Framework of Standards by Country

Standard Australia Brazil Canada China France Germany India Israel Italy Japan Korea United Kingdom United States
ConstitutionalNonePrivacy is constitutionally protected. Art. 5, Items X, XI, and XII.Privacy constitutionally protected. Charter of Rights § 7, 8.Privacy of correspondence nominally protected. Const. art. 40.Constitutional norms exist but traditionally are not legally enforceable.Privacy constitutionally protected. Basic Law, art. 10.Privacy construed to be part of fundamental right to "life and personal liberty" under Const. art. 21.Privacy is constitutionally protected; security exception. Basic Law § 7.Privacy not explicitly protected, but inferred from certain protections and general rights set forth in the Constitution.Communications privacy expressly protected by Const. art. 21, broader privacy right inferred from Const. Art. 13.Privacy constitutionally protected. Art. 17 and 18.The U.K. lacks a written constitution.Privacy is a right inferred from the Constitution. Const. amend. IV.
StatutoryTelecom (Intercept and Access Act), ASIO Act.The Wiretapping Act, Brazilian Federal Act 9296 / 1996Criminal Code, Nat'l Defence Act and CSIS Act.State Security Law, art. 11 and 18.Law n° 91-646.Standards laid out in Telecom. Act and G-10 Act.Currently no umbrella privacy statute.Wiretap Act, Teleco. Act, GSS Act.Data Protection Code (Legislative Decree no. 196 of 30 June 2003)Personal Information Protection Act, Communications Interception Act.Communication Privacy Act; Personal Info Protection Act.Standards provided by RIPA. Some protections in DPA. Standards provided by the Wiretap Act, ECPA and FISA
Law Enforcement vs. National SecuritySubject to distinct requirements.The Constitution only authorizes interception of communications for the purpose of investigating crimes, and the Brazilian Intelligence Agency does not have surveillance powers. Subject to distinct requirements.No meaningful separation. Neither subject to meaningful restrictions.Distinct requirements; judicial approval is required for electronic surveillance for law enforcement purposes, but is not always required for national security purposes. Express legal separation rule; “Trennungsgebot.”No clear distinctionSubject to distinct requirements.The Data Protection Code sets different standards for administrative, law enforcement, and national security activity.Security forces have few powers.Subject to distinct requirements.Same standards apply; intercepted communications excluded from court proceedingsExpress legal separation, though increased information sharing.
Distinction between content and non-contentCommunications data has a lower threshold for access. Telecom Act § 110.Police can obtain subscriber identifying data without a warrant, but court has held that such info is protected by Const., requiring warrant.Unclear; Crim. Code does not expressly address collection of traffic data.Widespread access makes the distinction irrelevantContent is subject to greater protections.No, though both protected by the same high standard. NoNon-content data is subject to lesser protectionsGreater protection is given to “sensitive data.”UnclearTransactional data – including call records and Internet log records - is not considered to be “personal information.”Non-content data is subject to lesser protections. RIPA § 21-22.Yes. Telephony non-content data accessible with subpoena; Internet transactional data only with court order (but less than a warrant).
Tech neutral (Same standards voice vs data; analog vs. digital)Interception standard is tech. neutral. Telecom. Act § 5.Interception standards apply to telephone and digital communications.Interception standard is tech. neutral. Crim. Code §184(1).Standards differ depending on medium of transmissionYes; applies to any form of “interception of communication.”Employs a “layer model” which is not tech. neutralStandard for access is tech. neutral. Crim. Proc. § 91.Standard for access is tech neutralDifferent standards apply to monitoring different locations, such as a home compared to a car.Unique standards apply to certain forms of data, such as DNA.Standard for access is tech neutral. Standard for access is tech neutral.Standard for access is tech. neutral.Standards for law enforcement are tech neutral, but distinguish between access in real-time versus stored. National security standards generally the same for stored and real-time, but vary for radio.
