Peru Adopts Data Retention Decree: Declares Location Data No Longer Protected
The Peruvian President today adopted a legislative decree that will grant the police warrantless access to real time user location data on a 24/7 basis. But that’s not the worst part of the decree: it compels telecom providers to retain, for one year, data on who communicates with whom, for how long, and from where. It also allows the authorities access to the data in real time and online after seven days of the delivery of the court order. Moreover, it compels telecom providers to continue to retain the data for 24 more months in electronic storage. Adding insult to injury, the decree expressly states that location data is excluded from the privacy of communication guaranteed by the Peruvian Constitution.
The decree was adopted with no public consultation by the Executive Branch on the basis of a mandate from the Peruvian Congress to legislate on general public safety and the fight against crime. Moreover, the decree was adopted one day before the celebrations of Peru's independence, a set of holidays that coincides with vacation for most local schools and businesses.
“This law makes one clear mistake: assuming that geolocalization data from cellphones is not protected by the privacy safeguards under the Peruvian Constitution. Following that line of reasoning, the government lifts any kind of protection for this data and gives unfettered access to it to the police and mandates ISPs to retain communications data for up to three years. Any policy like that is controversial in itself, but the fact that it was directly approved by the Executive Branch without prior debate and in the middle of national holiday season is especially undemocratic.”
The decree has significant potential for abuse of its new powers. It ignores the fact that most cellular phones today constantly transmit detailed location data about every individual to their carriers, and that all this location data is housed in one place—with the telecommunications service provider. The police will have access to more precise, more comprehensive and more pervasive data than would ever have been possible with the use of the interception of the content of communications. The Peruvian government should have been more sensitive to the fact that mobile companies are now recording detailed footprints of our daily lives.
International human rights standards
By stating that location data is excluded from guarantees in the Peruvian Constitution of the privacy of communications, the decree contradicts international human rights standards:
On the question of whether communications metadata is protected by the right to privacy, the Inter-American Court of Human Rights decision in Escher v. Brasil makes clear that both content and metadata are protected:
“[The right to privacy] applies to telephone conversations irrespective of their content and can even include both the technical operations designed to record this content by taping it and listening to it, or any other element of the communication process; for example, the destination or origin of the calls that are made, the identity of the speakers, the frequency, time and duration of the calls, aspects that can be verified without the need to record the content of the call by taping the conversation. In brief, the protection of privacy is manifested in the right that individuals other than those conversing may not illegally obtain information on the content of the telephone conversations or other aspects inherent in the communication process, such as those mentioned.”
Moreover, the 2014 UN High Commissioner on Human Rights report (A/HRC/27/37) on the right to privacy in the digital age emphasized:
“19. [...] it has been suggested that the interception or collection of data about a communication, as opposed to the content of the communication, does not on its own constitute an interference with privacy. From the perspective of the right to privacy, this distinction is not persuasive. The aggregation of information commonly referred to as “metadata” may give an insight into an individual’s behaviour, social relationships, private preferences and identity that go beyond even that conveyed by accessing the content of a private communication. [...]
“20. It follows that any capture of communications data is potentially an interference with privacy and, further, that the collection and retention of communications data amounts to an interference with privacy whether or not those data are subsequently consulted or used. Even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights, including those to free expression and association. The very existence of a mass surveillance programme thus creates an interference with privacy.”
Policy makers must understand that the adoption of broad surveillance powers without adequate safeguards undermines the privacy and security of citizens, and is therefore incompatible with their international human rights obligations. For any surveillance measure to be legal under international human rights law, it must be prescribed by law. It must be “necessary” to achieve a legitimate aim and “proportionate” to the desired aim. This requirement is important to ensure that the government does not adopt surveillance measures that threaten the foundations of a democratic society.
The thirteen Necessary and Proportionate Principles in particular, and international human rights law more generally, are premised on the assumption that interferences with fundamental rights must be dealt with on a case-by-case basis. In this context, data retention mandates for innocent individuals, by their very nature, eradicate any consideration of proportionality and due process in favor of the indiscriminate interference with the right to privacy—and could not be compatible with States’ human rights obligations. Peru must turn back from the dead-end path of data retention mandates, and uphold its international human rights obligations.
What Location Tracking Looks Like
In the meantime, Peruvian citizens should consider requesting access to their own personal data retained by their mobile company in accordance with Peruvian Data Protection Law. In Germany, the politician and privacy advocate Malte Spitz used a similar local data protection law—which, like laws in many European countries, gives individuals a right to know what kinds of data private companies retain about them—to force his cell phone carrier to reveal what records it had on him. He received 35,831 different facts about his cell phone use over the course of six months, revealing vast amounts of personal information. To demonstrate just how intrusive this data is, Spitz chose to make it all available to the public. Watch this remarkable interactive map of Spitz’s location information if you haven’t done so already.
It is time to educate all of our legislators and the general public that sensitive data warrants strong legal protections, not an all-access pass. We hope Peruvian human rights advocates evaluate all necessary legal options for challenging the legality of the measure. EFF will continue to report on mobile and online surveillance in Peru, and delve into the decree in more depth in the days to come.
More information in Spanish: Nueva norma permite a la Policía saber dónde está cualquier persona sin orden judicial