Data Retention Laws by Country (2026): GDPR, CJEU and Global Rules

Organizations worldwide face a deceptively simple question: how long can you keep personal data? The answer depends on which of two very different legal concepts applies. The GDPR storage-limitation principle says keep data no longer than necessary. Mandatory communications-data retention laws say you must keep certain metadata for a fixed period. Both carry significant penalties for non-compliance.

Jurisdictional scope: This article covers the GDPR/UK GDPR storage-limitation principle, the CJEU case law on mandatory communications-data retention, and the national retention frameworks of the United States, United Kingdom, EU, Brazil, China, India, South Korea, Australia, Canada, Japan, Singapore, South Africa, and Mexico. Information verified May 2026. Consult a lawyer licensed in your jurisdiction for advice specific to your situation.

Two Meanings of "Data Retention"

The phrase "data retention law" is used for two legally distinct concepts that point in opposite directions, and confusing them produces compliance errors.

The storage-limitation principle (privacy-law model) says organizations must not keep personal data longer than necessary for the purpose it was collected. GDPR Article 5(1)(e) is the canonical statement of this rule. South Africa's POPIA, Brazil's LGPD, India's DPDPA, and Canada's PIPEDA all echo it. Under this model, retention is an ongoing legal risk: the longer you keep data, the greater your exposure. The obligation runs from controller to regulator.

Mandatory communications-data retention laws (surveillance-law model) compel internet service providers and telecom operators to retain subscriber and traffic metadata for a fixed period so that law enforcement can access it retroactively. The EU's now-invalidated Data Retention Directive (2006/24/EC) is the canonical example. Australia's Telecommunications (Interception and Access) Act, the UK's Investigatory Powers Act, and South Korea's Telecommunications Business Act all create mandatory minimum retention periods. Under this model, deletion before the statutory period expires is the offense. The obligation runs from carrier to government.

The same data can be subject to both regimes simultaneously. A telecom company subject to a 12-month government-mandated retention law is also subject to GDPR storage limitation for the same customer data: it cannot delete before 12 months (government mandate) but must also justify keeping it beyond the 12 months under GDPR (storage-limitation principle). Those two constraints together define the lawful retention window.

The Storage-Limitation Principle Under the GDPR

GDPR Article 5(1)(e) establishes that personal data must be kept "in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." The GDPR does not set specific retention periods for most data categories; organizations must determine and document their own periods.

Organizations must record retention periods in their records of processing activities (Article 30) and communicate them to data subjects in privacy notices (Article 13(2)(a)). Longer retention is permissible only for archiving in the public interest, scientific or historical research, or statistical purposes, with appropriate safeguards (Article 89).

The EDPB's 2025 Coordinated Enforcement Action on the right to erasure (published February 2026) found widespread non-compliance: some controllers apply the longest applicable retention period to all processing operations; others retain data indefinitely. The EDPB recommended that national DPAs develop further practical guidance on retention-period determination.

EU Sector-Specific Retention Periods

While the GDPR avoids fixed timelines, EU member state laws and sector regulations impose specific periods:

Anti-Money Laundering. EU AML directives require retention of customer due diligence records and transaction data for five years after the end of the business relationship, with member states permitted to extend to ten years.

Employment records. Most EU member states require employers to retain payroll and tax records for six to ten years after the employment relationship ends. Germany requires ten years for tax-relevant documents; France requires five years for payroll records.

**Medical records.** Retention periods for patient health data vary significantly. The UK NHS recommends retaining adult health records for eight years after the last treatment (25 years for mental health records), while France requires 20 years from the last medical contact.

Telecommunications metadata. The EU's original Data Retention Directive (2006/24/EC) required telecom providers to store communications metadata for 6 to 24 months. The CJEU invalidated the Directive in 2014 in Digital Rights Ireland. Most EU member states maintained national retention requirements, but those too have faced CJEU scrutiny. As of a 2025 survey of 18 European countries, only Germany, the Netherlands, and Romania had no telecom data retention rules in force; most others retained general retention obligations despite CJEU case law, and only Belgium, Denmark, and the UK imposed only targeted retention.

The CJEU Communications-Data Retention Case Law

The Court of Justice of the EU has developed a body of case law on mandatory communications-data retention that has progressively narrowed what member states may compel telecoms to retain. Understanding this trajectory is essential for any organization operating across EU member states.

