Comparison of Internet privacy laws in 13 countries

Here is an overview of the data retention, copyright and censorship laws in 13 countries and how they may affect you.

United States

  • ISPs can spy on any customer and sell their personal information.

  • This snooping can include any customer’s online data and personal information, including their web browsing history, app usage and geolocation.

  • Individual ISPs are essentially free to keep or delete your data as they see fit, with literally no oversight now in place.

  • ISPs are private companies, therefore they’re not obliged to reveal how long they keep customer data.

  • The Digital Millennium Copyright Act (DMCA) of 1998 protects the rights of copyright holders and prohibits copyright infringement, which includes the copying, redistribution or downloading of software, music, videos or games without the copyright holder’s express permission to do so.

  • The First Amendment should protect a person’s right to freedom of speech, and (to an extent) internet use could be considered a form of speech.

  • However, most online usage is not overtly protected.

  • Furthermore, the Fourth Amendment does not protect personal emails from being spied upon.

  • The Electronic Communications Privacy Act is incredibly opaque and outdated with regard to access to digital communication and is in dire need of reform.

United Kingdom

  • The Data Retention and Investigatory Powers Act (DRIPA) 2014 faced widespread opposition and was ruled unlawful by the UK’s High Court.

  • The UK then passed the Investigatory Powers Act at the end of 2016. The new legislation gave the UK government unprecedented powers of mass surveillance over its citizens and was immediately derided as the ‘Snooper’s Charter’.

  • It is widely recognised as being one of the most invasive mass-surveillance programmes of any democracy in history.

  • Any UK resident can have their personal data indiscriminately trawled, regardless of whether they are under investigation or not.

  • ISPs and phone companies would be compelled to harvest ‘Internet Connection Records’ (ICRs) by law or face prosecution.

  • ICRs would list every website a person had visited, at what time and via which IP address over a 12 month period.

  • Collection of data would be ‘en masse’ and as overreaching as the authorities see fit.

  • There is also the potential for sensitive data breaches and attacks.

  • The UK enacted the Digital Economy Act (DEA) 2010, which covers copyright issues.

  • There is now an online copyright enforcement regime to which rights holders and internet service providers (ISPs) have voluntarily agreed for ‘educating’ alleged infringers about the harm of piracy.

  • There is also now a push to make “micro payments” and other internet technologies a mechanism for properly remunerating rights holders for online use of their works.

  • There has also been the development of a ‘digital copyright hub’ to assist in rights clearance for online works.

  • The UK has no written constitution. Legal documents like the Magna Carta and legislation such as the Human Rights Act of 1998 do afford UK citizens inalienable rights and freedoms, but a simple Act of Parliament could alter these rights.

  • UK citizens do not have the constitutional protections of freedom of speech or freedom from censorship that citizens of other countries have, therefore said rights are legally precarious.


Germany

  • Germany enacted the Data Retention Act in 2015, one of the most draconian pieces of legislation in 2015 with regard to mandatory data retention by ISPs.

  • The Act requires all public telecommunication providers and ISPs to retain both call detail records (CDRs, which include phone numbers, the date and time of phone calls and texts, the content of text messages and, for cellular calls, the locations of call participants) and user metadata such as IP addresses, port numbers, etc.

  • The Act does provide for extensive technical requirements as to how providers can store all this data – this was a concession made to privacy and human rights advocates.

  • SPECIAL NOTE: Germany and all European Union (EU) states had been under obligation to implement the European Union’s 2006 Data Retention Directive (Directive 2006/24/EC), which requires that all German/EU ISPs must retain customer email data, web-browsing history and other data for at least one year. However, an April 2014 decision by the European Court of Justice (ECJ) declared that the European Data Retention Directive was a gross violation of privacy rights under European law and, therefore, was invalid.

  • Germany compels ISPs to hand over data of anyone suspected of infringing copyright on a commercial scale.

  • Notably, in 2013 the German Bundestag passed an addendum to the country’s copyright laws (known as the “Leistungsschutzrecht”), which allows publishers to charge aggregators and search engines for the content they index and re-publish on their sites and on their apps. This is referred to as the ‘Google compromise’.

