List of Countries With No Data Retention Laws
14 min. read
Updated on
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Countries with no data retention laws are pro-privacy jurisdictions. They often impose regulations that protect internet privacy.
Service headquartered in those places, including VPNs, social media apps, and IM apps are better for user safety.
Data retention has been around for years. These laws compel ISPs to store user data and the online activities of their customers.
From a cybersecurity and privacy standpoint, they have been seen as a violation of fundamental human rights.
This is because they breach individual rights to privacy and gives undue access to third parties including the government.
Oftentimes, citizens have protested against these forceful data retention laws.
However, the concerned governments push back with the if you have nothing to hide, you won’t be against it maxim, thereby silencing any opposition to the policy.
Is there an end to this? Will it be stopping anytime soon? Based on how things are going, I don’t think so.
The good news is, there are countries that respect their citizens’ privacy, which means they don’t retain their data.
Read till the end to find out more interesting stuff about data retention.
What is data retention?
In simple terms, data retention is an act of collecting and storing user information for no reason except for future criminal prosecution.
It’s some sort of law or policy that compels ISPs and electronic communication services to collect and store their customers’ data.
The purpose of this is usually to allow the government to track or monitor certain individuals when there’s a need for criminal prosecution.
This however doesn’t necessarily imply an ongoing suspicion of criminal activities, but just in case it happens in the future, your data comes in handy.
Apart from laws imposed by the government, there are also data retention requirements by industry. Although they can differ from one company to the other.
This is because industries and organizations need to have a little information and data about their staff, intended to meet business and legal requirements.
Who retains your data? ?️
The government, your ISPs, the services you use, and the companies you work for can retain your data.
This is because there has to be a bit of information about you to form a profile for easy access.
However, data retention requirements by industry vary from one to another.
→ For example, a company may only retain information about your past job history and qualifications.
On the other hand, another company may request and retain personal data about you.
These personal data may include your full name, DOB, tax records, selling and purchasing activities, permanent home address, and lots more.
This is to show that inasmuch as companies require a bit of background information about their staff, some can go to the extreme in collecting and retaining private data that can put one’s identity at risk.
→ Also, it’ll interest you that services you no longer use can still have a huge chunk of your data.
According to Mine, an average person’s data is held by 350 companies.
This figure however is still growing as more people get to stay online and use more and more services.
→ Interestingly, users can now make right-to-be-forgotten requests for companies and services they no longer use so they can remove their data from their database within 30 days.
Mine has recorded 37% completed requests while 26% are in communication with users so as to finalize the process.
Countries with no data retention laws
Although this is not an exhaustive list, these countries include:
1. Argentina
Argentina’s constitution upholds its citizens’ right to privacy.
As such, the government does not pass any laws that would violate this right. As of right now, no ISPs are forced by the law to retain data.
2. Brazil
Same as Argentina, Brazil’s constitution respects the right to privacy.
Therefore, no data retention laws exist that would infringe on this right.
In fact, it has a data protection regulation law that’s been in force since 2020. Services and companies are forced to disclose what type of data they retain and only do so upon getting the user’s agreement.
3. Czech Republic
The government does not see the need to have data retention laws as the country respects its citizens’ privacy.
The country has had a data protection act for over 20 years, and as a member of the EU, it aligns with the organization’s GDPR (General Data Protection Regulation).
4. British Virgin Islands
Even though it’s a British overseas territory, The British Virgin Islands has no data retention laws as they are considered illegal in the country.
If you use ExpressVPN, you probably know that it is based in this country. That’s because it gives the service the possibility to keep its privacy promise.
The state’s authorities cannot ask the VPN service to log and share users’ private data.
5. Germany
Germany had data retention laws until they were removed by the European Court of Justice in 2014.
New laws have not been passed to that effect since then.
6. Iceland
The country does not have such laws due to its strong tradition of privacy protection.
Furthermore, it is a member of the European Union (EU), and the EU’s General Data Protection Regulation (GDPR) does not allow any form of illegal data retention.
7. Liechtenstein
Being a small country that has respect for privacy protection and is also a part of the EU’s GDPR, the government sees no need to pass such laws.
8. Luxembourg
Same as Iceland, Luxembourg’s government favors privacy protection and it is also an EU member.
Therefore, the country has no laws that infringe on people’s right to privacy.
9. Monaco
Monaco is another small country with a strong tradition of privacy protection.
The government has not seen the need to pass any data retention laws.
10. Montenegro
Same as Monaco, Montenegro is a small country with respect for privacy and no reason to pass or enforce data retention laws.