Digital Rights Ireland (2014)

In Digital Rights Ireland (Joined Cases C-293/12 and C-594/12, April 8, 2014), the CJEU's Grand Chamber invalidated the EU Data Retention Directive (2006/24/EC) in its entirety. The Directive had required blanket retention of all communications metadata for 6 to 24 months. The court found that requiring general and indiscriminate retention of all data of all users, with no differentiation, limitation, or exception based on the objective of fighting serious crime, interfered disproportionately with the rights to privacy and data protection guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights.

Tele2 Sverige and Watson (2016)

With the Directive gone, several member states maintained or re-enacted national retention laws. In Tele2 Sverige and Watson (Joined Cases C-203/15 and C-698/15, December 21, 2016), the Grand Chamber held that national legislation providing for general and indiscriminate retention of all traffic and location data of all subscribers is incompatible with EU law. Lawful targeted retention must be: (a) limited to specific categories of data, means of communication, persons concerned, and retention periods; (b) restricted to what is strictly necessary; (c) accessible only for fighting serious crime; and (d) subject to prior review by a court or independent administrative body. The court also required that retained data be stored within the EU and irreversibly destroyed at the end of the retention period.

La Quadrature du Net I (2020)

In La Quadrature du Net I (Joined Cases C-511/18, C-512/18, C-520/18, and C-623/17, October 6, 2020), the Grand Chamber confirmed the ban on general retention but recognized three permissible exceptions: (1) preventive general retention of all metadata during a foreseeable period of serious threat to national security, subject to review by a court or independent body; (2) targeted retention based on geographical criteria or characteristics of specific groups for fighting serious crime; and (3) expedited preservation of retained data (quick-freeze) for ongoing investigations.

SpaceNet and Telekom Deutschland (2022)

In SpaceNet and Telekom Deutschland (Joined Cases C-793/19 and C-794/19, September 20, 2022), the Grand Chamber reaffirmed that German legislation requiring general and indiscriminate retention of telecommunications traffic and location data was incompatible with EU law, even for the purpose of fighting serious crime. The ruling underscored that quick-freeze and targeted retention remain available but general retention is not, regardless of the crime prevention objective.

La Quadrature du Net II (2024)

The most recent development is La Quadrature du Net II (Case C-470/21, April 30, 2024), which addressed the French HADOPI anti-piracy system. The CJEU's full court (not Grand Chamber) held that IP addresses are traffic data under Directive 2002/58, but are distinct from other traffic and location data in that their general and indiscriminate retention does not constitute a serious interference with fundamental rights when properly safeguarded.

The court permitted retention of IP addresses and their association with civil identity data for law enforcement access to combat online copyright infringement, including non-serious offenses. The required safeguards are: (a) IP address data must be stored separately from other retained data via secure technical systems; (b) access must be restricted to prosecution referral only, preventing clickstream tracking or profiling; (c) prior review by a court or independent body is required when there is risk of profiling; and (d) periodic independent oversight of system integrity is maintained.

What This Means Now

The CJEU case law as of 2026 permits member states to: retain IP addresses generally with technical safeguards; impose targeted retention based on geography or suspect categories for serious crime; use quick-freeze orders; and impose general retention during a foreseeable period of serious national security threat. General and indiscriminate retention of all metadata for all users for fighting ordinary crime remains unlawful. The European Commission is consulting on a new EU-level mandatory metadata retention framework (call for evidence launched May 2025; draft legislation expected early 2026), which would need to navigate these constraints.

Country-by-Country Retention Frameworks

United States

The United States has no single comprehensive federal data retention law equivalent to the GDPR. Retention requirements come from sector-specific federal statutes and state laws.

Federal requirements:

• IRS (tax records): Businesses must retain tax records for a minimum of three years from the filing date, extending to six to seven years for substantial understatement of income (26 USC 6501).
• HIPAA (health records): Covered entities must retain documentation of policies and procedures for six years from creation or last effective date (45 CFR 164.530(j)). State laws often impose longer periods for underlying medical records.
• FLSA (employment records): The Fair Labor Standards Act requires employers to keep payroll records for three years and wage computation records for two years (29 CFR 516).
• SOX (financial records): The Sarbanes-Oxley Act requires retention of audit work papers for seven years (18 USC 1520).
• SEC Rule 17a-4: Broker-dealers must retain certain records for three to six years depending on record type.
• Bank Secrecy Act (AML records): Financial institutions must retain records of certain transactions, including Currency Transaction Reports and Suspicious Activity Reports, for five years.

State-level requirements: California's CCPA/CPRA requires businesses to disclose retention periods and avoid retaining data longer than reasonably necessary (Cal. Civ. Code 1798.100(c)). Colorado, Virginia (VCDPA), and Texas (TDPSA) contain parallel storage-limitation principles requiring documented retention periods aligned with processing purposes.

