User Tools

Site Tools


IP data retention

The data retention directive from the European Union sets the frame, but not the exact implementation in-law from the sovereign countries. Wikipedia lists a rough legal framework, but the exact implementation is up to the single countries.


One approach is to not incorporate as an ISP and then IP data retention laws do not apply. Often it is so that an organization self-identifies and registers as an ISP.


In Germany, data retention was implemented to store the collected data for six months. They had a – compared to other countries – rather less-restrictive law, forcing providers to “only” save:
For Internet connections, for every connection (together with the actual customer): * time of login * time of logout * IP of the connection

For e-mail, for every mail: * the sender * the receiver * the exact date * (essentiall, this is the standard mail log you had to keep)

There was a large “collective” lawsuit by several large organisations (initiated by the Arbeitskreis Vorratsdatenspeicherung). They collected signatures of about 35.000 inhabitants against data retention, and, eventually, the constitutional court considered the German law to be contrary to the German constitution. Since that rendered the current data retention illegal, providers had to delete the data they collected and reduce the amount of data they stored.

But the court did not consider the law in principle to be against the constitution, it was just the current implementation. Several politicians have rised the issue since then, and the new great coalition (from 2013) said they want to wait for the decision on the European level. But there are still politicians and spokesmen of legal institutions which are trying to get the law as soon as possible.

State: February 2014

State: November 2015: data retention is back


(This is only about the part of the Danish data retention law that concerns ISP's, telcom rules about phone and sms are not covered)

The Danish law concerns all ISP's that does not fall into one of the following category:

  • Networks with less than 100 connected end users.

The following data have to be logged in a per-session manner:

  1. Sender IP address
  2. Receiver IP address
  3. Transport protocol (TCP, UDP ect.)
  4. Sender port number
  5. Receiver port number
  6. Start and end times

This information available and linkable to the session log (described above):

  1. The assigned user identity.
  2. Name and address of the user.
  3. IP addresses assigned to this users (including time periods for the assignment)

Providers who offer wireless networks must also:

  1. Register the exact physical or geographical position of wireless transmitters.

E-mails must be logged with the following information:

  1. Sender e-mail address
  2. Receiver e-mail address

This is about it :)




legal/dataretention.txt · Last modified: 2015-11-25 17:45 by bodems