Data Retention Powerpoint

Data Retention Laws: Threats to Privacy, Free Expression, and Innovation

These slides were compiled by Erica Newland, CDT Policy Analyst, in April 2012. They may be freely used or copied, with or without attribution, so long as their substantive content is not modified. They may also be used or copied in modified form, but versions with substantive modifications must not be attributed to CDT.

Presentation goals
- Understand why governments seek to create data retention laws
- Examine the different types of data retention laws
- Explain why data retention laws are disproportionate, ineffective, and unnecessary
- Understand how data retention laws threaten privacy and free expression, and may even undermine the work of law enforcement
- Note the impact of data retention mandates on innovation and broadband access
- Learn how to…
  - assess data retention proposals and laws against global standards
  - assess their potential impacts on privacy, free expression, and innovation
  - advocate for better policy

What is data retention?
- Data retention mandates are government requirements that telephone and/or Internet service providers retain certain data about all of their users for specified periods of time, even though these companies would not otherwise retain this info for their own purposes.
  - Retained data must generally be linked to users’ names or other identification information.
  - Gov’t officials may then request access to this info, pursuant to laws of their respective countries, for use in investigations.
- Typically, these mandates take the form of laws or regulations. Sometimes they are found in licensing

Why do countries adopt data retention laws?
- Crisis:
  - 2004 Madrid bombings → adoption of EU Data Retention Directive
- Sensational type of crime:
  - In the US, a data retention bill (not adopted) was titled “The Protecting Children from Internet Pornographers Act.”
- In response to data destruction mandates
- One of the above as a cover for other motives…
  - Data retained under the US bill mentioned above would have been available for all criminal investigations and for national security uses
  - Potential use for copyright enforcement

Data retention laws often differ with respect to the following elements:
- Types of companies covered
- Types of data retained
- Retention period
- Restrictions on when the government can access retained data
- Who pays for data retention
- Security requirements for storing and transmitting data

Types of companies covered
- Telephone companies (wireline and mobile)
- Internet Service Providers (ISPs)
  - Traditional cable or DSL access providers
  - Sometimes includes mobile carriers – laws often unclear on this
- Other Internet access providers
  - Internet cafes, coffee shops w/ WiFi, airports, schools, libraries
  - Companies that provide Internet access to employees at work
- Online service providers (OSPs)
  - Providers of web-hosting services, email service, mobile and web apps, platforms for user-generated content

Types of data retained – Part 1
- Telephony (fixed network and mobile)
  - For each call, number of origin and destination – that is, the calling and called telephone numbers
  - Date, time, duration
  - Location of mobile callers, based on cell tower

Types of data retained – Part 2
- IP addresses
  - ISPs may be required to retain logs of IP addresses allocated to customers – perhaps the most common type of data retention requirement.
  - OSPs may be required to retain IP addresses of users.
  - Changes in technology mean that IP address retention is an increasingly less proportionate response to law enforcement needs (we discuss this in greater depth later).

Types of data retained – Part 3
- Internet traffic data, which may include:
  - Addressing information and types of network/equipment used
  - Identities and locations of the users involved in a communication
  - Duration, type, and volume of communications
  - URL browsing information (sometimes considered content data, sometimes considered traffic data)
  - Location data
- Content data, which may include:
  - URL browsing information
  - Content of emails and instant messages
  - Note: retention of content data is rarely mandated

Retention Period
- The length of time for which companies are required to store user data
- Examples:
  - EU Data Retention Directive: 6 months – 2 years
  - Thailand Computer Crimes Act: 90 days, but gov’t can request longer
  - Argentina tried for a 10-year retention period but the law was suspended after public outcry

Restrictions on access to retained data
- Under what conditions can law enforcement obtain access to retained data?
  - Limited type of investigation? Limited types of crimes or offenses?
  - Judicial approval required?
- Under what conditions can others access/use retained data?
  - Commercial purposes?
  - Copyright enforcement?
  - By civil litigants?
- Example: EU Data Retention Directive
  - Can only be used to investigate “serious crimes” but each

Other important questions
- Who bears the cost of data retention and retrieval? The answer may affect the incentives for breadth of the mandate and frequency of its use.
- Will government subsidize companies for…
  - …storing data?
  - …transmitting data to government?
- Are there security requirements for how…
  - …data is stored?
  - …data is transmitted to government?