United Kingdom

Post-Brexit, the UK retains the GDPR's storage-limitation principle through the UK GDPR and Data Protection Act 2018. The ICO enforces this alongside sector-specific UK legislation.

The UK Data Protection and Digital Information (DPDI) Bill died when Parliament dissolved ahead of the July 2024 general election. The Data (Use and Access) Act received Royal Assent on June 19, 2025, introducing changes to smart data schemes and data sharing but preserving the core UK GDPR storage-limitation principle unchanged.

Sector-specific periods include:

• Financial services: FCA rules require retention of transaction records for five years (MiFID II) and AML records for five years after the business relationship ends.
• Telecom: The Investigatory Powers Act 2016 allows retention of internet connection records for up to 12 months for law enforcement access. Belgium, Denmark, and the UK are among the few EU/post-EU jurisdictions that impose only targeted retention consistent with CJEU case law.
• Employment: HMRC requires payroll records to be kept for three years after the end of the tax year they relate to.

European Union Member States

Beyond the GDPR framework, individual EU member states maintain sector-specific statutory retention periods. Key examples:

Financial/AML: All member states implement the EU AML Directive's five-year retention requirement for customer due diligence and transaction records.

Employment: Germany requires ten years for tax-relevant employment documents; France requires five years for payroll records; Poland and the Czech Republic require 50 years for social insurance and pension-related records.

Health records: Germany requires 10 years for medical records from the end of treatment; France requires 20 years from last contact; Italy requires 30 years for medical records of major interventions.

Telecom metadata: As noted above, only Germany, the Netherlands, and Romania currently have no mandatory telecom retention rules. Most other member states maintain national laws that may be inconsistent with CJEU case law but have not yet been formally struck down domestically.

Brazil (LGPD)

Brazil's LGPD mirrors the GDPR storage-limitation principle under Article 15, requiring deletion of personal data after the processing purpose is achieved. Exceptions cover legal obligation compliance, research (with anonymization where possible), and the controller's legitimate interests.

Brazil's National Data Protection Authority (ANPD) issued its first significant enforcement decisions in 2024 and published draft retention guidance, signaling increased regulatory scrutiny of organizations that retain data without defined schedules.

Sector-specific Brazilian requirements include:

• Tax records: Five years (Codigo Tributario Nacional).
• Employment records: Five years for general records; up to 30 years for occupational health records.
• Consumer records: Five years (Codigo de Defesa do Consumidor).

China (PIPL)

China's PIPL Article 19 requires that retention periods be the "minimum necessary to achieve the purpose of processing." Organizations must delete or anonymize personal information once the purpose is achieved, the agreed retention period expires, or the individual withdraws consent.

The Network Data Security Management Regulations, announced September 30, 2024, and effective January 1, 2025, require network data processors to include the retention period of personal information in their processing rules. Where a period is difficult to determine, the method for determining it must be stated explicitly. These Regulations implement PIPL requirements with greater operational specificity.

Existing sector-specific requirements remain in force:

• Cybersecurity Law: Network operators must retain network logs for at least six months.
• Financial records: Banks must retain customer identification records for five years after account closure and transaction records for five years after the transaction.
• Telecom: Operators must retain user registration information for the service duration plus five years after termination.

India (DPDPA)

India's DPDPA Section 8(7) requires data fiduciaries to erase personal data once the processing purpose is fulfilled and retention is no longer necessary for legal compliance.

The Digital Personal Data Protection Rules 2025 were finalized on November 13, 2025, operationalizing the DPDPA with specific retention provisions:

• Minimum retention (Seventh Schedule processing): Data fiduciaries processing data under the Seventh Schedule (national security, statutory obligations) must retain personal data, traffic data, and processing logs for at least one year from the date of processing.
• Maximum retention (large-scale platforms): E-commerce entities and social media intermediaries with 20 million or more registered Indian users, and online gaming intermediaries with five million or more registered users, face a three-year cap from the later of the data principal's most recent request or the Rules' commencement date.
• Pre-deletion notification: Data fiduciaries must notify affected individuals 48 hours before deleting personal data if the individual has not interacted with the platform.

The Rules take effect in phases: 12 months for consent manager provisions and 18 months for the remainder. Sector-specific laws continue to apply: the Companies Act 2013 requires financial records for eight years; the Income Tax Act requires tax records for six to eight years; RBI KYC regulations require five years after the business relationship ends.