11. Namibia
Namibia is a developing country with no reason to pass any such laws. Furthermore, it’s arguable whether it should prioritize such practices as it does not have the resources to implement them.
12. Panama
Panama has no data retention laws due to its small size and limited resources. It is not part of any surveillance agencies and has clear data protection laws.
Probably for this reason, the VPN industry’s giant, NordVPN has its headquarters here.
13. Paraguay
Coupled with its small size and limited resources, Paraguay’s government sees no reason to pass such laws.
14. Peru
As a developing country with limited resources, Peru’s government has not seen the need to pass data retention laws.
15. Saint Kitts and Nevis
Being a small country with a strong tradition of privacy protection, Saint Kitts and Nevis has no data retention laws.
The current Data Protection Bill was passed on May 4th, 2018. It highlights the citizen’s right to privacy and includes measures that prevent and stop data tracking.
16. Saint Lucia
Saint Lucia is a small country with a strong tradition of privacy protection. As such, the government does not see the need to pass any data retention laws.
In fact, the country abides by a Data Protection Act that’s been in effect for years.
17. Saint Vincent and the Grenadines
The small country respects its citizens’ privacy rights. However, as of right now, I was not able to find any mentions of specific laws that protect against data retention.
18. San Marino
The government of San Marino favors privacy protection and therefore sees no reason to retain information.
19. Seychelles
Seychelles has a strong tradition of privacy protection. It’s a small country with limited resources
Therefore, no such laws exist in the country.
20. Switzerland
Switzerland’s constitution guarantees privacy protection, therefore, the government does not have any data retention laws that would violate this right.
The Swiss Federal Data Protection Act (DPA) ensures that data is only processed with the user’s consent.
Additionally, as a member of the EU, the EU’s GDPR frowns against data retention except in specific legal cases.
21. Uruguay
Uruguay’s small size and limited resources mean that its government cannot enforce any such laws even if they are passed. No data retention laws are currently in place.
22. Vanuatu
Vanuatu does not have data retention laws because it’s a developing country with no resources to implement or enforce such laws.
23. The Netherlands
The Dutch Data Protection Authority ruled out data retention legislation in 2015, calling it illegal.
Since then, the Dutch government has not passed any new laws to that effect.
24. The US
There are no data retention laws at the federal government level.
However, some states have these laws and enforce them within their jurisdictions. Furthermore, the US is a member of international data retention groups, including the Five Eyes Alliance.
Certain states such as Delaware are passing data privacy acts, but the issue still persists country-wise.
25. Austria
The EU’s GDPR applies to Austria as a member country.
Furthermore, any laws that infringe on the people’s constitutional right to privacy are illegal in the country.
The GDPR is regarded as the strictest data protection regulation in the world.
In fact, non-EU services and businesses must follow the regulation if they operate anywhere in the EU.
However, it’s important to note that not all EU member countries follow the GDPR. There are several EU countries with data retention laws, and you will see them in the next section.
Some of the countries listed above generally believe in fundamental human rights to privacy and they see no reason to tamper with that.
However, there are some who simply don’t have such laws due to the lack of resources to enforce them.
Countries with data retention laws
These countries include:
1. Australia
Australia’s Telecommunications (Interception and Access) Act 1979 was passed into law in 2015.
As a result of the law, telecom companies and ISPs have to store records of phone calls and other internet activities for 2 years.
It was ruled constitutional by the High Court of Australia when it was challenged in 2017.
2. Belgium
ISPs and telecommunication companies can store people’s activity records for 1 year as a result of the law which has been active since 2017.
The law has faced challenges from privacy advocates, but the Belgian Constitutional Court upheld the law in its 2021 ruling.
3. France
The French data retention law has been active since 2015 when it was passed in a bid to prevent crime and terrorism.
As a result, ISPs and telecom companies in the country have to store call records and internet activities for 1 year.
4. Italy
Italy’s regulation on data retention law that allows telecom companies and ISPs to store their users’ information for 6 years was passed in 2017.
5. Russia
Russia passed data retention laws in 2014 after Norway’s terrorist attacks of 2011.
The laws allow the concerned services to store relevant information about their customers’ activities for 5 years. Furthermore, the country is big on online censorship, having anti-VPN usage laws.
6. Poland
Poland’s laws on data retention were passed in 2016 after the Paris terrorist attacks of 2015.
In short, the relevant bodies can store information like phone calls, emails, and internet activities for 2 years.
