European Data Retention Directive At Work: Polish Authorities Abuse Access to Users' Data
The Polish digital civil rights group Panoptykon Foundation recently published harrowing findings regarding abuses of Poland’s mandatory data retention law. Using a Freedom of Information Act request, Panoptykon obtained documents that reveal that in 2011, Polish authorities requested users’ traffic data retained by telcos and ISPs over 1.85 million times—half a million times more than in 2010. These findings underscore fundamental flaws in the Polish mandatory data retention law that was fast-tracked in legislation without public debate in 2009.
The law allows authorities to use the retained data in an almost limitless range of scenarios, including petty civil offenses and minor criminal investigations. Moreover, Polish authorities—ranging from law enforcement to intelligence agencies—can access the retained data without independent oversight and at no cost. Rather than require authorization from an independent judge, the law permits access to the data through a simple written or oral request authorized by the head of the Central Anticorruption Bureau, the Polish intelligence agency on anticorruption.
In addition, law enforcement agencies have no obligation to inform citizens that their privacy has been compromised. Under the law, though, telcos and ISPs are obliged to report annually to the Polish government the total number of requests received from law enforcement agencies. Using this provision, Panoptykon was able to acquire useful but ultimately incomplete statistics on government authority access to the retained data. Notably, the data doesn't indicate how often and for what purposes the data was accessed, making it impossible to assess whether this privacy-invasive law can be justified at all. Interestingly, the problem of excessive, flawed government requests seems to extend beyond the data retained by telcos and ISPs.
As in Poland, people everywhere constantly rely on mobile companies and cloud services to communicate and to store their most precious information on the network. We leave digital footprints at every moment that reveal the most sensitive information about our daily lives. As a result, governments are increasingly interested in accessing this vast amount of information. This seems to be the case in Poland. According to the Google Transparency Report, in the period January-June 2011 Google received 266 requests from Polish authorities to hand over Google users’ data. Of these, Google deemed less than 11% to be compliant with domestic laws. This is a far lower rate than in most European countries, making Poland second only to Hungary as the country with the highest percentage of flawed government access requests.
To add insult to injury, Polish media reported two major cases where intelligence agencies used retained traffic and subscriber data to illegally disclose journalistic sources. For the first time, one of the affected journalists—Bogdan Wroblewski—has sued the Polish Central Anticorruption Bureau in a civil court to fight for his rights. Panoptykon intervened in the case, arguing against the overbroad competence of the Polish Bureau. Wroblewski may have become a subject of interest to the Bureau after the publication of his articles describing the Bureau's activities. The next hearing will be held on April 12, 2012 in Warsaw.
For two years, Panoptykon and several other Polish groups have tirelessly fought against data retention mandates in Poland. Due to public pressure and increased media scrutiny, the Polish government announced last year a set of amendments to the law. The Polish discussion is currently “in pause” after last year’s Polish elections, but the public debate continues.
European Data Retention Directive
The Polish law originated as the misshapen offspring of the 2006 European Data Retention Directive. The highly controversial Directive obliged European Member States to adopt legislation to compel all ISPs and telcos operating in Europe to retain subscribers’ incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of 6 months to 2 years.
Panoptykon Foundation’s Executive Director Katarzyna Szymielewicz argues that Poland’s implementation of the Data Retention Directive is one of the worst in Europe with regard to privacy and transparency:
Polish data retention law goes even beyond what is permitted in the European Data Retention Directive. The retained data can be used for both general crime prevention purposes and civil cases. It therefore comes as no surprise that the number of government data requests operators receive has been constantly increasing. The situation will not get better unless we change the law.
Currently the European Commission is carrying out an impact assessment of the Directive, and has announced its intention to propose a revision of this infamous instrument. For now, the Commission has failed to demonstrate that this legislation is necessary and proportionate. Under the EU Charter on Fundamental Rights, the Directive will only be legal if both requirements are met. These requirements are important to ensure that Member States do not adopt severe legislative measures to address a problem that could otherwise be solved in a way that is less harmful to civil liberties. While the Commission is responsible for evaluating the Directive's compliance with EU law based on evidence, it has continued to blindly support the Directive.
EFF, Panoptykon, and 27 other NGOs are members of European Digital Rights (EDRI), a Brussels-based NGO fighting to repeal the European requirements regarding data retention in favor of a system of expedited preservation and targeted collection of traffic data. EDRI states:
The lack of data from the Member States has driven the Commission into the worst possible position, with no hope of support from Member States to repeal the Directive, no hope of data from the Member States to prove that data retention is necessary (because no such data appear to exist) and no legally defensible possibility to maintain the Directive as it is… The time has come for the Member States to either provide the data to prove their claim regarding the Data Retention Directive or for the Commissioner to take the only legal option available to her, to stand up to the Member States and the repeal of the Directive.
EFF supports EDRI’s call in urging the Commission to overturn this disproportionate mass surveillance legislation. This step would stop the ongoing violation of 500 million innocent Europeans, and prevent Member States such as Poland from using the Directive to legally justify this irrational massive collection and overbroad use of people's data.