Data Privacy and Information Security Laws by Country

Data Retention and Disposal: An Overview of Global Privacy Regulations

Organizations operating globally must navigate a complex landscape of data privacy and information security laws, many of which explicitly or implicitly mandate the retention and timely disposal of personal data. From comprehensive regional frameworks like the European Union's General Data Protection Regulation (GDPR)—which emphasizes data minimization and storage limitation—to national laws across jurisdictions like Australia, the United States, Canada, and beyond, businesses face strict obligations to ensure personal data is retained only as long as necessary, securely managed, and properly disposed of when no longer needed.

This overview summarizes key laws, regulations, and frameworks across twelve countries (Australia, United States, Canada, United Kingdom, France, Germany, Switzerland, Belgium, The Netherlands, Spain, Italy, and Austria), highlighting how each jurisdiction balances privacy, compliance, security requirements, and data lifecycle management. Understanding these regulations is essential not only for legal compliance but also for building trust and reducing risk in an increasingly privacy-conscious world.

Below is a structured summary of the primary data privacy and security frameworks for each country, detailing their implications for data retention and disposal.

This overview should be read alongside the industry frameworks that may also bind your organization, such as the retention and disposal controls in ISO 27001 and SOC 2 (see Data Retention Requirements: ISO 27001 and SOC 2 Frameworks).

Australia

  • Privacy Act 1988 (National) – Australia's primary data privacy law, which includes the Australian Privacy Principles (APPs). It governs how personal information is handled by Australian Government agencies and by private-sector organizations with annual turnover above AUD 3 million, plus certain smaller ones such as private health service providers. APP 11 (Security of Personal Information) requires entities to protect personal information and to destroy or de-identify it once it is no longer needed for any purpose for which it may be used or disclosed, unless retention is required by law or a court order. The Act sets no fixed retention period: organizations must not keep personal information longer than necessary and must dispose of it securely when it is no longer required.
  • Telecommunications (Interception and Access) Act 1979 – Data Retention Obligations (National) – Australia's data retention regime (introduced by 2015 amendments) requires telecommunications service providers to retain a defined set of metadata (subscriber details, source and destination identifiers, times, IP addresses and similar, but not message content or web browsing history) for at least two years so that law enforcement and national security agencies can access it. The two years are a floor, not a ceiling: once they elapse, the ordinary APP 11 obligation applies, and metadata that is no longer needed must be destroyed or de-identified.

Australia also has state-level privacy laws for state government data and regulations like the Notifiable Data Breaches scheme under the Privacy Act, which reinforce secure handling and timely deletion of personal information.

United States

  • HIPAA – Health Insurance Portability and Accountability Act (National, Health sector) – A federal law protecting the privacy and security of medical information. The HIPAA Privacy Rule does not set retention periods for medical records themselves (those generally come from state law), but the Privacy and Security Rules require covered entities and business associates to safeguard protected health information (PHI) and to dispose of it, whether on paper or on electronic media, so that it cannot be read or reconstructed, for example by shredding paper and sanitizing or destroying storage media. (HIPAA does require that compliance documentation such as policies, risk analyses and training records be kept for six years; patient record retention itself is left to other laws.)
  • GLBA – Gramm-Leach-Bliley Act (Safeguards Rule) (National, Financial sector) – A federal law for financial institutions' data security. The Safeguards Rule (amended by the FTC in 2021) requires institutions to have an information security program including controls for data retention and disposal. It explicitly states organizations must securely dispose of customer information when it's no longer needed, with a general rule to delete it no later than two years after last use (unless a longer retention is legally required or for a legitimate business need).
  • FACTA (Fair and Accurate Credit Transactions Act) – Disposal Rule (National) – This FTC rule under FACTA applies to any person who maintains or possesses consumer report information for a business purpose, not only to lenders. It requires reasonable measures to dispose of that information so it cannot be accessed or misused, for example by shredding paper, wiping or destroying electronic media, or contracting with a vetted disposal vendor. In practice, data derived from consumer reports must be destroyed once it is no longer needed for the purpose it was obtained.
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (Regional/State – California) – Landmark state privacy laws (2018, amended 2020) that influence national practices. Under the CPRA (effective 2023), businesses must disclose how long they retain each category of personal information and not keep it longer than "reasonably necessary" for the disclosed purpose. Consumers have a right to deletion of their data, and businesses must honor deletion requests for data that is not needed for an ongoing legitimate purpose or legal obligation.
  • State Data Disposal and Security Laws (Regional – various states) – Over 30 U.S. states have laws requiring secure disposal of personal information held by businesses. For example, California Civil Code §1798.81 requires businesses to shred, erase or modify personal data when disposing of customer records. Additionally, many states require "reasonable security practices" for personal information, which include having data retention limits and proper disposal as part of an overall information security program.

The U.S. has a sectoral patchwork of laws rather than one comprehensive privacy law. Other examples include FERPA for educational records and COPPA for children's online data, each with its own retention or deletion rules. In the absence of a single national privacy law, companies typically follow industry standards (such as NIST SP 800-88 for media sanitization and the NIST Cybersecurity Framework) and contractual requirements for data retention and deletion, in addition to these laws.

Canada

  • Personal Information Protection and Electronic Documents Act (PIPEDA) (National) – Canada's federal private-sector privacy law. PIPEDA requires organizations to follow principles limiting collection, use, and retention of personal data. Under Principle 5 (Limiting Use, Disclosure, and Retention), personal information "shall be retained only as long as necessary" to fulfill the purposes for which it was collected. Once information is no longer needed, organizations "should destroy, erase, or anonymize" it, per PIPEDA guidelines. In practice, businesses must establish retention policies (including minimum and maximum periods) and dispose of personal data securely when those periods expire or the data is no longer required.
  • Privacy Act (R.S.C. 1985) (National) – The Canadian Privacy Act applies to federal government institutions. It requires government agencies to handle personal information in accordance with fair information practices, including retaining personal data only as long as needed for legal or operational purposes. Federal institutions must dispose of personal information when it is no longer required by transferring records to Library and Archives Canada or by secure destruction, in line with record disposition authorities.
  • Provincial Privacy Laws (Regional) – Several provinces have their own private-sector privacy laws that are "substantially similar" to PIPEDA, and health information privacy laws, which also include retention and disposal rules. For instance, Quebec's Law 25 (2021 amendments to its private-sector privacy act) explicitly requires organizations to have a retention schedule and to destroy or anonymize personal information once the purposes for which it was collected are achieved. British Columbia's and Alberta's Personal Information Protection Acts similarly mandate that personal data must not be kept indefinitely. These provincial laws reinforce the principle that data should be erased when no longer needed.

United Kingdom

  • UK GDPR (General Data Protection Regulation) (Regional/National) – After Brexit, the UK adopted its own version of the EU GDPR. The UK GDPR enshrines core principles of data protection, including "storage limitation," which means personal data must not be kept longer than necessary for its purpose. Organizations in the UK must have retention policies and are expected to erase or anonymize personal data once it is no longer needed for the purpose it was collected.
  • Data Protection Act 2018 (National) – The DPA 2018 is the UK's implementing legislation for the GDPR and covers areas the GDPR leaves to national law or does not reach, such as law enforcement and intelligence-service processing. It reinforces the requirements of the UK GDPR: organizations must adhere to the data protection principles (including storage limitation) and ensure secure disposal of personal data. Failure to delete data when required can lead to enforcement action by the UK Information Commissioner's Office.
  • Privacy and Electronic Communications Regulations (PECR) (National/Regional) – These regulations govern electronic communications data. PECR requires telecom and internet service providers to respect user privacy in communications. Traffic data may only be retained as long as needed to transmit the communication or for billing, and must be erased or anonymized once no longer required for those purposes.
  • Investigatory Powers Act 2016 (National) – A UK security law that allows the government to issue Retention Notices to telecom operators. Under this Act, telecom and internet providers can be required to retain communications data for up to 12 months for law enforcement and intelligence purposes. After 12 months, the provider should delete the data.

France

  • EU General Data Protection Regulation (GDPR) (Regional) – France is under the GDPR for data privacy. The GDPR imposes principles of data minimization and storage limitation, requiring French organizations to only keep personal data as long as necessary and then delete or anonymize it. Companies and public bodies in France must set retention periods for personal information and cannot retain data "just in case" indefinitely.
  • French Data Protection Act ("Loi Informatique et Libertés" 1978, modified 2018) (National) – This law, amended to align with the GDPR, supplements the GDPR in France. It establishes the CNIL and contains national rules. It reinforces that data controllers in France must define a retention period for each type of personal data and inform data subjects of those periods. Under this law, organizations are expected to delete data, or move it to a restricted archive where a legal duty requires keeping it, once the active retention period expires.
  • Electronic Communications Data Retention (French Security Laws) (National) – France has had specific regulations requiring telecom operators and online service providers to retain certain metadata for law enforcement. Telecom operators and internet hosts in France have been required to retain connection data for up to 12 months. These rules have been controversial: in 2021, France's Conseil d'État ordered the government to revise its blanket 12-month retention regime to comply with EU Court of Justice rulings.
  • Cybersecurity and Information Security Requirements (National/European) – France also implements information security frameworks such as the Network and Information Systems (NIS) Directive for critical infrastructure. While these primarily mandate security measures, they can implicitly influence data retention. The focus remains that any retained data must be justified and securely disposed of when no longer needed.

Germany

  • EU General Data Protection Regulation (GDPR) (Regional) – Germany operates under the GDPR, which strictly requires data storage limitation. Organizations in Germany must delete personal data when it's no longer necessary for the purpose collected. German companies often implement detailed retention schedules to comply.
  • Bundesdatenschutzgesetz (BDSG) (National) – Germany's Federal Data Protection Act, updated in 2018 to align with GDPR, adds German-specific rules. It covers areas like employee data processing and certain public-sector provisions. The BDSG upholds the principle that personal data should be erased when it's no longer needed.
  • Telecommunications & Telemedia Data Protection Act (TTDSG) and Legacy Telecom Laws (National) – Germany's TTDSG governs the privacy of electronic communications. Germany attempted to institute mandatory telecommunications data retention: a 2015 law required telecom companies to retain call and internet metadata for 10 weeks and location data for 4 weeks. Enforcement was suspended by the Federal Network Agency in 2017 after court challenges, and in September 2022 the EU Court of Justice held the law incompatible with EU law. As of 2025, Germany has no general data retention obligation in force, joining Austria, Belgium and the Netherlands (below) among EU states without a blanket retention regime.
  • IT Security and Other Sectoral Laws (National) – Germany's IT Security Act and related regulations require certain industries to maintain log data and incident records. Companies in finance or healthcare might also face rules on record retention. Importantly, those sectoral retention requirements must be balanced with data protection—companies must delete personal data once legal retention periods expire.

Switzerland

  • Federal Act on Data Protection (FADP) (National) – Switzerland's main data protection law (revised FADP effective September 2023). Under the FADP, personal data should only be kept for as long as required to achieve the purpose for which it was collected. Organizations are expected to establish retention policies and cannot keep personal information indefinitely.
  • Ordinance to the FADP and Sectoral Guidelines (National) – Accompanying the FADP are various ordinances and guidelines. Swiss regulators encourage companies to align with GDPR-like practices: define data retention periods and dispose of personal data safely afterwards.
  • Federal Law on the Surveillance of Postal and Telecommunications Traffic ("BÜPF") (National, Security) – This law imposes data retention duties on telecom/Internet providers in Switzerland. Under the BÜPF, major telecom operators and ISPs must retain telecommunications metadata for 6 months for potential criminal investigations. After six months, the providers are required to delete the data.

Belgium

  • EU General Data Protection Regulation (GDPR) (Regional) – Belgium enforces the GDPR. The GDPR's requirements for storage limitation apply fully: Belgian organizations must not retain personal data longer than necessary and must erase or anonymize data once it's obsolete with respect to its original purpose.
  • Belgian Data Protection Act of 30 July 2018 (National) – This law implements and supplements the GDPR in Belgium. It affirms that controllers must respect the principles of data processing, including not keeping personal data beyond what is needed.
  • Data Retention for Electronic Communications (National) – Belgium has had a turbulent history with mandated data retention. A 2016 law required telecom operators to retain metadata for 12 months. In April 2021 the Belgian Constitutional Court annulled the 2016 law for being too broad and indiscriminate. A replacement law adopted in July 2022 reintroduced retention on a targeted basis, tied to geographic areas and serious-crime thresholds rather than a nationwide blanket mandate. As of 2025, therefore, there is no general (blanket) retention obligation in force in Belgium, but providers still face targeted retention duties under the 2022 law.
  • Information Security Laws (National/European) – Belgium implemented the NIS Directive via a national law to ensure cybersecurity for critical services. Companies might keep security logs for some months as part of compliance. However, these logs, if containing personal data, would still fall under GDPR/Belgian law—meaning they should be purged when no longer needed.

The Netherlands

  • EU General Data Protection Regulation (GDPR) (Regional) – The Netherlands adheres to the GDPR. The Dutch Data Protection Authority expects organizations to define retention terms in their record of processing. Keeping data "forever" without justification is illegal.
  • Uitvoeringswet AVG (Implementation Act for GDPR) (National) – The Netherlands passed this law in 2018 to implement certain flexibilities of the GDPR. Dutch authorities have issued guidance that, for instance, employee data should be deleted after statutory periods.
  • Telecom Data Retention Law (National, annulled) – The Netherlands had a data retention law requiring telephone companies to store call data for 12 months and ISPs to store internet data for 6 months. However, in March 2015 a Dutch court struck down this law as a breach of privacy. As of 2025, there is no general obligation in the Netherlands to retain communications metadata.
  • Sectoral Retention Rules – The Netherlands has various other laws that indirectly set retention times (e.g., tax law requires companies to keep financial records 7 years, employment law mandates keeping certain employee records 5 years after termination). Once those periods lapse, the data should be erased in compliance with the GDPR.

Spain

  • EU General Data Protection Regulation (GDPR) (Regional) – Spain enforces the GDPR as its core data protection framework. Personal data should be kept only for as long as necessary and then deleted.
  • Ley Orgánica 3/2018, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD) (National) – Spain's national data protection law, which supplements the GDPR. It reinforces the GDPR's requirements and supports the idea that when the legal or agreed retention period ends, personal data must be either deleted or anonymized.
  • Data Retention Law (Law 25/2007) (National, Communications) – Spain implemented the EU Data Retention Directive via Law 25/2007, which requires telecom and internet providers to retain certain traffic and location data for 12 months for investigating serious crimes. The law allowed the government to adjust retention between 6 months and 2 years by regulation.
  • National Security and Digital Rights – Spain's LOPDGDD also included a chapter on digital rights. Combined with the Spanish Constitution's privacy protections, there is an environment where undue retention of personal data can be challenged as a rights violation. Spain also has an Esquema Nacional de Seguridad (ENS) for public administrations.

Italy

  • EU General Data Protection Regulation (GDPR) (Regional) – Italy follows the GDPR. Italian businesses and government agencies must ensure personal data is erased once it's no longer needed. Italy's supervisory authority, the Garante, oversees this.
  • Italian Personal Data Protection Code (Legislative Decree 196/2003, as amended by D.Lgs. 101/2018) (National) – Italy's comprehensive data protection law adjusted to align with GDPR. The general rule is that controllers must limit retention of personal data.
  • Data Retention Obligations for Communications (National) – Italy has had one of the longest data retention mandates in the EU. By default, Italian law required telcos to retain telephone traffic data for 24 months and internet access data for 12 months. In 2017, Italy passed Law 167/2017 which extended the retention period to 72 months (6 years) for telephone and internet data in cases of serious crimes. This blanket 6-year retention has been highly controversial and is being reassessed following EU Court of Justice rulings.
  • Data Disposal and Security Practices – Italian regulations stress proper destruction of data. The Garante has issued best practices requiring anonymization of certain datasets after defined periods. Under Italy's Cybersecurity Act 2021, critical operators must manage data securely, which includes not retaining sensitive personal data longer than necessary.

Austria

  • EU General Data Protection Regulation (GDPR) (Regional) – Austria implements the GDPR as its data privacy cornerstone. Austrian companies and authorities must not hoard personal data without purpose. Data should be erased once it's no longer required.
  • Datenschutzgesetz (DSG) (National) – Austria's Data Protection Act, which works alongside the GDPR. Under the DSG, the fundamental right to data protection is enshrined, and it upholds that unnecessary retention is a violation of that right.
  • Telecommunications Data Retention (Repealed) (National) – Austria had implemented the EU Data Retention Directive in 2012, requiring telecom operators to store communications metadata for 6 months. In June 2014, Austria's Constitutional Court struck down the data retention law as unconstitutional. Since 2014, Austria has not had any general telecom data retention mandate, making Austria, like Germany, an EU country without a current blanket data retention regime.
  • Records Management and Disposal – Austrian administrative law (e.g., the Federal Archiving Act) dictates how long official records should be kept and when they should be destroyed or archived. Common legal retention periods (tax, accounting records for 7 years, etc.) apply, but after those periods, data should be deleted.

A common theme across these countries is that data should not be kept forever: laws either directly require deletion of personal information once it becomes unnecessary, or they implicitly encourage it by limiting retention to what is justified and imposing penalties for holding data negligently beyond that.
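The recurring logic across the jurisdictions above is a two-sided rule: data must go once it is no longer needed, but never before a statutory minimum (tax, accounting, HIPAA compliance records) has run, and never while a legal hold is in place. The following evaluator is an added example written for this page, not code from any regulator or from the page's author. The rule categories are hypothetical, and the periods are taken only from figures quoted on this page (GLBA's two years after last use, the Dutch seven-year tax record period, HIPAA's six years for compliance documentation); they are illustrative, not an authoritative schedule for any jurisdiction.

```python
"""Retention-schedule evaluator (added example; hypothetical categories and
illustrative periods taken from figures quoted on this page, not an
authoritative schedule for any jurisdiction)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional
import hashlib


class Decision(Enum):
    RETAIN = "retain"          # statutory minimum not reached, or purpose still live
    DISPOSE = "dispose"        # past the minimum and no longer needed: must be destroyed
    REVIEW = "review"          # default cap passed while purpose is still recorded as live
    LEGAL_HOLD = "legal_hold"  # litigation/regulatory hold overrides the schedule


@dataclass(frozen=True)
class Rule:
    min_years: int                            # statutory minimum, counted from Record.anchor
    max_years_after_last_use: Optional[int]   # default cap such as GLBA's two years; None = purpose-based only


@dataclass
class Record:
    record_id: str
    category: str
    anchor: date                   # start of the statutory clock (collection or fiscal-year end)
    last_used: date
    purpose_ended: Optional[date]  # None while the original purpose is still live
    legal_hold: bool = False


# Hypothetical schedule lines; periods are the ones this page quotes.
SCHEDULE = {
    "glba_customer": Rule(min_years=0, max_years_after_last_use=2),
    "nl_financial": Rule(min_years=7, max_years_after_last_use=None),
    "hipaa_compliance_doc": Rule(min_years=6, max_years_after_last_use=None),
}


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def schedule_date(rec: Record) -> Optional[date]:
    """Date on which the schedule next demands action (disposal or review).
    The statutory floor wins over the 'no longer necessary' trigger, so the
    answer is max(floor, earliest trigger); None means keep for now."""
    rule = SCHEDULE[rec.category]
    floor = add_years(rec.anchor, rule.min_years)
    triggers = []
    if rec.purpose_ended is not None:
        triggers.append(rec.purpose_ended)
    if rule.max_years_after_last_use is not None:
        triggers.append(add_years(rec.last_used, rule.max_years_after_last_use))
    return max(floor, min(triggers)) if triggers else None


def decide(rec: Record, today: date) -> Decision:
    rule = SCHEDULE[rec.category]
    if rec.legal_hold:                                  # checked first, never after deletion
        return Decision.LEGAL_HOLD
    if today < add_years(rec.anchor, rule.min_years):
        return Decision.RETAIN                          # deleting now would breach the statutory minimum
    if rec.purpose_ended is not None and today >= rec.purpose_ended:
        return Decision.DISPOSE
    cap = rule.max_years_after_last_use
    if cap is not None and today >= add_years(rec.last_used, cap):
        return Decision.REVIEW                          # document the continued business need, or dispose
    return Decision.RETAIN


def disposition_entry(rec: Record, today: date, method: str) -> dict:
    """Audit evidence of destruction: a digest of the record key, never the data.
    Use a keyed hash (HMAC) in production so low-entropy IDs cannot be brute-forced."""
    ref = hashlib.sha256(rec.record_id.encode()).hexdigest()[:16]
    return {"record_ref": ref, "category": rec.category,
            "destroyed_on": today.isoformat(), "method": method}


# Constructed sample records; they describe no real person or organization.
SAMPLE_RECORDS = [
    Record("cust-001", "glba_customer", date(2020, 1, 15), date(2022, 3, 1), None),
    Record("cust-002", "glba_customer", date(2021, 5, 1), date(2025, 1, 10), date(2025, 2, 1)),
    Record("inv-2019-77", "nl_financial", date(2019, 12, 31), date(2020, 2, 1), date(2020, 2, 1)),
    Record("inv-2017-12", "nl_financial", date(2017, 12, 31), date(2018, 3, 1), date(2018, 3, 1), legal_hold=True),
    Record("hipaa-pol-3", "hipaa_compliance_doc", date(2018, 9, 1), date(2018, 9, 1), date(2018, 9, 1)),
]


def run_sample(today: date = date(2025, 6, 30)) -> dict:
    """Evaluate the sample set as of `today`; returns {record_id: decision value}."""
    return {rec.record_id: decide(rec, today).value for rec in SAMPLE_RECORDS}
```

Calling run_sample() shows the interaction the laws above describe: inv-2019-77 stays even though its purpose ended in 2020, because the seven-year floor runs to the end of 2026; cust-002 must go because its purpose has ended and GLBA sets no minimum; cust-001 is flagged for review because the two-year default cap has passed while the purpose is still recorded as live; and the legal hold on inv-2017-12 blocks disposal regardless of the schedule. The disposition entry records that deletion happened without itself becoming a copy of the personal data.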

Disclaimer

The content provided by the Opus Guard Governance Library is for informational purposes only and does not constitute legal advice. While we strive to offer useful guidelines to assist your understanding and learning, it is important to consult legal counsel or authoritative sources for specific advice relevant to your circumstances.