Data retention is an Internet policy and human rights issue that has arisen throughout the world, from Argentina to South Africa, from the US and Europe to South Korea. These policies are often driven by law enforcement dissatisfaction with the amount of information that service providers collect and retain in the ordinary course of business. In response, governments have imposed or considered legal mandates requiring service providers to retain certain data about all of their users for specified periods of time, even when that data no longer is needed for a business purpose, and even where only some users are suspected of wrongdoing. Generally, under these data retention mandates, the data must be collected and stored in a manner such that it is linked to users’ names or other identification information. Government officials may then request access to this data, pursuant to the laws of their respective countries — with varying degrees of protection against undue government intrusion.
This paper offers an introduction to the issue of data retention and the different variables that may be present in a data retention mandate. It presents an evaluation of the risks to privacy, free expression, competition, and innovation that are raised by data retention mandates and provides examples of data retention laws from around the world and the challenges and concerns raised by these laws. Finally, the paper provides a framework for analyzing data retention proposals, wherever they may arise.