What is the Data Retention Directive?
Laws requiring telecommunications companies and ISPs to store user metadata for a specified period, enabling retroactive surveillance.
Data retention laws force companies to keep records of all communications metadata, creating a surveillance infrastructure available on demand.
What's Retained
- Who called/messaged whom
- When and for how long
- Location data from cell towers
- IP addresses and connection timestamps
- Email sender/recipient and timestamps
By Country
- EU: The EU Data Retention Directive was struck down by the Court of Justice in 2014 as violating fundamental rights, but many member states maintain their own laws
- Australia: Mandatory 2-year retention of metadata
- UK: Investigatory Powers Act mandates 12-month retention
- US: No mandatory retention, but ISPs often keep data voluntarily
Protection
- Use encrypted messaging (Signal) — metadata is minimized
- Use a VPN — your ISP sees only the VPN connection, not the actual destinations
- Sealed sender features prevent even the messaging provider from seeing metadata
Related Terms
Data Retention Policy
Rules that define how long an organization keeps personal data and when it must be deleted, a key requirement under privacy regulations.
GDPR
The General Data Protection Regulation is a comprehensive data protection law in the European Union that gives individuals control over their personal data. It establishes strict requirements for how organizations collect, process, store, and transfer personal information.
Metadata
Data about data. In the context of communications, metadata includes information like who you contacted, when, for how long, and from where—everything except the actual content of your message. Metadata can reveal intimate details about your life even when content is encrypted.