CDT

Business Records by Country


Rules Australia Brazil Canada China France Germany India Israel Italy Japan Korea United Kingdom United States
Location
- ASIO and police may authorize disclosure if deemed “reasonably necessary” Telecom. Act § 174 et seq.
- Unclear
- Warrant generally required but PIPEDA may allow voluntary disclosure.
- Encompassed within laws giving government sweeping powers of access to data.
- May be obtained upon approval of Prime Minister's office for security matters. Telecom operators required to retain traffic data, which includes location data, for one year.
- Available without court order.
- Cell phone providers required to retain location data; available without a warrant; concerns about disclosure to Central Monitoring System.
- May be accessed with permit from magistrate or head of GSS.
- Unclear; may receive protection as “sensitive data” due to the potential to reveal religious, political, and organizational affiliation.
- Personal Information Protection Act limits collection and disclosure of data.
- Standards for government collection unclear. Cell phone location data may be accessed without a warrant. RIPA § 21(4)(a).
- Accessible from carrier with court order, issued on standard lower than warrant, though some uncertainty after US v. Jones.

Travel
- Crimes Act § 32QM gives federal police power to demand disclosure of aircraft or ship passenger data. Passenger data is collected.
- Passenger data must be reported to border control authorities through electronic system.
- Passenger data is collected. All passenger data stored for 5 years
- Ministry of the Interior collects passenger name records on any travel by air, sea or rail to or from non-EU countries (The Anti-Terror Act of 2006). Biometric data is collected from all individuals requesting a visa.
- Does not participate in EU passenger data collection.
- Hotels are required to maintain a separate register for foreigners and submit a copy to the Foreigners Registration Officer.
- Passenger data is collected.
- Records of hotel visits must be automatically reported to the government.
- Passenger records are submitted to the government for a range of administrative use.
- Domestic and international passenger data collected and screened. Immigration Act, § 3(2).
- Passenger data must be transferred to Transportation Security Administration.

Financial
- Australia: Reporting required by Anti-Money Laundering Act.
- Brazil: Generally, financial data can only be obtained with a warrant, when necessary to the investigation of illicit activities. However, the Secrecy of Financial Data Act permits the Brazilian Revenue Service to obtain info from financial institutions absent judicial authorization; challenged in Supreme Court.
- Canada: Transactions over $10,000 must be reported.
- China: Reporting required by money laundering laws, tax laws.
- France: Financial institutions must report suspicious transactions.
- Germany: Suspicious activity reporting required, but apparently no mandatory reporting of transactions over a specified threshold; automatic access to account identifying info for counter-terrorism purposes.
- India: Extensive monitoring and profiling to prevent money laundering.
- Israel: Large transactions must be reported. Money Laundering Law § 7(b).
- Italy: Financial institutions must report to tax office all transactions over €1,500.
- Japan: National Tax Agency gathers financial info; financial institutions requested to report “doubtful transactions.”
- Korea: Financial institutions are required to report any transaction exceeding USD 5,000 when the financial institution has a reasonable ground to suspect that the transaction is related to criminal activity.
- United Kingdom: Financial institutions required to file suspicious activity reports.
- United States: Individual bank records accessible with subpoena for law enforcement, national security letter for intelligence. Financial Privacy Act. Reporting of certain transactions required for AML.

Systematic disclosure demands
- Australia: None known beyond regulatory reporting requirements summarized below (AML, tax, etc); AG guidelines should ensure only particularized access.
- Brazil: The Brazilian Communications Agency has direct access to all telephony metadata from telecommunication providers' databases.
- Canada: Financial & passenger data disclosed; public health reporting required.
- China: Data retention required for ISPs, email, Internet cafes, and online sales; routinely accessed by state security.
- France: None known.
- Germany: Telecom "inventory information."
- India: Widespread access due to vague standards and use of Central Monitoring System.
- Israel: Systematic access to cellular phone subscriber data, including unique identifiers.
- Italy: Systematic access to cellular activation data.
- Japan: Unlikely. Present legal and political atmosphere does not allow systematic access (except for reporting requirements noted).
- Korea: None
- United Kingdom: “Voluntary” data sharing agreements allow widespread government access to data.
- United States: Mandatory reporting of air travel data, cash transactions over certain threshold; press reports of money transfers disclosed under court order.

Use, retention, disclosure limits
- Privacy Act 1988 imposes use and disclosure limits, but agencies consider information ‘fair game’ for later lawful use.
- Statutory limits sparse and vague; may flow from Constitutional right of privacy, but may be overridden by consent in terms of service.
- Limits created by Privacy Act §§ 5-8.
- None.
- None
- BDSG, other laws impose use and disclosure limits.
- None
- Police and GSS immune from liability under Privacy Protection Act.
- Data may only be accessed and used by government entities “in order to discharge their institutional tasks” (Data Protection Code, Art. 18). Collected data may not be used outside of its original purpose. Third party data sharing is forbidden.
- Information obtained is limited in use to the initial purpose of collection (Personal Information Protection Act)
- Data may not be used for a purpose incompatible with original purpose; broad exception for national security; limited exception for police. DPA §§ 28-29.
- Vary by program.