Data retention laws are ineffective, disproportionate, and unnecessary
- Data retention laws are ineffective:
  - New technology renders IP-address based retention far less effective than it used to be
  - Retention of large masses of data may actually undermine the effectiveness of law enforcement
- Data retention laws are disproportionate:
  - In their impacts on human rights: free expression, privacy, and the presumption of innocence
  - In the costs they impose on businesses and in their impacts on innovation and economic growth
- Data retention laws are unnecessary:
  - Good alternatives, such as data preservation, exist and work well in countries including the US and Japan

Effectiveness: Massive data problems
- Ineffectiveness and disproportionality of data retention are inseparable from the astonishing volume of data stored and, often, transmitted to law enforcement.
  - Denmark: ISPs collected an average of 82,000 records/Dane to comply with the country’s data retention laws (2009)
  - Germany: 35,831 data points for one person over six months (2009-2010)
- When data exists, gov’t can become profligate in requesting it
  - Poland: gov’t issued 1.85 million requests for access to data held under its data retention law → 1 request/20 citizens (2011)
  - Czech Republic: gov’t requested retained data 280,000 times → 1 request/37 citizens (2009)

Data retention laws are ineffective

Data retention laws may undermine law enforcement efforts
- Astonishing volume of data (see previous slide) can render data retention laws ineffective:
  - Large-scale data storage increases the likelihood of system crashes and failures
  - The greater the volume of stored data, the less reliable its integrity and the longer the delays when ISPs respond to law enforcement requests
  - This creates a perverse result in emergency situations. Law enforcement may encounter delays in accessing needed data, while the data most desired in emergencies is recent data that would likely have been retained and easily accessible absent a retention mandate.

New technology renders IP-address based retention less effective than ever
- Data retention mandates assume that an IP address is uniquely linked to an individual device.
- However, with widespread adoption of a technology called NAT:
  - The IP address of origination is often replaced by a different IP address that is not unique to a specific end-user device.
  - Such a swap may occur as often as once/minute!
  - For retained data to enable the identification of users, ISPs and mobile carriers would have to retain an extraordinary amount of data, far more data than was needed even a few years ago.
- NAT is used to ease the (perhaps indefinite) transition from IPv4 → IPv6

Data retention laws are disproportionate

Data retention laws violate fundamental human rights (Part 1)
- Which rights?
  - Privacy
  - Free expression
  - Presumption of innocence.
- German, Czech, and Romanian national courts have found national transpositions of the EU’s Data Retention Directive to violate fundamental constitutional rights.

Data retention laws violate fundamental human rights (Part 2)
- National Human Rights Commission of Korea:
  - “requiring telecommunication service providers to keep communication records of ordinary persons for up to one year for the purpose of resolving crimes which have not occurred yet, not even at the stage of preparing for crimes, is…highly likely to infringe upon human rights…”
- European Commission’s Article 29 Working Party:
  - “[Data retention] encroaches into the daily life of every citizen and may endanger the fundamental values and freedoms all European citizens enjoy and cherish.”

These are not merely theoretical concerns
- A German study showed that data retention in Europe has significantly diminished citizens’ willingness to discuss and obtain info about mental health issues online.
- In Poland, intelligence agencies used data stored pursuant to retention laws to expose info about journalists’ sources.

Data retention laws create new privacy risks
- Retained data is vulnerable to hackers, accidental disclosure, and other unauthorized access
  - Aggravates identity theft problem
  - Risks especially high at entities that have not traditionally kept such data (Internet cafés, coffee shops) and those that can’t afford high-end security (small ISPs, libraries)
- Once retained pursuant to retention mandate, data may be put to other legal, but privacy-invasive, uses
  - Service providers might repurpose data for behavioral advertising.
  - Use by civil litigants, use in copyright enforcement, etc.
- Fear of non-compliance/poor system design → storage of even more data than is required by law

Data retention laws create huge cost burdens for ISPs
- Costs for ISPs alone
  - Capital costs: System design, collection and storage equipment, integration of new and existing system, and systems to identify and deliver requested data to government in a timely manner
  - Operating costs: Access procedures and security, compliance implementation staff, law enforcement liaison staff, staff training, system maintenance, and continuing integration costs
  - Opportunity costs that even gov’t reimbursement cannot alleviate: both financial and technical (personnel) resources must be diverted away from innovation and invested instead in the creation and maintenance of complex data storage systems
- Where NAT is used, costs are greatly increased

