Data Retention Protocols: A Critical Appraisal of the Telecom Surveillance Apparatus in India and Abroad (Part II)

The second post in the two-part series on Data Retention laws in India and abroad, by Balaji Subramanian. The first part can be found here.

In Foreign Lands: US and the EU

Earlier, I’ve given a broad picture of the data retention scenario in India. Now, I attempt to draw a comparison between India and other, more “advanced” jurisdictions such as the US and the EU.

In the US, data retention is conducted voluntarily by service providers, without any statutory imperative. Several prominent voices from law enforcement have advocated the promulgation of laws that enable mandatory data retention and specify the duration, means and extent of such retention. However, these attempts have failed several times, with two federal Bills lapsing.

The main concern appears to be child pornography, and the need to eradicate it completely from the internet and prosecute offenders. However, policy organisations and think-tanks have argued that mandatory data retention regimes are not necessarily solutions to the problem, and so the current situation is one of voluntary data retention by ISPs. Law enforcement agencies then make requests for user data on an ‘as required’ basis, asking for specific user data for a specific interval of time under the Stored Communications Act (18 USC §2703). While there is no obligation for ISPs to store user data (and therefore no liability for a failure to retain logs), once this data has been stored, it must be made available to law enforcement agencies where required.

In the EU, this area was largely regulated by the EU Data Retention Directive from 2006. This directive faced severe challenges from EU member states. While it was implemented fully only in a few states, at least 3 member states declared local laws giving effect to the directive unconstitutional. In addition, the directive itself was challenged, first in the ECHR and most recently in the ECJ, and in April this year, the ECJ declared the directive as violative of the right to privacy, and declared it to be invalid (press release). Thus, the EU has no data retention regime in place, as of today. Individual member states did have laws that put data retention in place, but in the most prominent jurisdictions such as the UK and Germany, these laws were struck down, mostly as a result of post-Snowden challenges regarding the absence of judicial oversight of retention mechanisms. The EU is working on a fresh draft for a directive on data retention, incorporating more safeguards into the system to escape the pitfalls of the 2006 directive.

In conclusion, data retention policies are still a stumbling block in terms of legislative clarity, not just for countries such as India, but even for first world jurisdictions that possess relatively developed internet jurisprudence.