Oversight mechanisms
- Privacy Comm'r (OAIC); AG guidelines for ASIO.
- No DPA; general privacy legislation proposed.
- Privacy Commissioner may investigate, audit.
- None.
- CNIL supervises compliance with privacy law.
- Federal and state data protection commrs have extensive authority.
- Some ineffectual protections in Information Technology Act.
- Israeli Law, Information and Technology Authority (ILITA) active in enforcement.
- Data protection is overseen by the Data Protection Authority (Garande
- Independent DPA to be set up in 2014, pursuant to Number Use Act 2013.
- Information Commissioner monitors for violations of the DPA. DPA §§ 51-54A.
- Agency privacy officers, inspectors general, congressional oversight, Privacy and Civil Liberties Oversight Board.

Redress/due process mechanisms
- Office of Privacy Comm'r investigates complaints and initiates investigations on its own.
- Privacy Commissioner has authority to hear complaints.
- None.
- Target of a search may seek review by the Court of Cassation regarding legality and authorization; exclusionary rule applies, but liability for government officials is unclear
- Improperly collected data cannot be used in criminal trials; civil damages available.
- None
- Civil and criminal liability for violations; security services exempted.
- Complaints may be filed before the Data Protection Authority (Garande) or courts; the Garande is more typically used.
- Right of correction and right of deletion. Personal Information Protection Act, art. 9, 26, 27.
- Individuals may bring civil suit for improper release of information (Protection of Personal Data Act).
- Information Commissioner has authority to hear complaints, conduct audits, issue enforcement notices and "stop now" orders, prosecute criminal violations of privacy.
- Vary by program. Civil action under Privacy Act, sectoral laws. Air transport security program has robust redress process.

Transparency
- Australia: Privacy Act requires transparency; Privacy Comm'r conducts, publishes audits.
- Brazil: Limited.
- Canada: Privacy Commissioner has annual reporting requirement.
- China: None.
- France: CNIL publishes reports.
- Germany: Multiple required reports.
- India: None
- Israel: Israel has system of database registry, other transparency measures.
- Italy: Unclear
- Japan: Reporting under Personal Information Protection Act, art. 53.
- Korea: None
- United Kingdom: Information Commissioner publishes reports.
- United States: Privacy impact assessments for many programs; Federal Register notices.

Automatic disclosure mandates
- Australia: Certain financial transactions, income data, certain educational data, and passenger data.
- Brazil: Financial institutions must report transactions over R$5,000 per month to the Revenue Service and must report suspicious transactions to Ministry of Finance.
- Canada: Financial and passenger data.
- China: Vast amounts of data flow into government databases, including a population database and the Basic Internet Database.
- France: None
- Germany: None.
- India: Disclosure required in banking and health fields
- Israel: Unclear
- Italy: Cell phone activation data, financial transactions, and hotel activity must be automatically disclosed.
- Japan: None.
- Korea: None
- United Kingdom: Financial and passenger data.
- United States: Passenger data, financial data, income automatically disclosed.

Retention mandate
- None, though recently debated.
- None
- Numerous, generally for 60 days.
- Telecom operators required to retain traffic data (including location data, and Internet logs) for one year. Hosting providers required to retain similar logs relating to persons who create or store data using their hosting service.
- 6 month retention mandate struck down by Constitutional Court.
- Banking information stored for 10 years; call detail retention mandate.
- None.
- Traffic data must be retained for 24 months and electronic communications traffic data must be retained for 12 months. (Data Protection Code, Art. 132)
- None.
- Mobile phone service providers, credit card firms and mass transit operators are required to store customers' records for one year (Protection of Communications Secrets Act)
- Communications non-content data must be retained for 1 year. Data Retention Reg. §§ 3-5
- None.

Unmediated access
- Australia: None known.
- Brazil: Brazilian Communications Agency has direct access to telecommunication databases. Federal court ruled that Public Prosecutor could not have unmediated access to subscriber data.
- Canada: None known.
- China: Not clear; generally data seems to be transmitted to gov databases.
- France: None known.
- Germany: None known.
- India: Widespread access through Central Monitoring System.
- Israel: None known.
- Italy: None known.
- Japan: None known.
- Korea: None known.
- United Kingdom: Unclear. Voluntary arrangements leave potential for widespread access.
- United States: Some reports of corporate employees located in government offices to facilitate access.