This table was produced by Leanne O’Donnell – a senior lawyer and leading legal expert in the communications sector. You can follow Leanne on Twitter: @mslods. See also the original article on her website.
The Australian Government looked to the European experience as a model for its data retention scheme, and also claimed the European examples as justifications for our own legislation. As Attorney-General Brandis said in July 2014, data retention ‘is very much the way in which western nations are going’.
This table compares the current situation in Australia with that across the various EU jurisdictions. As you’ll see, the UK is just the latest of many EU countries to strike out data retention laws.
Far from following the trend of other western nations, Australia is therefore moving in the opposite direction.
Data retention – EU experience (updated July 2015)
| Country | Retention Period | Authorisation required to access “metadata” | Status of Telecommunications Data Retention Regime |
| Australia | 2 years | No judicial oversight aside from the problematic ‘journalist information warrant‘ | Data retention bill passed by Parliament on 26 March. Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015Implementation information from Attorney-General’s Dept |
| Austria | Ruled unconstitutional | ||
| Belgium | Between 1 year and 36 months for ‘publically available’ telephone services.No provision for internet-related data. | Access must be authorised by a magistrate or prosecutor. | Ruled unconstitutional (Commentary) |
| Bulgaria | 1 year.Data which has been accessed may be retained for a further 6months on request. | Access only possible on the order of the Chairperson of a Regional Court | Ruled unconstitutional in 2008 & again on 12 March 2015 (commentary) |
| Cyprus | 6 months | Access must be approved by a prosecutor if he considers it may provide evidence of committing a serious crime. A judge may issue such an order if there is a reasonable suspicion of a serious criminal offence and if the data are likely to be associated with it. | Ruled unconstitutional – violated right to privacy |
| Czech Republic | Ruled unconstitutional | ||
| Denmark | 1 year | Access requires judicial authorisation; court orders are granted if application meets strict criteria on suspicion, necessity and proportionality | Session logging ceased 2014 (Commentary) |
| Estonia | Access requires permission of a preliminary investigation judge | In force | |
| Finland | 1 year | Subscriber data may be accessed by all competent authorities without judicial authorisation. Other data requires a court order. | Under review (Commentary) |
| Germany | 1 year | Ruled unconstitutional. Now no mandatory data retention. | |
| Greece | 1 year | Access requires judicial decision declaring that investigation by other means is impossible or extremely difficult. | In force |
| France | 1 year | Police must provide justification for each request for access to retained data and must seek authorisation from person in the Ministry of the Interior designated by the Commission nationale de contrôle des interceptions de sécurité. | In force |
| Spain | 1 year | Access to the data by the competent national authorities requires prior judicial authorisation. | Under review |
| Hungary | 6 months for unsuccessful calls and 1 year for all other data | Police and the National Tax and Customs Office require prosecutor’s authorisation. Prosecutor and national security agencies may access such data without a court order | Further constitutional challenge is being prepared |
| Italy | 2 years for fixed telephony and mobile telephony data,1 year for internet access, internet email and internet telephony data | Access requires ‘reasoned order’ issued by the public prosecutor. | In force |
| Lithuania | 6 months | Authorised public authorities must request retained data in writing.For access for pre-trial investigations a judicial warrant is necessary | In force |
| Latvia | 18 months | Authorised officers, public prosecutor’s office and courts are required to assess ‘adequacy and relevance’ of request, to record the request and ensure protection of data obtained | In force |
| Luxembourg | 6 months | Access requires judicial authorisation. | Under review |
| Malta | 1 year for fixed, mobile and internet telephony data,6 months for internet access and internet email data | Requests must be in writing – Malta Police Force; Security Service | In force |
| Netherlands | 1 year – telephony, 6 months internet-related data | Access must be by order of a prosecutor or an investigating judge | On 11 March 2015, national law was suspended. The decision is a preliminary injunction rendering the obligation ineffective.(Commentary) |
| Romania | (6 months under the earlier annulled transposing law) | Ruled unconstitutional | |
| Poland | 2 years | Requests must be in writing and in case of police, border guards, tax inspectors, authorised by the senior official in the organisation. | Under challenge |
| Portugal | 1 year | Transmission of data requires judicial authorisation on grounds that access is crucial to uncover the truth or that evidence would be, in any other manner, impossible or very difficult to obtain. The judicial authorisation is subject to necessity and proportional requirements. | In force |
| Slovenia | 8 months for internet related and 14 months for telephony related data | Access requires judicial authorisation. | Ruled unconstitutional. Ordered that data collected under the data retention law be deleted |
| Slovakia | 12 months, 6 months for Internet services | Requests must be in writing. | Ceased following judgment of European Court of Justice. Records deleted. |
| Sweden | 6 months | Subject to judicial challenge (Commentary) | |
| UK | 1 year | Access permitted, subject to authorisation by a ‘designated person’ and necessity and proportionality test, in specific cases and in circumstances in which disclosure of the data is permitted or required by law. | Judicial challenge by MPs successful in July 2015. Key provisions of data retention law ‘disapplied’ – effective March 2016(My post) |
| Ireland | 2 years for fixed telephony and mobile telephony data, 1 year for internet access, internet email and internet telephony data | No. Requests to be in writing from police officer/military over specified rank & tax/customs official over specific grade. | Under judicial challenge (Follow Digital Rights Ireland) |
| Switzerland | Under challenge | ||
| Norway | N/A | N/A | No mandatory data retention regime |
- Within the EU: 11 Member States require judicial authorisation for each request for access to retained data.
- Within the EU: In 3 Member States judicial authorisation is required in most cases.
- Norway and Switzerland are not part of the European Union, but are included here for reference
Further reading
- European Commission resources on data retention
- Resources relating to communications data retention in the EU
- Evaluation Report on the Data Retention Directive (2011)
- Boehm & Cole study on data retention after the judgment of the Court of European Justice:
- Australian Privacy Foundation’s submission to PJCIS pp 31–33
- EFA’s submission to PJCIS pp 7-9