These cost burdens may impede broadband and mobile deployment
- Small ISPs serve communities or regions where large ISPs haven’t been willing to invest
  - Operate with tiny profit margins
- A US-based trade association for small and rural telecommunication cooperatives estimated that complying with a proposed IP-address based data retention mandate would:
  - Create capital costs for a rural broadband provider amounting to 5-7.5% of annual revenue
  - Likely drive some providers out of business, thereby reducing broadband access in the US

When extended beyond ISPs, data retention can damage a country’s global economic competitiveness
- Similar capital, operating, and opportunity costs for other access providers and OSPs
- Especially problematic for new companies:
  - Most successful OSPs began as small start-ups and would not have been able to retain the required data
  - Retention mandate on OSPs would therefore chill domestic innovation and damage the global competitiveness of a country’s domestic technology
- Foreign companies will resist establishing local offices, lest they be required to take on the costs of data retention

Data retention laws are unnecessary

Data preservation is an effective alternative to data retention
- Data preservation (“quick freeze”)
  - Permits law enforcement to require service providers to immediately begin retaining data relevant to a specified investigation or proceeding, while investigators seek authorization to demand disclosure
  - Implicates only data about the tiny fraction of individuals who might fall under criminal suspicion
  - Better aligned with the principle of “presumed innocence”
  - Less expensive for businesses
  - Provided for in Council of Europe Cybercrime Treaty
- Some countries reject data retention and/or preservation altogether

When governments propose data retention mandates…
- Organize a coalition
- Evaluate the proposed law or regulation
  - With respect to the elements of data retention laws discussed in this presentation
  - With respect to the law’s likely impact on human rights and innovation
- Promote alternatives to data retention, such as data preservation
- Fight the proposal or work to limit its breadth

Organize a coalition
- Data retention laws negatively impact a diverse set of entities, many of whom may be effective allies in a fight against a data retention law:
  - Human rights advocates at home and abroad
  - Journalists and press groups
  - Telcos, ISPs, and mobile carriers (if not state-operated)
  - Domestic OSPs
  - Foreign service providers, access providers, and OSPs with operations on the ground in the country
  - Policymakers interested in promoting the domestic economy, foreign investment, or human rights

When evaluating a proposed data retention law, ask the following questions
- What types of entities will be required to retain data?
- What types of data will be retained?
- What will be the length of the retention period?
- Who will bear the financial burden of the capital and operating costs related to data retention?
- How will government access to retained data be controlled?
- How will commercial and other uses of retained data be restricted?
- Will retained data be securely held and securely transferred to law enforcement?

How will a data retention law impact the domestic economy and human rights?
- Will the law respect the human rights guaranteed by the country’s constitution?
- What impact will the law have on the cost of providing Internet service via ISPs or access points? Could it drive smaller ISPs out of business? What impact will it have on Internet access?
- Will government reimbursements – if they exist – sufficiently cover the opportunity costs of prioritizing data retention?
- How will the increased volume of data impact the ability of service providers to respond to law enforcement inquiries in a timely fashion?
- Will the law affect the viability of local online service providers or incentivize them to relocate to other countries?

To repeat: Data retention laws are ineffective, disproportionate, and unnecessary
- Data retention laws are ineffective:
  - The volume of data will make it harder to find relevant info
  - New technology renders IP-address retention far less effective than it was previously
- Data retention laws are disproportionate:
  - In their impact on human rights: free expression, privacy, and the presumption of innocence
  - In the cost they impose on businesses and their impact on innovation and economic growth
- Data retention laws are unnecessary:
  - Good alternatives, such as data preservation, exist and work well in countries like the US and Japan

Resources
- Longer CDT paper on data retention
  - In-depth discussion of points made in this presentation
  - Includes appendices with case studies from India, Thailand, and Europe
  - https://www.cdt.org/files/pdfs/CDT_Data_Retention_Paper.pdf
- Memo on how the IPv4 → IPv6 transition and associated use of Carrier Grade NAT complicates retention of IP addresses by ISPs
  - https://www.cdt.org/files/pdfs/data%20retention%20memo%202-1-12.pdf