  • Freedom of speech is a complex, highly emotional issue in Germany. It is protected under Article 5 (1) of the German constitution.

  • However, these freedoms are immediately curtailed under Article 5 (2), so that, for example, Holocaust denial is prohibited under German law, as is hate speech, which these days extends to anti-immigrant views.

  • Therefore, freedom of speech is far from absolute in Germany – and indirect censorship can often occur as a result.

Hong Kong

  • Hong Kong is a territory that is part of China, which is itself one of the world’s most oppressive countries in matters pertaining to online access and freedom.

  • It is very important to note that when Hong Kong was returned from British rule to Chinese sovereignty in 1997 it was designated as a Special Administrative Region (SAR). This means that Hong Kong has extensive regional autonomy in most internal matters (although not so with regard to external matters such as defence and foreign affairs).

  • Hong Kong has no data retention laws in place that compel ISPs to retain any customer information, logs or any related metadata relating to customers.

  • This is in stark contrast to the data retention regime imposed by the Chinese government on ISPs in mainland China - however, Hong Kong is exempt from Chinese law and oversight in that regard.

  • The Copyright Ordinance currently in force in Hong Kong came into effect in 1997. It provides comprehensive (and instant, it should be noted) protection for recognised categories of literary, dramatic, musical and other artistic works.

  • It also includes any works made available to the public on the Internet.

  • The Copyright (Amendment) Ordinance 2003 (and, thereafter, the Copyright (Amendment) Ordinance 2007) lifted the restriction on what is known as the “parallel importation” of articles containing a computer program i.e. computer software products. The amended law specifically includes six exemptions that are meant to quell concerns over freedom of expression.

  • Hong Kong citizens enjoy quite extensive freedom of speech and censorship protections.

  • There is undoubtedly tacit interference by Chinese authorities at times, but Hong Kong citizens have been mostly granted their rights to freedom of speech according to the territory’s Bill of Rights.

  • China’s own ‘Great Firewall’ for online usage and scrutiny of ISPs is not applicable to Hong Kong.

  • The law was amended in 2012 to grant citizens greater online privacy when compared with mainland China.

  • Remember, it was Hong Kong that so clearly showed its support for privacy rights when it allowed Edward Snowden to take refuge in the territory when he fled the U.S., even against U.S. requests to get him extradited back to the U.S.


France

  • All French ISPs must track their customers’ personal web-browsing activities, including the monitoring of what websites were visited, when they were visited and to whom emails have been sent.

  • This data must then be stored for at least one year after a person leaves their ISP’s service and must be made readily available to French law enforcement.

  • It also allows intelligence agencies to monitor phone calls and emails without prior judicial authorisation; it requires ISPs to install “black boxes” that filter all internet traffic, so as to mine everyone’s metadata in order to identify what are referred to as “deviant behaviours”, and provides access thereto to all intelligence and law enforcement agencies.

  • The law even allows the state to bug cars, homes and keyboards for images, sound and data on an array of different premises, ranging from terrorism to the protection of France’s commercial self-interests.

  • SPECIAL NOTE: See the Special Note above under Germany with regard to the European Union’s 2006 Data Retention Directive (Directive 2006/24/EC), and how it was found by the European Court of Justice (ECJ) in April 2014 to be a gross violation of the fundamental rights to privacy of EU citizens, including those of France.

  • Copyright law is stringent in France and governed by Section I of the French Intellectual Property Code.

  • Furthermore, there is no exception under French law to copyright protection for the use of a work for educational purposes, i.e. even the reproduction of a work to be shared with students in an educational setting must be authorized by the owner of the rights of the reproduced work.

  • France implemented a controversial anti-copyright theft law in 2009, which allowed copyright-holders to obtain personal data on users suspected of engaging in illegal file-sharing.

  • If a user is found guilty of file-sharing three times, then they will be banned from the internet by their ISP.

  • France generally has protections for freedom of speech and censorship.

  • However, freedom of speech has often been curtailed thanks to extremely tough libel and (ironically) privacy laws.

  • Online freedom in this regard is also curtailed due to tough anti-terror laws, increased online surveillance and laws relating to libel.

