Current Status: The Polish mandatory data retention law was fast-tracked through the legislative process without public debate in 2009. Polish law goes even beyond what is permitted in the European Data Retention Directive. The law allows authorities to use retained data for both general crime prevention purposes and civil cases, covering a broad range of purposes including petty civil offenses and minor criminal investigations. Various Polish authorities, from law enforcement to intelligence agencies, can access the retained data without independent oversight and at no cost. Instead of authorization from an independent judge, the law permits access to the data through a simple written or oral request authorized by the head of the Central Anticorruption Bureau, the Polish intelligence agency on anticorruption.
Polish law enforcement agencies have no obligation to inform citizens that their privacy has been compromised. However, telcos and ISPs are legally obliged to report annually to the Polish government the total number of requests received from law enforcement agencies. Using this provision, the Polish digital civil rights group Panoptykon Foundation was able to acquire incomplete statistics on government authority access to the retained data. The data does not indicate how often and for what purposes the information was accessed, making it impossible to assess whether the Directive can be justified.
Public Discussion: A preliminary challenge to the national implementation of the European Data Retention Directive has been filed in Poland. Panoptykon and several other Polish groups continue to fight against Polish data retention mandates. Due to public pressure and increased media scrutiny, the Polish government announced a set of amendments to the law in 2011. This discussion was temporarily suspended after the 2011 Polish elections, but the public debate continues. Panoptykon Foundation’s Executive Director Katarzyna Szymielewicz argues that Poland’s implementation of the Data Retention Directive is one of the worst in Europe with regard to privacy and transparency. The Panoptykon Foundation has published disturbing information about abuses of Poland’s mandatory data retention law. Using a Freedom of Information Act request, Panoptykon obtained documents that reveal that in 2011, Polish authorities requested users’ traffic data retained by telcos and ISPs over 1.85 million times—half a million times more than in 2010.
According to the Google Transparency Report, from January to June 2011 Google received 266 requests from Polish authorities to hand over Google users’ data. Of these, Google deemed fewer than 11% to be compliant with domestic laws. This is a far lower rate than in most European countries, making Poland second only to Hungary as the country with the highest percentage of flawed government access requests. EDRI reported that two major intelligence agencies in Poland used retained traffic and subscriber data to illegally disclose journalistic sources without any judicial oversight.
Polish media reported two major cases where intelligence agencies used retained traffic and subscriber data to illegally disclose journalistic sources. For the first time, one of the affected journalists—Bogdan Wroblewski—has sued the Polish Central Anticorruption Bureau in a civil court to fight for his rights. Panoptykon intervened in the case arguing against the overbroad competence of the Polish Bureau. Wroblewski may have become a subject of interest to the Bureau after the publication of his articles describing the Bureau's activities.