South Korea (PIPA)

South Korea's PIPA Article 21 requires destruction of personal information within five days of the retention period expiring or the processing purpose being achieved. This five-day destruction window is among the most aggressive globally.

Where retention is required by another law, the information must be stored separately from other personal data. Sector-specific periods include:

• E-commerce: Five years for contract and payment records under the Act on Consumer Protection in Electronic Commerce.
• Telecom: 12 months for subscriber data; three months for communications metadata under the Telecommunications Business Act.
• Tax records: Five years under the Framework Act on National Taxes.

Australia

Australia's Privacy Act 1988 (Australian Privacy Principle 11) requires organizations to take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose.

The Privacy and Other Legislation Amendment Act 2024 (Cth) received Royal Assent on December 10, 2024, introducing the most significant reform to Australia's privacy regime since its enactment. Key changes affecting data retention include: clarification that "reasonable steps" to protect personal information encompasses implementing "technical and organisational measures"; a new statutory tort for serious invasions of privacy (commenced no later than June 10, 2025); and new automated decision-making transparency obligations effective December 11, 2024. The two-year telecom metadata retention requirement under the Telecommunications (Interception and Access) Act remains unchanged.

Canada

Canada's PIPEDA (Personal Information Protection and Electronic Documents Act, SC 2000, c 5) requires organizations to retain personal information only as long as necessary for the identified purpose. Quebec's Law 25 amendments (effective September 2023) require organizations to destroy or anonymize personal information once the purpose is achieved.

Bill C-27 / CPPA update: Bill C-27, which would have enacted the Consumer Privacy Protection Act to replace PIPEDA, died on the Order Paper when Parliament prorogued in January 2025. A federal election in April 2025 pushed reform further down the legislative calendar. The Office of the Privacy Commissioner has expressed confidence that federal privacy reform will become a priority in the 45th Parliament, but no new federal legislation has been enacted as of May 2026. Canada continues to operate under PIPEDA, a law written in 2000.

Japan

Japan's Act on the Protection of Personal Information (APPI) Article 22 requires handling operators to endeavor to delete personal data when it becomes unnecessary, but does not specify fixed retention periods. Industry guidelines provide additional specificity: MIC Guidelines for telecommunications operators require carriers to document retention periods and erase data without delay after the retention period expires.

The Personal Information Protection Commission (PPC) rendered 67 enforcement cases in FY2024 (April 2024 to March 2025) and is consulting on 2025 APPI amendments including the introduction of administrative monetary penalties. Sector-specific retention periods include: corporate records under the Companies Act (10 years), financial institution records under the Banking Act (10 years after account closure), and tax records under the National Tax Act (seven years).

Singapore

Singapore's Personal Data Protection Act (PDPA) imposes a Retention Limitation Obligation requiring organizations to cease retaining or dispose of personal data when it is no longer needed for any business or legal purpose. The PDPC has escalated enforcement in 2024-2025: a 2024 case against Keppel Telecommunications found a breach for failure to delete outdated personal data from a legacy server. Financial penalties can reach S$1 million or 10% of annual Singapore turnover for organizations with turnover exceeding S$10 million.

Sector-specific requirements include: financial institutions regulated by MAS must retain customer records for five years; healthcare providers must retain medical records for six years under the Private Hospitals and Medical Clinics Regulations.

South Africa (POPIA)

South Africa's Protection of Personal Information Act (POPIA) Section 14 requires that records of personal information not be kept longer than necessary for achieving the purpose of collection. Extended retention is permitted for lawful functions, contractual obligations, or data subject consent.

Where a record has been used to make a decision about a data subject, it must be retained for a period required by law or code of conduct, or if no such period is specified, for long enough to afford the data subject a reasonable opportunity to request access. POPIA came into effect July 1, 2020, with the compliance deadline of June 30, 2021.

Mexico

Mexico enacted a new Federal Law on Protection of Personal Data held by Private Parties (LFPDPPP) effective March 21, 2025, replacing the 2010 version. Data controllers must establish retention periods and delete data after those periods expire, following a blocking process. Data related to contractual non-compliance must be deleted after 72 months. Once the processing purpose is fulfilled, data is blocked (preserved but not processed) until the legal or contractual statute of limitations expires, then deleted.

Key Retention Periods Comparison Table

Data Destruction Requirements

Retention obligations are meaningless without enforceable destruction requirements. Most modern privacy laws specify how data must be destroyed, not just when.