  • Strict hate speech laws, especially those relating to race and religion, have also had a chilling effect on freedoms of speech and expression.


Italy

  • All Italian ISPs must record and archive data such as a customer’s IP address, billing information, the websites they visit and to whom they send emails.

  • This is according to the Italian Data Protection Code of 2003, which has had an impressive average of 1.4 amendments per year since being enacted, invariably prompted by various changes to EU Directives on the subject of data retention and online.

  • All data relating to electronic communications in Italy must now be stored for a period of 5 years. The online data retention period had previously been 30 months. All this data must be separately accessible, although the usage thereof is limited to particularly “serious crimes,” which include kidnapping, organised crime and terrorism, as well as certain crimes against IT or online systems.

  • SPECIAL NOTE: See the Special Note above under Germany with regard to the European Union’s 2006 Data Retention Directive (Directive 2006/24/EC), and how it was found by the European Court of Justice (ECJ) in April 2014 to be a gross violation of the fundamental rights to privacy of EU citizens, including those of Italy.

  • Article 1 of Italian copyright law (referred to as the “ICL”) guarantees that all works having a creative character and belonging to literature, music, figurative arts, architecture, theatre or cinematography, whatever their mode or form of expression, are eligible for copyright protection under Italian law.

  • A requirement for copyright protection under Italian law is that the work must be both creative and of an individual nature.

  • An Italian piracy law was enacted in 2014 regarding any website or ISP making a work available without a licence, and by which a rights-holder (or their representative) can file a takedown request. It literally takes 12 days from complaint to removal.

  • Freedom of speech and freedom from censorship are both fundamental human rights protected by the Italian Constitution.

  • Italy has developed an online censorship culture in recent years, including a demand at the end of 2016 by the head of the Italian competition commission that the European Union ‘crackdown’ on what he termed ‘fake news’.

  • A proposed cyberbullying law is considered a draconian method by which to curtail online free speech in Italy.


Canada

  • Canada does not yet require its ISPs to log and retain data on their customers.

  • Canadian privacy activist groups and civil society have been very vigilant in monitoring impending legislation that may impact on the online privacy of Canadians.

  • There are still ongoing concerns that the Canadian government, as well as provincial governments, have been making every effort to enact legislation that would curb online privacy.

  • Bill C-30, the Protecting Children from Internet Predators Act, was proposed legislation that aimed to provide Canadian authorities with wide-ranging powers to monitor and track the online activities of its citizens. ISPs would be forced to keep logs of all their customers, which would have to be immediately handed over to authorities on request.

  • It was further divulged that the Act would be an absolute goldmine for hackers - the Act was eventually shelved due to public outcry.

  • Canada is not immune from government surveillance and potential breaches of online privacy, however, especially by the federal government’s secretive electronic intelligence agency (Communications Security Establishment Canada).

  • Canada has a long and evolving history of copyright law, dating back to the country’s much-amended Copyright Act of 1924.

  • No one can claim copyright over an idea or some fact. They can, however, claim ownership over their particular expression of an idea or statement of fact.

  • New amendments to modernize the Copyright Act for the internet age were added in 2012, with a focus almost entirely on digital copyright issues.

  • The new legislation has been viewed as mostly positive with regard to digital copyright usage, including the right to ‘fair dealing’.

  • Canadian copyright law also protects unique user-generated content, known as the ‘Youtube exception’, which is not restricted to videos only.

  • Canadian courts have been vigorous in their defence of the Canadian Charter of Rights and Freedoms.

  • The Supreme Court of Canada has also expressly recognized the essential role of privacy in a democratic state.

  • However, these laudable constitutional efforts by Canadian courts to defend privacy have been contradicted by incursions into online privacy by the government and its agencies.


Netherlands

  • The Netherlands passed the EU’s Data Retention Directive into law in 2009.

  • This meant that all ISPs in the Netherlands must retain personal data of all customers, including all their web-browsing history and email data, for six months after they leave the ISP’s service.

  • Under the 2009 Dutch law telephone companies were also required to store information about all fixed and mobile phone calls for a year. It also allowed access to data that was not subject to a prior review by a court or independent administrative authority.

