What: 

When Poland implemented the European Data Retention Directive, a law that compelled telecommunications services to retain metadata for a certain period of time, Poland not only opted for the most privacy-intrusive law but in some respects went further than what was permitted by the EU directive. For over five years, Panoptykon fought against its dangerous implementation as well as other laws that allow for non-targeted surveillance.

Who: 

Panoptykon Foundation, Polish digital rights organization

Where: 

Poland

The Surveillance Practice: 

The European Data Retention Directive compels all ISPs and telecommunications service providers operating in Europe to collect and retain a subscriber's incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of six months to two years. This European data retention mandate was introduced in order to increase availability of telecommunication data for the purposes of investigating and prosecuting serious crimes.

All European countries were obliged to implement the Directive into national legislation. The Polish data retention law is graver than the Directive itself. It allows for the use of the retained data by law enforcement and nine intelligence agencies not only for serious crimes, but also for minor ones and crime prevention.

 As a result, both law enforcement and the intelligence agencies can use telecommunication metadata with insufficient limitations and oversight. Because of this flawed legal framework, the official number of requests for telecommunication data in Poland is staggering: almost 2 million per year (versus hundreds of thousands in other EU member states, although these differences may be due to different reporting standards).

Interestingly enough, research carried out by Panoptykon Foundation showed that these official statistics cannot be relied upon because various public entities apply different methodologies. Lack of reliable data makes any effort to increase transparency and accountability of intelligence agencies even more difficult.

 Polish law does not require public entities (law enforcement or any of the nine intelligence agencies) to report how many times and for what purposes they asked for citizens' personal data. This problem affects all types of data and all types of requests: metadata and content, telecommunication, electronic services, banking, and social security data. Public entities aren't obliged to register their requests nor publish their numbers or other details. Only telecommunication operators are required to collect statistics showing how many times they are asked for their clients' personal information.

The Campaign: 

Since 2009, the Panoptykon Foundation has criticized the Polish data retention law as well as other laws providing for non-targeted surveillance and called for their revision. For their campaign, Panoptykon collected hard evidence (statistical data, personal stories) in order to back up their policy claims. They sought out the scope of government requests for citizens' data in order to educate the general public on the severity of the surveillance problem.

Additionally, Panoptykon, in collaboration with other organizations from the European Digital Rights coalition (EDRi), challenged data retention laws all across Europe. EDRi wrote a shadow report when the European Commission published its own official report summarizing the evaluation of how Data Retention Directive was being implemented. Panoptykon referenced EDRi's report as a source of arguments for Poland. The organization used comparative analysis to show that the implementation of the Data Retention Directive in Poland was practically the worst out of all the member states.

Through an organic process, Panoptykon cultivated relationships—in particular with the media—and positioned themselves as experts on the topic. They spoke at conferences and meetings where they knew journalists and decision makers would be.  Panoptykon connected with a journalist who was passionate about their issues and further relayed their message by covering many of their stories. After five years, hundreds of articles had been published about data retention and other aspects and non-targeted surveillance. As a result, more organizations
joined the cause. Panoptykon organized meetings, roundtables and conferences that involved people from all sides of the policy spectrum—including representatives of the intelligence agencies. Through this dialogue, the organization learned about the differing opinions regarding data collection and use for security purposes. This understanding turned out to be necessary to convince prosecutors, judges, intelligence community and decision makers that substantive change is needed.

Their campaign yielded results. In 2011, the Polish Ombudsman brought a few cases to the Constitutional Tribunal, claiming that existing legal provisions were unconstitutional. In particular, it criticized Poland's inadequate legal safeguards for citizens. The case is pending. Similar arguments and recommendations were made by the Supreme Audit Office in 2013. As a result the government is under pressure to revise the existing law and increase its checks and balances.

In 2012 the period of retaining telecommunication data was shortened from 24 to 12 months. 
The revised law also clarified that civil courts cannot use this data (before, telecommunication data were used in, for example, divorce cases). Additionally, the draft law providing for the creation of an external supervisory body is under discussion. While there is still work to be done—with details and modalities still being negotiated—they have come a long way to change the mainstream debate. When Panoptykon started their campaign, data retention was not considered a problem by mainstream commentators and officials. Now even the Polish government and police, secret surveillance, and other important institutions agree there is need for change.

The Strategy: 

Panoptykon worked in coalition with other organizations in order to share knowledge and experiences.

Instead of simply fighting against blanket data retention, Panoptykon identified precise problems with the implementation of the Data Retention Directive that they could challenge. For example, it was a major problem that intelligence agencies and police could use telecommunication data without any external control. The limitations of data usage weren't clear. Furthermore, citizens could not even inquire about whether or not their data was being collected.

Because the topics Panoptykon has been dealing with are quite technical, it is difficult to explain their problem diagnosis and recommendations to the general public. So over the years, Panoptykon learned how to effectively communicate their message and develop precise recommendations. At first, they were too general, which made converting them into the specific language required by policy makers and bureaucratics difficult. To achieve change, Panoptykon's lawyers and activists had to understand how the law enforcement and the legal framework worked in practice in order to sharpen their recommendations.

Lessons Learned: 
  • Strategize outreach and cultivate strong relationships with the media.
  • Use data and evidence to highlight the scale of surveillance and win
people's support.
  • If you are new to a topic, establish a coalition and network of allies who are influential and can help you along the way.