Ideally, a web server hosting a SecureDrop landing page would not keep any logs, as recommended in the deployment best practices. Unfortunately, there are legal obligations in Europe to keep logs for some time. How long exactly, I’m not sure.
Recent rulings of European courts (see below) acknowledge a conflict between state-imposed data retention and human rights (freedom of expression, right to privacy…). This challenges the transposition of Directive 2006/24/EC, and some member states face legal action from civil society.
Companies hosting web sites may be hesitant to challenge national laws and obey European law instead. However, this may not be relevant for logs regarding the SecureDrop landing page. If visits to this particular page are not logged while all other pages are logged, the hosting company is in compliance. There is no obligation to log each and every page of a web site, nor is there an obligation to log the navigation of every user within the web site.
- DIRECTIVE 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
- 2014 Electronic communications — Directive 2006/24/EC — Publicly available electronic communications services or public communications networks services — Retention of data generated or processed in connection with the provision of such services — Validity — Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union, JUDGMENT OF THE COURT, commented in "Chronique du droit « Post-Snowden » : La CJUE et la CEDH sonnent le glas de la surveillance de masse"
- 2016 Tele2 ECLI:EU:C:2016:970, commented in "L’État de surveillance au régime sec : la CJUE renforce la prohibition de la surveillance “de masse”"