  • However, the District Court of The Hague held in March 2015 that the law was unconstitutional. Interestingly, the Dutch court conceded that rendering the law invalid would complicate efforts by the Dutch authorities to fight terrorism, but that even that did not justify such violations of privacy.

  • SPECIAL NOTE: See the Special Note above under Germany with regard to the European Union’s 2006 Data Retention Directive (Directive 2006/24/EC), and how it was found by the European Court of Justice (ECJ) in April 2014 to be a gross violation of the fundamental rights to privacy of EU citizens, including those of the Netherlands.

  • Dutch copyright law is very specific. The Dutch Copyright Act (Auteurswet) grants protection to literary, artistic or scientific works.

  • The Copyright Act does not protect an idea as such, however original it may be. What the Act does is protect only the original expression, or the original application of an idea.

  • The Dutch legislature has taken explicit steps in recent years to protect the fair use of copyrighted material, i.e. to have a more liberal, even ‘relaxed’ view with regard to making certain types of online material free from copyright restrictions.

  • Freedom of speech and freedom from censorship are enshrined rights in the constitution of the Netherlands. This is echoed in the country’s strong freedom of expression record, as per several international surveys.

  • There has been a tendency for the Dutch to prosecute certain types of so-called ‘hate speech’ in recent years, particularly against anti-immigrant views. This has had a chilling effect on freedom of speech.


Sweden

  • Sweden passed the Data Retention Act in 2012, which forces all Swedish ISPs to record user information, such as login times, email logs and websites visited, and store the data for at least six months.

  • ISPs in Sweden are required to archive personal information so that the “data can be transmitted upon request to the competent authorities without undue delay.”

  • In a landmark case, the European Court of Justice (ECJ) delivered a judgment in December 2016 (in a case known as C-203/15, Tele 2, Sverige AB v Post-och Telestyrelsen) whereby it struck down Sweden’s Data Retention Act as being entirely inconsistent with the applicable provisions of the Charter of Fundamental Rights of the European Union. The case arose when the Swedish ISP Tele 2 stopped collecting data on its customers and was found to be in contravention of the Act by the district administrative court. Tele 2 appealed the decision to Sweden’s Administrative Court of Appeal, which in turn referred the case to the ECJ. The ECJ held in its decision that the Swedish law was in contravention of Articles 7 (privacy) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.

  • Sweden possesses very stringent copyright law as enshrined in its Act on Copyright in Literary and Artistic Works of 1960, as amended in 2000.

  • In 2009 Sweden passed the anti-copyright theft directive IPRED into law. IPRED allows copyright holders to force Swedish ISPs, through a court order, to reveal the personal information of users under suspicion of sharing copyrighted files.

  • Sweden’s Supreme Court ruled in 2016 that organisations and individuals do not have the right to post images of public works of art on Wikimedia without the permission of the artist. The court held that even ‘innocent snaps’ of these artworks were a contravention of Swedish copyright law.

  • Sweden is generally regarded as a country with a high degree of freedom of speech and freedom from censorship for its citizens.

  • Freedom of speech has been curtailed due to many caveats upon its use, especially owing to crushing political correctness and the need ‘not to offend’.

  • There has also been an all-out campaign by Swedish authorities against many different forms of so-called ‘hate speech’.


Iceland

  • Iceland has championed itself as being a beacon of Net Neutrality and online privacy for both its citizens and any organizations who take up business domicile in the country.

  • A 2015 parliamentary resolution on Equal Access to the Internet re-defines “data service providers” as “common carriers”, which is believed to be in the spirit of Net Neutrality, whereby access to the Internet is part of all Icelandic citizens’ civil rights.

  • The key legislation on data privacy in Iceland is the Data Protection Act, which is said to be very protective of Icelandic citizens’ online privacy. The Icelandic Data Protection Authority is responsible for the enforcement of the Act.

  • However, Iceland did pass the Electronic Communications Act 81/2003 which implemented data retention requirements. This was claimed to be mandated by Iceland’s inclusion in the European Economic Area (EEA).

  • The Icelandic data retention law applies to telecommunication providers and mandates the retention of records for six months. It does stipulate that companies may only deliver information on telecommunications in criminal cases or on matters of public safety.

