Data Retention
Module 4: Privacy and Security Online
Data retention is typically described as “the process through which governments and businesses (especially telecommunication and internet providers) record and store various data (usually related to individuals).”(1) As explained by Privacy International:(2)
“The practice of data retention involves the gathering and storing of communications data for extended periods for the purpose of future access. Metadata tells the story about your data and answers the who, when, what, and how of a specific communication.”
While the specific terms and definitions vary, most legal frameworks on data retention relating to communications provide for two categories of information – the ‘content’ of the communication itself, and information about the communication. This second category, often called communication data or communication metadata, includes a wide range of information which is often deeply revealing, such as the identities or identifiers of those involved, the times and durations of their interactions, locational information, and any technology or services involved. While data retention can be important for criminal investigations, it also gives governments more power to monitor the public and takes away the public’s rights to online privacy.(3) The practice of mandating the retention of communications data raises significant privacy, transparency and security concerns. In turn, this may affect the ways in which people exercise their rights online and risks leading to self-censorship.
It has been noted that: “Data retention laws are different from country to country, but they ultimately have the same goal: A better grip on the digital world at the expense of privacy and freedom of speech”.(4) Privacy International explains that the mass retention of individuals’ communications records, outside the context of any criminal investigation or business purpose, “amounts to the compilation of dossiers on each and every one of us, our friends, family and colleagues”.(5) Privacy International goes on to explain that:
“The potential harms associated with data retention and access are significant. In a context where the gathering and exploitation of data by private companies becomes increasingly privacy intrusive and widespread, data retention poses serious risks to individual privacy and data security. The data opens the door for governments and third parties to make intimate inferences about individuals, to engage in profiling and to otherwise intrude on people’s private lives. If the information is not properly protected there is the potential of unauthorised access to troves of information by third parties, including cyber-criminals.”
Most data protection frameworks provide that data should only be collected for specified, explicit and legitimate purposes and that such data should, in the ordinary course, be deleted when this is no longer the case. Additionally, data ought not to be kept for longer than it is needed. For example, article 5(1)(e) of the GDPR provides that personal data shall be–
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes … subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”.
In general, there are two key factors that determine an appropriate data retention period: (i) the purpose for processing the data; and (ii) any legal or regulatory requirements for retaining it. In respect of the latter, various countries have mandatory data retention laws that require telecommunication and internet service providers to retain certain types of data – such as metadata – for stipulated periods of time.
Importantly, there have been at least two significant judgments of the CJEU — Digital Rights Ireland(6) and Tele2 Sverige AB(7) — that have reaffirmed the requirement that all data retention regimes must comply with the principles of legality, necessity and proportionality.(8) Appropriate safeguards are also needed to protect the data that has been retained.
Case note: No legal restrictions on the retention of data
In the Nubian Rights Forum v Attorney General case, the High Court of Kenya ruled against the gathering of DNA and GPS data, deeming it a violation of the right to privacy and unconstitutional.(9) This decision followed a challenge by three non-governmental organisations to amendments to the Registration of Persons Act, which sought to establish a centralised database of biometric information and introduce unique identification numbers. The petitioners emphasised the sanctity of the right to privacy, arguing that state intrusion required substantial justification. Notably, they contended that the collection of DNA and GPS data lacked legal restrictions on retention and lacked clarity on purpose. Moreover, they highlighted risks of unauthorised access and potential misuse of biometric technologies for discrimination and surveillance. While the Court recognised the importance of certain biometric data collection, it found the risks associated with DNA and GPS data unjustifiable. Despite the introduction of the Data Protection Act during the proceedings, the Court deemed the existing regulatory framework insufficient and mandated the adoption of a more comprehensive data protection framework before implementing the proposed system.