Stored (cloud) data – different std (third party doctrine)Separate provisions for stored vs. real-time access.Issue currently unresolved by the Supreme Federal Court.Cloud data may lose reasonable expectation of privacy.Cloud data subject to greater protectionsCommunications are only protected from direct “interception” by government.Third party access does not destroy an expectation of privacy.UnclearUnclearUnclearUnclearTelecommunication service providers must obtain consent from the data subject before providing personal information to a third party, including government, absent a warrant (Telecommunication Business Act)Cloud data may be “voluntarily” shared with gov.; additional consent not req. DPA §§ 28-29.In general, no reasonable expectation of privacy in information held by 3rd parties; but one appellate court has held that stored content is constitutionally protected.
Use, retention, disclosure limitsData must be destroyed when no longer required. Telecom. Act § 14.No clear use limitations exist. Information not used over the course of an investigation must be destroyed.Complex limits created by Privacy Act.NoneVague provisions exist regarding the sealing and destruction of previously intercepted communications.Use must be necessary to the purpose for which the data were collected. BDSG §15(1).NoneLimits on use and disclosure, exemption for security. Privacy Protection Act §2(b)Data may only be accessed and used by government entities “in order to discharge their institutional tasks” (Data Protection Code, Art. 18).Strict usage limits; innocent conversations must be deleted within 30 days.Communications surveillance may only occur for 2 months for law enforcement purposes.Intercepted communications may not be used in legal proceedings. RIPA § 17.Disclosure limited to “proper performance of … official duties.” 18 USC §2517(1).
Oversight mechanismsReports to and by the Minister; intelligence surveillance reviewed annually. ASIO Guidance, para 11.1.National Counsel of Justice established procedures limiting wiretaps.Privacy Commissioner may investigate, audit. Minister of Public Safety annual report.NoneIndependent Commision on Security Interceptions oversees national security wiretaps.The G-10 Commission must approve certain surveillance. Parliamentary Control Panel publishes an annual reportSome ineffectual protections in Information Technology Act.Numerous reporting requirements to the Attorney-General.Data protection is overseen by the Data Protection Authority (Garande). Electronic interceptions must be authorized by judicial authorities. Communications Interception Act requires annual disclosures of the number of interceptionsThe Ministry of Information and Communications operates a wiretap complaint center.Intercept Communications Commissioner reports to Investigatory Powers Tribunal. RIPA §§ 57-70.Warrants require judicial approval; Congressional oversight of Nat. Sec. surveillance.
Design mandatesYes.The Wiretapping Act permits police to request telephone companies provide the necessary technical services and personnel to perform the wiretapping. None, though proposed.Yes.ISPs required to collect and store identification and log data of users.Yes.Crypto-key escrow required. Info. Tech. Act § 69(3)(b).Equipment must support surveillance tech. Telecom. Act § 13.Unclear.NoneNoneTeleco. equipment must support surveillance tech. RIPA § 12(1).Equipment must support surveillance. 47 USC § 1001-1021.
Retention mandatesNone, though mandate proposed.NoneNone, though proposed.60 days for most dataTelecommunications operators are required to retain traffic data (including location data, and Internet logs ) for one year. Hosting providers are required to retain similar logs relating to persons who create or store data using their hosting service6 month retention law held unconstitutional.Vague retention mandates exist with length unclear. Info. Tech Act §67C.Retention is allowed only for a “reasonable period of time.”Traffic data must be retained by the provider for 24 months and electronic communications traffic data must be retained for 12 months. Data Protection Code, Art. 132.NoneMobile phone service providers, credit card firms and mass transit operators are required to store customer’ records for one year (Protection of Communications Secrets Act)Communications non-content data must be retained for 1 year. Data Retention Reg. §§ 3-5None
Unmediated accessMember of 5 Eyes/ECHELON network; may have direct access to international radio or cable comms.Brazilian Communications Agency has direct access to telecommunication databases.Member of 5 Eyes/ECHELON network; may have direct access to international radio or cable communications.Almost certainly has unmediated access.Surveillance of international radiowaves.Limited access to teleco. subscriber information.Widespread access through Central Monitoring System.UnclearUnclear.None known.None known.See Snowden leaksSee Snowden leaks