  • As a member of the EEA, Iceland accepts jurisdiction of the EEA Court, which includes matters pertaining to intellectual property (IP).

  • Property rights, which include copyrights, are recognized and protected under the Constitution of Iceland.

  • Copyright is protected in Iceland as per the Copyright Act no. 73/1972, as subsequently amended.

  • There have been allegations that the Icelandic government has signalled to police and prosecutors that it wants efforts to be ramped up in order to reduce Internet piracy.

  • Iceland has strong protections for free speech in place, even though libel and insult are criminal offenses subject to fines or a prison sentence of up to one year and which have been criticised for undermining civil liberties and freedom of speech in the country.

  • Iceland’s Althing (parliament) established the country as an information freedom haven in 2010 as part of the Icelandic Modern Media Initiative (IMMI). The concept was to make Iceland a “haven for freedom of information, freedom of expression and of speech.”

  • In particular, it was to make Iceland a safe haven for people with Internet servers and hosting online material that their governments might want to shut down.


Switzerland

  • Switzerland has some of the most draconian data retention laws in all of Europe.

  • In 2015 the two government chambers of Switzerland passed amendments to existing surveillance laws (known as BÜPF and NDG) that granted police vast new snooping powers, which now extend to all forms of communications (inclusive of post, email, phone, text messages and IP addresses) and metadata for a period of 12 months.

  • Those opposed to the law even warned that the legislation as written would allow the monitoring of mobile phones and even the installation of trojans on computers, tablets and mobile phones. Opponents of the law further accuse the law of monitoring everyone, monitoring too much private information, and using ominous technology to do so.

  • There was an almost complete lack of critical scrutiny regarding the curtailment of civil liberties and the like. Furthermore, because Switzerland does not have a constitutional court, there is a very strong chance that the country’s controversial data retention laws could be contested in the European Court of Human Rights.

  • Copyright is protected in Switzerland by the Federal Act on Copyright and Related Rights (CopA) of 1992.

  • Switzerland has often been criticised for its ‘leniency’ regarding certain intellectual property rights, extending to downloads considered for ‘family’ or private use.

  • However, Swiss copyright law does explicitly recognize computer software as ‘literary works’ and the country has a remuneration scheme for the private copying of audio and video works.

  • A Swiss user can knowingly purchase or download pirated audio-visual work from a foreign website and still not be prosecuted by Swiss authorities since Swiss law can only allow for criminal prosecution within the country.

  • Switzerland has a generally high standard of freedom of speech.

  • However, censorship of the politically correct ilk does play a role in the country as Switzerland’s anti-racism laws make it illegal to deny any genocide. Racist or anti-Semitic language or public discourse is also prohibited.

  • The country is famous for its ‘direct democracy,’ whereby citizens are expected to vote in referenda on laws and government policies, so the Swiss tend to be actively involved in the protection of their freedoms.


Australia

  • According to the Australia Data Retention Act (ADRA) of 2015, large amounts of telecommunications metadata must now be kept for two years by Australian telecommunications companies.

  • The Act covers data with regard to who called or texted whom and for how long, as well as the location, volume of data exchanged, information about the device used and any and all email IP data.

  • It also makes it far easier for Australian authorities to access these records.

  • The legislation does only allow for metadata to be included and not the actual content of calls and messages. The law also doesn’t require firms to retain the browsing history of users.

  • Also, whilst Australian ISPs are required to keep detailed records of almost everything about an email or chat conversation (apart from their actual content), foreign messaging platforms such as Gmail, Hotmail, Facebook and Skype are exempt. Internal email and telephone networks, such as those operated within companies and universities, are also exempt.

  • ADRA remains very divisive in Australia, with accusations that the Act provides excessive room for law enforcement agencies to abuse their access to and viewing of consumer data.

  • Australia has strong copyright laws in place. Copyright is fully embodied in the applicable provisions of the Copyright Act of 1968.

  • The Act applies to certain materials, including literary works, dramatic works, musical works, artistic works and other subject matter such as films, sound recordings, broadcasts and published editions.

