial to uncover the truth or that evidence would be, in any other manner, impossible or very difficult to obtain. The judicial authorization is subject to necessity and proportional requirements. implemented
Slovenia 8 Months for internet related and 14 months for telephony related data  Judicial authorization required. Suspended by the court and ordered the deletion of data collected under the data retention law.
Slovakia 1 Year for Internet data Written request. Records have been deleted and have stopped following the orders of the European court of justice.
Sweden 6 Months May face the judicial challenge.
UK 1 Year Access permitted, subject to authorization by a ‘designated person’ and necessity and proportionality test, in specific cases and in circumstances in which disclosure of the data is permitted or required by law. Judicial challenge by MPs successful in July 2015. Key provisions of data retention law ‘disapplied’
Ireland 2 Years of fixed telephony and mobile telephony data, 1 year for internet access, internet email and internet telephony data. No. Requests to be in writing from police officer/military over specified rank & tax/customs official over the specific grade. Under judicial challenge
Switzerland Under challenge
Norway No mandatory data retention regime
USA 1 Year for Internet metadata, email, phone records Various United States agencies leverage the (voluntary) data retention practiced by many U.S. commercial organizations like Amazon through programs such as Prism and Muscular. No mandatory data retention regime


Metadata retention is just followed by mass surveillance and only leads to mass surveillance, and infringing on citizen privacy, without the people knowing about it. It is not a solution to anything and only leads to disorganization of society. Limiting criminal activities is one thing, but hindering normal people online activities is a different thing.

Leave a Comment