GDPR/EU approach: The GDPR requires erasure that renders data unrecoverable. The ENISA has published guidance recommending physical destruction for hardware and cryptographic erasure or multi-pass overwriting for electronic records. The EDPB has noted that anonymization (rendering individuals no longer identifiable) is an alternative to deletion for research and archiving purposes, but has warned against pseudonymization being treated as equivalent to erasure for storage-limitation purposes.

US federal standards: NIST publishes SP 800-88 Rev. 1 ("Guidelines for Media Sanitization"), providing detailed methods for clearing, purging, and destroying data storage media. Many state privacy laws reference NIST standards as the benchmark for adequate destruction.

Documentation requirements: Several jurisdictions require documented records of destruction:

• South Korea requires a destruction log documenting date, method, and person responsible within five days of purpose expiry.
• The UK ICO recommends maintaining destruction certificates for outsourced disposal services.
• Singapore's PDPA requires organizations to maintain "reasonable accountability" for destruction, including keeping records.
• India's DPDPA Rules require the 48-hour pre-deletion notification documented and logged.

Backup data: The EDPB's 2025 CEF report found that half of responding DPAs reported controllers have no specific procedures for erasure from backup systems. Some controllers do not delete personal data from backups at all. Regulators are increasingly treating backup data as subject to the same deletion obligations as primary data.

Litigation Holds and Retention Conflicts

A litigation hold (or legal hold) is an obligation to preserve all potentially relevant documents and data when litigation is reasonably anticipated. In the United States, the duty to preserve arises from common law and FRCP amendments, particularly Rule 37(e), which addresses sanctions for failure to preserve electronically stored information.

Litigation holds override standard retention schedules. If an organization's policy calls for deletion after three years but litigation is anticipated involving those records, the organization must suspend deletion for the affected data until the hold is lifted.

Under the GDPR, the tension between data minimization requirements and litigation hold duties is explicitly recognized. GDPR Recital 65 provides that retention beyond the original purpose may be permissible to establish, exercise, or defend legal claims. Organizations must document this legal basis in their records of processing activities and communicate it to affected data subjects.

How to Build a Compliant Retention Policy

Organizations navigating multi-jurisdictional retention requirements should follow these steps:

1. Conduct a data inventory. Map every category of personal data collected, the jurisdictions it flows through, and the legal bases for processing. This inventory forms the foundation of a defensible retention schedule.

2. Build a retention schedule. For each data category, identify the applicable retention periods across all relevant jurisdictions. Set the retention ceiling at the longest mandatory period. Document the legal basis for each period (legal obligation, legitimate interest, or consent).

3. Build a cross-border matrix. For multinational organizations, create a jurisdiction-by-jurisdiction table that identifies the longest mandatory period, the shortest maximum period, and the resulting lawful window. Where jurisdictions conflict (e.g., a mandatory 12-month minimum in jurisdiction A and a purpose-based maximum of six months in jurisdiction B), document the tension and the chosen resolution.

4. Automate deletion. Manual deletion processes are error-prone. Modern data governance platforms can enforce automated deletion based on retention schedules, with exception handling for litigation holds. The EDPB's 2025 CEF report found backup data is a common gap.

5. Document everything. Regulators and courts increasingly expect organizations to demonstrate not just that they have a retention policy, but that they follow it. Maintain destruction logs, audit trails, and exception records. South Korea and India both require specific documentation of destruction events.

Recent Developments (2024-2026)

EDPB 2025 right to erasure enforcement. The EDPB's 2025 Coordinated Enforcement Action covered 764 controllers across 32 jurisdictions and found widespread difficulty in determining and implementing retention periods. The EDPB has called for national DPAs to develop more specific retention guidance.

EU metadata retention legislation. The European Commission launched a formal call for evidence in May 2025 on reviving a mandatory EU-wide metadata retention framework. A draft legislative proposal is expected in early 2026. The proposal would apply to telecoms, cloud services, payment processors, and potentially end-to-end encrypted messaging services. Any law would need to navigate the CJEU case law prohibiting general and indiscriminate retention.

India DPDPA Rules finalized. India's DPDPA Rules were finalized on November 13, 2025, establishing specific retention caps for large digital platforms for the first time.

Australia Privacy Act reforms. The Privacy and Other Legislation Amendment Act 2024 (Royal Assent December 10, 2024) introduced the most significant Australian privacy reforms since the Act's enactment, clarifying destruction obligations and introducing a new statutory tort.

Mexico new LFPDPPP. Mexico's updated LFPDPPP took effect March 21, 2025, replacing a 2010 framework with updated data-handling and retention blocking procedures.