What is Data Retention and How Does It Affect Online Privacy?

When we browse the web, we like to think that nobody knows exactly what we’re up to. Well, that’s nothing more than a dream in this day and age - most governments use data retention laws to force ISPs and public/private businesses to monitor and log all kinds of user information, which can then be accessed by the authorities.

“But what is data retention?” If you’ve been wondering that for a while, this article will be right up your alley since we’ll be discussing this topic, how it’s handled in certain countries, and how you can protect yourself from it.

What Is Data Retention?

Data retention is the process through which governments and businesses (especially telecommunication and Internet providers) record and store various data (usually related to individuals). Nowadays, data retention more or less refers to the way Internet user data is handled and stored. Most businesses and government institutions have a Data-Retention Policy in place that outlines how they approach this.

Mandatory Data Retention

On the one hand, mandatory data retention is justified by the need to access and protect important information – both to offer customers services and to prevent data breaches, data leaks, and data loss. Backups are also obviously necessary as a precaution in case something happens with the main data storage systems.

On the other hand, mandatory data retention has a different, more problematic definition.

What Is Mandatory Data Retention?

Mandatory data retention is a law enforcement practice that demands ISPs and telecom providers store user data under the obligation that all the recorded information will be made available when the authorities demand it.

Even though almost every user’s IP address changes periodically, ISPs and telecom providers must keep records of all the IP addresses they assign for an established period of time. This way, state agencies can require providers to disclose the identity of the person who used an IP address at any given moment.

While that might make sense if you consider the authorities can use that info in crime investigations, it also gives more power to governments to monitor citizens, and takes away their rights to online privacy.

Why is that kind of mandatory data retention a thing, you ask? The wording of the reasons might differ from country to country, but they’re usually the same: To fight terrorism and prevent/combat serious crimes. True, that definitely makes sense, but it’s also pretty vague and leaves a lot of room for interpretation, which can cause a serious abuse of your privacy rights.

How Does Mandatory Data Retention Affect Online Privacy?

Well, think of it this way – how does knowing that somebody is watching your every online move, and can access a log of all your online interactions, downloads, and outright everything you said make you feel?

Besides that, data retention is a considerable threat in many political regimes (like Saudi Arabia, for example) where people have to resort to self-censorship whenever they’re online. Otherwise, they risk serious legal repercussions.

Also, the process of storing such a heavy load of information is costly and it involves expensive equipment. And if you’re wondering who pays for that, the answer is simple: The government makes the service providers cover the check, and the service providers are charging the end users more to cover their expenses.

Lastly, let’s talk about hacking attempts. While your ISP might take plenty of measures to make sure the data is safe, there’s no guarantee your personal data would not be exposed to a privacy breach (here’s another example) or leak.

About Data Retention Laws

Data retention laws are different from country to country, but they generally have the same goal: A better grip on the digital world at the expense of privacy and freedom of speech.

We’re going to be looking at some of the more popular examples from around the world, but if you want a more in-depth list, check this one out.

Data Retention in the EU

Not long ago, in December 2016, the EU made an important statement against data retention and declared it illegal for member states to log emails or other electronic data in bulk.

The only exception to this ruling applies to serious threats against public safety. Only then are targeted surveillance and data retention legal. Still, this comes with an important mention: The person or group of people whose data was accessed must be notified that the surveillance act took place once it is sure that the notice won’t endanger the investigation. What’s more, after the investigation comes to an end, all the retained data must be destroyed.

As of 2018, the GDPR (General Data Protection Regulation) also started being implemented, forcing businesses worldwide to adhere to tighter privacy regulations when dealing with EU users, essentially giving Internet users from the EU more control over their data and privacy.

Of course, it is worth noting that the implementation of the GDPR does not mean online users in the EU no longer have to put up with some form of data retention or even online surveillance. It’s just that the situation is a bit better now, though not by much.

Data Retention in the UK

User data is logged and recorded up to 1 year in the UK. Things were made worse by the Draft Communications Data Bill (also known as “Snooper’s Charter”), which forces ISPs to make user data available to public authorities, and gives police officers the power to perform data requests once per month.

There is some good news, though – while the UK leaving the EU obviously conflicts with the GDPR and EU privacy laws, high courts have ruled that the Snooper’s Charter must be amended to comply with EU laws.

