Data Retention Laws by Country (2026)
Every country that regulates personal data addresses the same fundamental question: how long can organizations keep it? Data retention laws set the boundaries, requiring businesses to define storage periods, justify ongoing retention, and securely destroy data when the legal basis expires. Getting this wrong carries real consequences, from regulatory fines in the millions to litigation exposure and reputational harm.
The Storage Limitation Principle Under the GDPR
The GDPR does not prescribe specific retention periods for most categories of data. Instead, Article 5(1)(e) establishes the storage limitation principle: personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."
This means organizations must determine their own retention periods based on the purpose of processing, document those periods in their records of processing activities (Article 30), and communicate them to data subjects in their privacy notices (Article 13(2)(a)).
The GDPR does allow longer retention for archiving in the public interest, scientific or historical research, or statistical purposes, provided appropriate technical and organizational safeguards are in place (Article 89).
EU Sector-Specific Retention Periods
While the GDPR itself avoids fixed timelines, EU member state laws and sector regulations impose specific periods:
Telecommunications metadata. The EU's original Data Retention Directive (2006/24/EC) required telecom providers to store communications metadata for 6 to 24 months. The Court of Justice of the European Union (CJEU) invalidated this directive in 2014 in Digital Rights Ireland (Case C-293/12). However, many member states maintained or re-enacted similar national requirements. The CJEU has continued to refine permissible retention in subsequent rulings, most recently in La Quadrature du Net (2020), allowing targeted retention for national security purposes.
Financial records. EU Anti-Money Laundering directives require retention of customer due diligence records and transaction data for 5 years after the end of the business relationship, with member states permitted to extend this to 10 years.
Employment records. Most EU member states require employers to retain payroll and tax records for 6 to 10 years after the employment relationship ends. Germany requires 10 years for tax-relevant documents; France requires 5 years for payroll records.
Medical records. Retention periods for patient health data vary significantly. The UK NHS recommends retaining adult health records for 8 years after the last treatment (25 years for mental health), while France requires 20 years from the last medical contact.
Country-by-Country Retention Frameworks
United States
The United States has no single comprehensive federal data retention law equivalent to the GDPR. Instead, retention requirements are scattered across sector-specific federal statutes and state laws.
Federal requirements:
- IRS (tax records): The Internal Revenue Service requires businesses to retain tax records for a minimum of 3 years from the filing date, extending to 6-7 years in cases involving substantial understatement of income (26 USC 6501).
- HIPAA (health records): HIPAA requires covered entities to retain documentation of policies and procedures for 6 years from the date of creation or the date it was last in effect (45 CFR 164.530(j)). State laws often impose longer periods for the underlying medical records themselves.
- FLSA (employment records): The Fair Labor Standards Act requires employers to keep payroll records for 3 years and records used in wage computations for 2 years (29 CFR 516).
- SOX (financial records): The Sarbanes-Oxley Act requires retention of audit work papers for 7 years (18 USC 1520).
- SEC Rule 17a-4: Broker-dealers must retain certain records for 3-6 years depending on the record type.
State-level requirements: Several states have enacted their own retention and destruction mandates. California's CCPA/CPRA requires businesses to disclose retention periods and not retain data longer than reasonably necessary (Cal. Civ. Code 1798.100(c)). Colorado and Virginia's privacy laws contain similar storage limitation principles.
United Kingdom
Post-Brexit, the UK retains the GDPR's storage limitation principle through the UK GDPR. The ICO enforces this alongside sector-specific UK legislation:
- Financial services: FCA rules require retention of transaction records for 5 years (MiFID II) and anti-money laundering records for 5 years after the business relationship ends.
- Telecom: The Investigatory Powers Act 2016 allows retention of internet connection records for up to 12 months for law enforcement access, though this has faced legal challenges.
- Employment: HMRC requires payroll records to be kept for 3 years after the end of the tax year they relate to.
Brazil (LGPD)
Brazil's LGPD mirrors the GDPR storage limitation principle under Article 15, requiring deletion of personal data after the purpose of processing has been achieved. Exceptions include compliance with legal obligations, research (with anonymization where possible), transfer to third parties (with consent requirements), and the controller's legitimate interests.
Brazilian sector-specific laws require:
- Tax records: 5 years (Código Tributário Nacional)
- Employment records: Up to 30 years for occupational health records, 5 years for general employment records
- Consumer records: 5 years (Código de Defesa do Consumidor)
China (PIPL)
China's Personal Information Protection Law (Article 19) requires that retention periods be the "minimum necessary to achieve the purpose of processing." Organizations must delete or anonymize personal information once the purpose is achieved, the agreed retention period expires, or the individual withdraws consent.
China also maintains extensive sector-specific requirements:
- Cybersecurity Law: Network operators must retain network logs for at least 6 months.
- Financial records: Banks must retain customer identification records for 5 years after accounts are closed and transaction records for 5 years after the transaction.
- Telecom: Operators must retain user registration information for the duration of the service plus 5 years after termination.
India (DPDPA)
India's Digital Personal Data Protection Act, 2023 requires data fiduciaries to erase personal data once the purpose of processing has been fulfilled and retention is no longer necessary (Section 8(7)). The central government retains authority to prescribe specific retention periods through rules, which were still being finalized as of early 2026.
Sector-specific retention under existing Indian law:
- Companies Act 2013: Financial records must be kept for 8 years.
- Income Tax Act: Tax records must be retained for 6-8 years depending on assessment status.
- RBI regulations: KYC records must be retained for 5 years after the business relationship ends.
South Korea (PIPA)
South Korea's PIPA requires destruction of personal information within 5 days of the retention period expiring or the purpose being achieved (Article 21). This is one of the most aggressive destruction timelines globally.
If retention is required by another law, the information must be stored separately from other personal data. South Korean sector-specific retention periods include:
- E-commerce records: 5 years for contract and payment records under the Act on Consumer Protection in Electronic Commerce.
- Telecom: 12 months for subscriber data, 3 months for communications metadata under the Telecommunications Business Act.
- Tax records: 5 years under the Framework Act on National Taxes.
Australia
Australia's Privacy Act 1988 requires organizations to take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose for which it may lawfully be used (Australian Privacy Principle 11). The Telecommunications (Interception and Access) Act requires telecom providers to retain metadata for 2 years.
Canada
Canada's PIPEDA requires organizations to retain personal information only as long as necessary for the identified purpose. The proposed Consumer Privacy Protection Act (CPPA, part of Bill C-27) would strengthen destruction requirements. Provincial laws add further requirements: Quebec's Law 25 amendments (effective September 2023) require organizations to destroy or anonymize personal information once the purpose is achieved.
Key Retention Periods Comparison Table
| Sector/Record Type | US | EU/GDPR | UK | Brazil | China | South Korea | Australia |
|---|---|---|---|---|---|---|---|
| Tax/Financial Records | 3-7 years | 5-10 years (varies by member state) | 3-6 years | 5 years | 5 years | 5 years | 5-7 years |
| Employment/Payroll | 2-3 years (FLSA) | 6-10 years (varies) | 3 years (HMRC) | 5-30 years | Per contract + law | 3 years | 7 years |
| Health/Medical Records | 6+ years (HIPAA docs) | 8-20 years (varies) | 8-25 years (NHS) | 20 years | 15 years minimum | 5 years post-treatment | 7 years |
| Telecom Metadata | No federal mandate | 6-24 months (varied) | 12 months (IPA) | Per sector regulation | 6 months (logs) | 3-12 months | 2 years |
| Anti-Money Laundering | 5 years (BSA) | 5 years (AMLD) | 5 years | 5 years | 5 years | 5 years | 7 years |
| Consumer/E-commerce | No federal mandate | Purpose-based | Purpose-based | 5 years | Purpose-based | 5 years | Purpose-based |
Data Destruction Requirements
Retention obligations are meaningless without enforceable destruction requirements. Most modern privacy laws now specify how data must be destroyed, not just when.
GDPR Approach
The GDPR requires erasure that renders data unrecoverable. The European Union Agency for Cybersecurity (ENISA) has published guidance recommending physical destruction for hardware and cryptographic erasure or multi-pass overwriting for electronic records.
US Federal Standards
The National Institute of Standards and Technology (NIST) publishes SP 800-88 Rev. 1 ("Guidelines for Media Sanitization"), which provides detailed methods for clearing, purging, and destroying data storage media. Many state privacy laws reference NIST standards as the benchmark for adequate destruction.
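Cryptographic erasure, which the ENISA guidance above lists alongside overwriting and physical destruction, works by encrypting a dataset under its own key and then destroying only the key: the stored bytes remain, but nothing can read them. The following is an added example (not code from the article, ENISA or NIST) that shows the mechanism end to end. To run offline with the standard library it uses an HMAC-SHA256 keystream as the cipher and an in-memory dictionary as the key store; both are stand-ins, and a real deployment would use AES-GCM from a vetted library with keys held in a KMS or HSM.

```python
"""Cryptographic erasure demo (added example, not from the original article).

Each dataset gets one key. Records are encrypted under that key; "erasing"
the dataset means destroying the key, after which every record in it is
unrecoverable even though the ciphertext is still stored.
Assumptions: HMAC-SHA256 in counter mode stands in for a real cipher such as
AES-GCM, and a dict stands in for a KMS/HSM. Sample rows are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based keystream used only so the demo runs offline."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = nonce + counter.to_bytes(8, "big")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class ErasableStore:
    """Records encrypted under one key per dataset; destroying the key erases the dataset."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}  # stand-in for a KMS/HSM (assumption)
        # (dataset, record_id) -> (nonce, ciphertext); this is what stays on disk
        self.blobs: dict[tuple[str, str], tuple[bytes, bytes]] = {}

    def put(self, dataset: str, record_id: str, plaintext: bytes) -> None:
        key = self._keys.setdefault(dataset, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)  # fresh per record; a nonce must never repeat under one key
        ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        self.blobs[(dataset, record_id)] = (nonce, ciphertext)

    def get(self, dataset: str, record_id: str) -> bytes:
        if dataset not in self._keys:
            raise KeyError(f"dataset {dataset!r} has been cryptographically erased")
        nonce, ciphertext = self.blobs[(dataset, record_id)]
        return _xor(ciphertext, _keystream(self._keys[dataset], nonce, len(ciphertext)))

    def crypto_erase(self, dataset: str) -> int:
        """Destroy the dataset key. Returns how many stored records are now unreadable,
        which is the figure a destruction log entry would record."""
        del self._keys[dataset]
        return sum(1 for (d, _) in self.blobs if d == dataset)


if __name__ == "__main__":
    store = ErasableStore()
    store.put("payroll-2019", "emp-1", b"constructed sample payroll row")
    print(store.get("payroll-2019", "emp-1"))
    print("records erased:", store.crypto_erase("payroll-2019"))
    try:
        store.get("payroll-2019", "emp-1")
    except KeyError as exc:
        print(exc)
```

The property worth checking in any real implementation is the last step: after the key is gone, the blobs are still present in `store.blobs`, yet no code path can turn them back into plaintext. Because the erasure is a single key-destruction event, it is also easy to log with a date, method and responsible person, and datasets under different keys (a payroll year versus an AML file) can be erased on independent schedules.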
Documentation Requirements
Several jurisdictions require organizations to maintain records of data destruction:
- South Korea requires a destruction log documenting the date, method, and person responsible for each destruction event.
- The UK ICO recommends maintaining destruction certificates for outsourced disposal services.
- Singapore's PDPA requires organizations to maintain "reasonable accountability" for destruction, including keeping records.
Litigation Holds and Retention Conflicts
A litigation hold (or legal hold) is an obligation to preserve all potentially relevant documents and data when litigation is reasonably anticipated. In the United States, the duty to preserve arises from common law and has been reinforced by Federal Rules of Civil Procedure amendments, particularly Rule 37(e), which addresses sanctions for failure to preserve electronically stored information.
Litigation holds override standard retention schedules. If an organization's retention policy calls for deletion after 3 years, but litigation is anticipated involving those records, the organization must suspend deletion for the affected data until the hold is lifted.
The tension between privacy law requirements to delete data and litigation preservation duties creates genuine compliance challenges. Organizations operating under both the GDPR's data minimization principles and US litigation hold obligations must carefully document their reasoning when choosing to retain data beyond its normal retention period.
Practical Compliance Steps
Organizations navigating multi-jurisdictional retention requirements should consider these steps:
Conduct a data inventory. Map every category of personal data collected, the jurisdictions it flows through, and the legal bases for processing. This inventory forms the foundation of a defensible retention schedule.
Build a retention schedule. For each data category, identify the longest mandatory retention period across all applicable jurisdictions, then set that as the retention ceiling. Document the legal basis for each period.
Automate deletion. Manual deletion processes are error-prone. Modern data governance platforms can enforce automated deletion based on retention schedules, with exception handling for litigation holds.
Document everything. Regulators and courts increasingly expect organizations to demonstrate not just that they have a retention policy, but that they follow it. Maintain destruction logs, audit trails, and exception records.
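The four steps above, together with the litigation-hold rule from the previous section and the destruction-log fields South Korea requires (date, method, responsible person), can be expressed as a small retention engine. The following is an added example, not code from the article or from any product it mentions: it takes a constructed schedule of per-jurisdiction periods, computes the retention ceiling for each record as the longest period across the jurisdictions it touches, treats records past the ceiling as deletion candidates, suspends deletion for records under a hold, and writes a log entry for each destruction. All category names, jurisdiction codes and periods are illustrative placeholders, not a statement of what any law requires.

```python
"""Retention schedule engine (added example, not from the original article).

Steps modelled: data inventory -> retention ceiling per category across
jurisdictions -> automated deletion with litigation-hold exceptions ->
destruction log. SCHEDULE values and records are constructed sample data;
a real schedule cites the statute for every entry.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory: category -> {jurisdiction code: retention period in days}.
SCHEDULE: dict[str, dict[str, int]] = {
    "payroll": {"US-FLSA": 3 * 365, "DE": 10 * 365, "UK-HMRC": 3 * 365},
    "aml_kyc": {"EU-AMLD": 5 * 365, "UK": 5 * 365},
}


def retention_ceiling(category: str, jurisdictions: set[str]) -> int:
    """Longest mandatory period among the jurisdictions this data flows through."""
    periods = [days for code, days in SCHEDULE[category].items() if code in jurisdictions]
    if not periods:
        raise KeyError(f"no retention rule for {category!r} in {sorted(jurisdictions)}")
    return max(periods)


@dataclass
class Record:
    record_id: str
    category: str
    jurisdictions: set[str]
    trigger_date: date          # event the period runs from, e.g. end of employment
    on_hold: bool = False       # litigation hold: deletion suspended until lifted


@dataclass
class DestructionLogEntry:
    record_id: str
    destroyed_on: date
    method: str
    responsible: str


def expiry_date(record: Record) -> date:
    return record.trigger_date + timedelta(days=retention_ceiling(record.category, record.jurisdictions))


def deletion_due(record: Record, today: date) -> bool:
    return today >= expiry_date(record)


def run_retention(records: list[Record], today: date, operator: str,
                  method: str = "cryptographic erasure"):
    """One scheduled pass. Returns (destroyed ids, ids kept under hold, destruction log)."""
    destroyed: list[str] = []
    held: list[str] = []
    log: list[DestructionLogEntry] = []
    for record in records:
        if not deletion_due(record, today):
            continue                      # still inside the retention ceiling
        if record.on_hold:
            held.append(record.record_id)  # hold overrides the schedule; record the exception
            continue
        destroyed.append(record.record_id)
        log.append(DestructionLogEntry(record.record_id, today, method, operator))
    return destroyed, held, log


if __name__ == "__main__":
    sample = [
        Record("A", "payroll", {"US-FLSA", "UK-HMRC"}, date(2020, 1, 1)),
        Record("B", "payroll", {"DE", "UK-HMRC"}, date(2020, 1, 1)),
        Record("C", "aml_kyc", {"EU-AMLD"}, date(2019, 6, 1), on_hold=True),
    ]
    destroyed, held, log = run_retention(sample, date(2026, 1, 15), "records-officer")
    print("destroyed:", destroyed, "held:", held)
    for entry in log:
        print(entry)
```

Two design points matter in practice. Record B is identical to A except that one of its jurisdictions imposes a 10-year period, so the ceiling rule keeps it; this is the "longest mandatory period" step applied per record rather than per category. Record C is past its ceiling but on hold, so it is reported separately instead of silently skipped, which gives the exception record the final step asks for. A category with no rule for a record's jurisdictions raises rather than defaulting to indefinite retention, which is the failure a storage-limitation audit would otherwise find later.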
This article provides general legal information about data retention requirements across jurisdictions. Retention periods change as laws are amended. Consult an attorney for advice specific to your situation.
Sources and References
- GDPR Article 5, Principles Relating to Processing of Personal Data (gdpr-info.eu)
- GDPR Article 13, Information to Be Provided Where Personal Data Are Collected (gdpr-info.eu)
- CJEU, Digital Rights Ireland (Case C-293/12) (curia.europa.eu)
- 26 USC 6501, Limitations on Assessment and Collection (law.cornell.edu)
- 45 CFR 164.530, HIPAA Administrative Requirements (law.cornell.edu)
- CCPA Section 1798.100, Consumer Right to Know (leginfo.legislature.ca.gov)
- Brazil LGPD (Lei 13.709/2018) (planalto.gov.br)
- China PIPL, full text (npc.gov.cn)
- India DPDPA 2023, full text (meity.gov.in)
- South Korea PIPA, English translation (law.go.kr)
- Australian Privacy Principles (oaic.gov.au)
- NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization (csrc.nist.gov)
- Federal Rules of Civil Procedure, Rule 37(e) (law.cornell.edu)
- UK ICO, Data Protection Principles (ico.org.uk)