The Failure of Personal Data Retention

Two basic privacy principles are that no more personal info should be collected than necessary, and it should not be kept any longer than necessary. That flies in the face of repeated attempts by governments and law enforcement to collect and retain data, or to require others to retain it.

One example is attempts to pass laws to require ISPs and telecommunications companies to retain data on customers for a fixed period of time just in case it might be helpful to police. Denmark has had such a data retention law in place for many years. The Danish Ministry of Justice has just concluded, however, that five years of extensive Internet surveillance have proven to be of almost no use to the police. (I’m relying on a news story – the actual report is in Danish.)

“Session logging has caused serious practical problems,” the ministry’s staffers write in the report. “The implementation of session logging proved to be unusable to the police; this became clear the first time they tried to use [the data] as part of a criminal investigation.”

So the downside of retaining personal info is the cost to the service provider to do it (which is ultimately paid by consumers), the increased risk of it being misused or leaked, and the general privacy invasiveness. And the upside is …?


  1. David Collier-Brown

    As well, retaining such information makes the ISP a target for those who want the information, and will break in, hack or attack the ISP to get it.

    It’s like preventing someone from filling in a swimming pool, a well-known attractive nuisance, even though they no longer have a use for it.