The Poland Constitutional Court in its 2017 ruling declared the laws legal after challenges from privacy advocates.
7. Ireland
The country’s data retention laws were passed in 2011 after the 2005 London bombings.
As a result, the relevant services can store people’s information for 1 year.
8. The United Kingdom
The Investigatory Powers Act 2016 (IPA) allows ISPs and telecommunication services to store call records, internet activities, and emails for 1 year.
However, this is not the only active law backing data retention in the country.
There’s also the Interception and Access Act 1985 that allows the government to intercept calls for investigation purposes.
9. Finland
The country’s laws that allow concerned services to legally store their users’ information have been active since 2019.
The Finnish Supreme Court in its 2021 ruling ruled the laws constitutional.
10. Denmark
Denmark passed its data retention laws in 2007 following the 2005 London bombings.
The law gives the concerned services the right to store personal information including phone call records, and more for 1 year.
In 2022, the Danish government updated the law to allow ISPS to store information relating to IP addresses and the duration of each customer’s online activities.
11. Greece
ISPs and other relevant companies in Greece have the right to store their customers’ personal data for 1 year.
The country’s data retention laws have been active since 2012, coming after the 2011 terrorist attacks in Norway.
12 Malta
Malta passed its data retention law in 2014 and since then, companies can store the personal call records, emails, and online activities of the citizens for 1 year.
13. Estonia
The Madrid train bombings of 2004 caused Estonia to pass the law to retain its citizens’ personal data in 2007.
As a result, ISPs and telecommunication companies can store information for 1 year.
14. Spain
Spain’s data retention law requires ISPs and telecommunication companies to retain data pertaining to phone calls, email messages, and other internet activities for a period of 1 year.
This law has been active since 2014 even though it has been challenged in the European Court of Justice (ECJ).
15. Hungary
The country has laws to retain information for 1 year in order to investigate crimes and protect national security.
16. Serbia
After the Paris terrorist attacks of 2015, Serbia passed a law to retain its citizens’ personal data in 2018.
The law allows for the collection and storage of people’s data for 1 year.
17. Slovakia
Slovakia passed its first data retention law in 2007 but the court nullified it in 2014.
The government has since passed new ones that allow for the collection and storage of data for 1 year since 2016 and these are still active today.
18. Latvia
Latvia’s data retention law has been active since 2018 and allows ISPs and other concerned bodies to store records for 1 year.
In a 2020 ruling, the Latvian Supreme Court declared the law constitutional and in accordance with the EU’s GDPR.
Countries with active data retention laws put the whole citizen of such a country under suspicion.
The governments of these countries believe that only citizens who have shady things to hide claim that these laws violate their rights.
This ultimately defeats and tramples upon their citizens’ fundamental human right to privacy and open democracy.
However, in all cases, the governments maintain that the laws are necessary to protect their national security and investigate crimes.
Summary
ISPs and other services operating in countries with data retention laws are bound by the government to store private data belonging to its citizens with the hope of using them in the future.
While some may argue that this serves as a means of curbing crime, it’s clear that it does that at the expense of people’s right to privacy.
This is what countries with no data retention laws respect – privacy.
If you have concerns about your privacy, consider using a VPN, especially if you’re in a country that imposes data retention laws.
A VPN routes your internet traffic through its own encrypted tunnels to ensure that nobody can track, monitor, or retain your data.
FAQs
A couple of countries like Panama, The British Virgin Islands, Romania, Hong Kong, and Singapore have no data retention laws for VPNs.
In fact, Panama and The British Virgin Islands don’t have a mandatory data retention law binding them.
According to the UK GDPR, companies and businesses are required to keep data for a period of six years from the end of the last company financial year they relate to.
It allows for longer data retention if they show a transaction that covers more than one of the company’s accounting periods, especially if the company purchased equipment that’s meant to last longer than 6 years.
In addition, for data that has no personal data included, the default data retention period is five years, and for data with personal data, it’s 2 years.
Data retention policy in the EU concerns itself with the fact that EU Member States are able to store data from electronic telecommunications devices for at least 6 months and no longer than 24 months in issues relating to detecting, investigating, and prosecuting serious crimes.
Regular day-to-day use is fully protected by the GDPR.
Depending on your reasons for storing data, personal data can be kept indefinitely for historical research, scientific or statistical purposes.
Any reason other than this requires you to hold data in a temporary state for 30 days, after which it can be deleted.
For work, companies, and businesses, especially personal data that can easily identify a person, a request can be sent to such companies so a person’s data can be deleted from their database.
User forum
0 messages