  • Copyright protection is conferred outright and without prejudice to its owner.

  • Australia is still assessing how to make changes to its copyright laws to accommodate the digital age, with this being done at the behest of the Australian Law Reform Commission (ALRC).

  • Australia does not have a Bill of Rights which guarantees the right of free speech.

  • However, the Australian High Court has ruled that freedom of expression is implied in Australia’s constitution, given that the country was established as a democracy.

  • The country has very strong, even crippling, defamation laws, which can hinder freedom of speech.

  • Australia has also shown a strong tendency to enact censorship laws regarding issues of morality.


Romania

  • Romania enacted Law No. 298, which regulated the retention of data generated or processed by suppliers of electronic communication services and public communications networks.

  • The government attempted to justify the mandatory retention of data by invoking undefined “threats to national security”.

  • However, in 2009 the Constitutional Court of Romania (CCR) declared that these Romanian laws which implemented the EU Data Retention Directive were an unconstitutional violation of Romanian citizens’ rights to privacy and private correspondence.

  • The Romanian government enacted a second version of the data retention law in 2012. However, in 2014 the Constitutional Court of Romania once again declared the data retention legislation (as revised) to be unconstitutional in its entirety.

  • SPECIAL NOTE: See the Special Note above under Germany with regard to the European Union’s 2006 Data Retention Directive (Directive 2006/24/EC), and how it was found by the European Court of Justice (ECJ) in April 2014 to be a gross violation of the fundamental rights to privacy of EU citizens, which would include those of Romania.

  • The Romanian Copyright Office (ORDA) was established in 1996, and the agency promotes and monitors copyright legislation.

  • The downloading of pirated content is very popular in Romania, which means that copyright infringement of music and film is widespread throughout the country.

  • Romania has been cited by intellectual property groups as being ‘soft’ on internet piracy, particularly with regard to Torrent sites, peer-to-peer (P2P) file sharing and business-to-consumer piracy.

  • Many Romanian courts still tend to view copyright piracy as a “victimless crime” and this attitude has resulted in very weak enforcement of copyright law.

  • Romania’s Constitution guarantees freedom from censorship and freedom of expression.

  • A very controversial law was passed by Romania’s Senate in 2015 in which anyone accused of “social defamation” can be subject to penalty.

  • Freedom of speech remains fairly precarious in Romania to this day.


Spain

  • Among EU countries, Spain has some of the strictest legislation on personal data protection.

  • Data privacy for Spaniards is protected by the 1978 Spanish Constitution which provides for the protection of both personal and family privacy.

  • A 2007 Act known as ‘LOPDP’ pertains to the retention of data and is enforceable in many different scenarios relating to digital data retained in Spain.

  • The Agencia Española de Protección de Datos (AEPD) is a data retention enforcement agency with the authority to hear complaints on personal data protection matters and to impose sanctions (i.e. fines) on those who infringe data protection rights.

  • This agency has been very active and responsive to citizens’ complaints and imposed significant fines.

  • A pivotal case was that of Google v Spain as heard by the European Court of Justice (ECJ) in 2012. Known as the ‘right to be forgotten’ case, the ECJ held that European citizens have a right to request that commercial search firms, such as Google, should remove links to private information when asked by a person.

  • The main Spanish legislation is the Copyright Act (CA) of 1996, as reformed in 2014 specifically to take digital copyright matters into due consideration.

  • A copyright owner can file a lawsuit on copyright matters before a commercial court.

  • Article 32.2 of the Act specifically addresses digital use such as the limitation on an author’s economic rights (known as the ‘Google tax’ as inspired by the Google v Spain case; see above).

  • One does not need to register a work for it to be copyrighted in Spain.

  • Spain has a long and very recent history with both dictatorship and domestic terrorism in the form of ETA, the Basque separatist movement. Therefore, Spain has very draconian laws that impede freedom of speech, especially with regard to politically ‘insensitive’ speech.

  • Spanish courts have sent people who supposedly ‘supported’ terrorists on Twitter to jail.

  • Freedom of speech is clearly at constant risk in Spain, since censorship is openly allowed, especially with regard to political speech or speech that may be a ‘threat’ to national security.