Governments and online privacy: Who are the worst offenders?

In this article we take a quick look at the track records of western democratic governments when it comes to online privacy and data retention, rounding up the three best cases and the three worst cases. Obviously this isn’t a comprehensive list and you may (read: probably will!) disagree with our entries - so why not let us know what you think in the comments below?

The good (relatively)


Germany

Germany has generally been good at resisting EU legislation that impacts on its citizens’ privacy, and the Germans have shown themselves to be quite active in protesting anti-privacy legislation. Germany is still refusing to implement the EU’s Data Retention Directive over privacy concerns and may suffer disciplinary action because of it. Germany played a big role in defeating ACTA, after widespread protests throughout the country. The German government also famously forced Google to allow its citizens to opt out of Google Street View – although this eventually resulted in Google opting out of expanding the service in the country.


United States

It’s no secret that the US government has been the source of many pieces of controversial legislation that would negatively impact online privacy if implemented (think SOPA, PIPA and CISPA). However, as it stands, you may be surprised to hear the US is better than many other western countries when it comes to online privacy. There are no state-mandated data retention laws in the US, as there are in Europe. Rather, ISPs are free to set their own data retention policies. And while SOPA and PIPA were frightening, they were ultimately defeated after popular protest saw political opposition grow across both the Democratic and Republican parties. However, whether or not the status quo in the US will survive for much longer is another matter entirely.


Canada

Like the US, Canada does not require ISPs to retain data on its users. The Canadian government does require ISPs to track individual users and retain data, but only if a court order has been issued (there are reports suggesting law enforcement often circumvents this requirement). Canadians can also take heart over what happened to the ‘Protecting Children From Internet Predators Act’. PCIPA began life as a pretty nasty piece of legislation, zealous in its protection of copyright, which would have had dire consequences for online privacy. But popular protest actually forced the Canadian government to take a scalpel to the act and carve out a much more reasonable and even-handed law. It’s still not perfect, but it’s a good example of governments and activists reaching a compromise.

The bad

United Kingdom

The UK government wasted no time signing up to the EU’s Data Retention Directive and currently requires all ISPs to retain the personal data of their customers for at least one year after you cancel your subscription. Your data must be handed over to police if they have a court order. There are over 200 agencies in the UK that are authorised to access your personal data, and in 2009 there were over 1,700 requests for court orders to intercept communications data. The UK government recently announced its plans to introduce a new bill dubbed the Communications Capabilities Development Programme (CCDP), which intends to give UK law enforcement enhanced powers to monitor your web browsing without the need for judicial oversight. Given the lack of political opposition to the CCDP, it seems likely that the bill will pass.


France

As with the UK and other EU countries, France requires all ISPs to retain your data for at least one year after you cancel your subscription. But while EU countries such as Germany and Romania have fought the Data Retention Act, the French government has actually taken it one step further with the ‘Legal Regime for E-Commerce Trust’ directive. This directive requires that all internet access and hosting providers – i.e. any internet-based service, such as e-commerce companies and social networks – must retain financial transaction details, data logs, usernames, passwords, pseudonyms, email addresses and phone numbers of users. France requires these companies to then share this information with government agencies at their request. High-profile web companies such as Facebook, eBay and Google are currently trying to petition the French government to repeal the law.


Sweden

The Swedish government initially resisted implementing the EU’s Data Retention Directive due to privacy concerns. However, in March 2012 it caved to the pressure, opting for the lesser retention period of 6 months. Beyond that, Sweden has come under fire from privacy campaigners due to the FRA law it passed in 2008. This legislation, brought in under terrorism concerns, requires around 20 surveillance hubs to be installed around the country, monitoring all traffic that comes in and out of Sweden. In 2010 the project ran into technical difficulties, as well as pressure from activist groups, but it’s unclear whether it’s still being carried out (I’ve not been able to uncover any info post 2010, so if anyone reading knows more let us know in the comments). Following Sweden’s IPRED legislation, which requires ISPs to reveal the personal info of file sharers, a number of news outlets have reported a spike in Swedish VPN usage.