Still, that doesn’t mean UK online users will suddenly get to enjoy a new level of privacy. It’s likely numerous loopholes will be used in the amended version to allow for the originally intended mass surveillance.

Data Retention in Australia

Back in 2017, the Data Retention law came into effect. According to it, ISPs and telecom providers must store the metadata of Australian mobile and online users for up to 2 years. If you’re not sure what metadata is, it’s anything related to a call or online connection.

However, data retention is actually difficult to implement in Australia. Why? Because Australian ISPs don’t have a legal obligation to own a license, so nobody truly knows how many providers there are. The Bureau of Statistics had recorded 77 ISPs with more than 1,000 subscribers. On the other hand, Internet Australia estimates there are at least 250, and perhaps more than 500.

That doesn’t mean you should underestimate the Data Retention law. Eventually, a solution will be found, and more user data will be logged.

Data Retention in the US

While there is no mandatory retention law in the United States, the NSA records Internet metadata for up to 1 year in its MARINA database. Here’s the interesting thing – they don’t do it only to US online users – they record metadata worldwide. The NSA also collects metadata through the PRISM program, which includes Internet giants in the US.

Besides that, the Stored Communications Act (SCA), issued in 1986 as a part of the Electronic Communications Privacy Act, requires data storage up to 180 days on government demand. Also, the providers can willingly disclose private information in emergencies where a delay of such a disclosure puts a person or a group of people in serious danger.

Other than that, access to digital content is only allowed with a court order. But there is some specific information (like users’ names, addresses, telephone numbers, or records of phone calls) that can only be obtained with an administrative subpoena.

Another huge concern US online users should have is whether the data logged by their ISP is being sold to advertisers. Apparently, ISPs in the US can actually do that.

Data Retention in China

There is no specified data retention period in China, which makes it easy for the government to abuse user data, naturally. Despite that, things aren’t that bleak in this case – according to China’s Cybersecurity Law, citizens have the right to request the data to be deleted if it goes against the law, and they also have to give their consent before the data can be processed.

There’s still reason to be concerned if you live in China or plan to visit, though. The Cybersecurity Law clearly states that data must be stored in local servers regulated by Chinese law. Businesses also need to “cooperate” with security agencies when asked to. Plus, Chinese ISPs likely use Deep Packet Inspection to log as much information as they can about users’ connections.

How to Protect Yourself from Mandatory Data Retention

While you can’t prevent mandatory data retention 100% (unless you just live off the grid), there are 2 things you can do to reduce some of the information ISPs and government surveillance agencies log:

  1. Use Tor (The Onion Router)
  2. Use a VPN (Virtual Private Network)

Tor is an anonymity network that works by bouncing your Internet traffic between relays to make it harder to trace. While it is a useful service, it does have one big flaw – the exit relay (the last relay your data goes through before reaching its destination) removes the final layer of Tor’s encryption. Unless the traffic is itself encrypted end to end (with HTTPS, for example), the person who runs the relay can snoop on it, and their ISP can do the same thing.

A VPN is a better choice because it encrypts your connections at all times. Basically, the traffic between your device and the VPN server is completely unreadable to ISPs and government surveillance agencies.

Besides that, a VPN will also mask your IP address, and replace it with the VPN server’s own address, making it much harder for anyone to track down your geo-location.

All in all, it’s better to mainly use a VPN, and pair it up with Tor if you want an extra boost of data security.

Need a Good VPN By Your Side?

Then you’ve come to the right place – CactusVPN offers powerful AES encryption that makes sure nobody can keep tabs on your online activities. On top of that, we use shared IP technology on our high-speed servers to make it near impossible for any ISP or surveillance agency to associate your online behavior with your IP address.

Oh, and don’t worry about any data retention on our part. We have a strict no-log policy in place. What’s more, enhanced online privacy is just a few clicks away, as our VPN apps are very user-friendly and work on multiple devices. Plus, our VPN works well alongside Tor too.

Special Deal! Get CactusVPN for $3.5/mo!

And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.

While data retention laws vary by country, they all accomplish the same goal – more government control over your Internet data and freedom. Luckily, there’s a way to fight back – using a VPN to encrypt all your online communications.
