Paraguay is debating a new data retention mandate bill, compeling ISPs to keep, for a period of 12 months, the details of who communicates with whom, for how long and from where. It also allows authorities to have access to this historical data with a court order, providing geo-localized information that reveals the whereabouts of Paraguayans across time. This regime strengthens the ability of the Paraguayan government to massively spy on its entire population, thus harming Paraguayan's fundamental freedoms.

How Data Retention Works?

Most ISPs and telcos give subscribers an IP address that changes periodically. Mandatory data retention proposals force ISPs and telecom providers to keep records of their IP address allocations for a certain period of time. This allows law enforcement to ask ISPs and telecom providers to identify an individual on the basis of who had a given IP address at a particular date and time.

Why You Should Care

Government mandated data retention impacts millions of ordinary users compromising online anonymity which is crucial for whistle-blowers, investigators, journalists, and those engaging in political speech. National data retention laws are invasive, costly, and damage the right to privacy and free expression. They compel ISPs and telcos to create large databases of information about who communicates with whom via Internet or phone, the duration of the exchange, and the users’ location. These regimes require that your IP address be collected and retained for every step you make online. Privacy risks increase as these
databases become vulnerable to theft and accidental disclosure. Service providers must absorb the expense of storing and maintaining these large databases and often pass these costs on to consumers.

Which are the risks of mandatory traffic data retention? Mandatory traffic data retention creates an enormous potential for abuse and it ought to be rejected because it is a grave breach of the personal data protection‘s right and people‘s fundamental freedoms. This law initiative promotes the massive surveillance of all peoples, which cannot be tolerated in a country that values freedom and democracy. Also, it affects the confidentiality of communications between doctors and patients, lawyers and clients, journalists and their sources, among other communications that fall under the jurisdiction of the private sphere.

The data retention bill in Paraguay uses vague language that it gives room for applying it to any physical person or entity that offers access to Internet, such as cyber coffees, coffee shops, libraries, or firms that provide their employees with access to Internet at work.

Which are the conditions that restrict access to traffic data? An important question to ask refers to the conditions under which public servers of the Paraguayan government can have access to the stored data. In contrast to other law initiatives, this one does not limit access to stored data only to those cases where there are serious offenses. Instead, it permits data use for any type of offense such as p2p downloads, defamation and any other type of minor.
A related question to ask also is the source of authority that grants access (although it is necessary to have the authorization of a judge-in-charge). The law initiative does not specify whether there should be a certain degree of suspicion or justification that must be met in order to access the data that the judge-in-charge will evaluate. Unfortunately, the law initiative does not adequately limit the traffic data that will be kept. On the contrary, it provides a merely illustrative and non-restrictive list, including IP address, its origin and destination, date and time of connection and disconnection.
The norm specifically excludes the content of communications, creating an artificial distinction between content and metadata. Predictable as it is, this distinction is based on the traditional model of the postal service, which distinguishes between written information on the envelope and the contents of the envelope.

As we explained in a legal analysis and comparative jurisprudence of the International Principles about the Implementation of Human Rights to Communications Surveillance, this old-fashioned distinction is, however, frequently rendered meaningless by modern interception methods; unlike conventional postal mail; for example, the interception of e-mail involves making both the content and the metadata instantly accessible to the agency carrying out the interception.
Moreover, metadata is now stored in digital formats by service providers and can be acquired en masse through production orders in ways that had no postal service equivalent.28 Additionally, there is no “postal” comparator for the significant amount of anonymous online activity that can be linked to an individual when subscriber information is revealed to the state:

These distinctions were adopted as a kind of rough proxy for privacy—the idea that merely knowing who a single envelope went to at a single point of time was not as revealing as the content of the letter. Yet, the increasing wealth of metadata, and the techniques for aggregating and analysing it, means that even “mere metadata” is capable of revealing far more about an individual’s activities or thoughts than was the case thirty or forty years ago. This is due in part to the increasing amount and scope of data collected: In the early 1980s, for instance, when the European Court of Human Rights first heard a complaint about the use of phone metering to collect details of a suspect’s telephone calls, the only information that was recorded was the telephone numbers called and the length of the phone calls. In the present day, state agencies seek to collect not only the identities of the callers, but also their billing data, addresses, credit card details, the make and model of the phones used, and geo-location data of their physical movements. In the case of Internet browsing, a simple URL typed into an Internet browser (which would constitute “metadata” rather than content in certain jurisdictions), can easily be as revealing—and sometimes even more revealing—than the actual content of the webpage. Likewise, identifying the owner of an IP address, mobile device identifier or an email’s IP address, a mobile subscriber identifier (IMSE), or an email address can be highly revealing in an ecosystem where individuals leave their electronic footprints behind in all their digital interactions. In this way, metadata can be a “proxy for content.” In addition, people simply use communications technologies more often today than they did when most communications were via paper letters. Finally, and equally as important, the government’s ability to gather much more of this data, over a longer period of time, and organise this data using modern surveillance techniques allows an intimate portrait of a person’s life to be quickly and easily created from simple metadata.

Corte Interamericana De Derechos Humanos: Escher y Otros vs. Brasil 

Over the question of whether communications metadata is protected by the right to privacy, the Inter American Court for Human Rights has established in Escher v Brasil that content as well as metadata are protected (Read more):

"114. As this Court has indicated previously, ev en though telephone conversations are not expressly mentioned in Article 11 of the Convention, they are a form of communication included within the sphere of the protection of privacy. Article 11 protects conversations using telephone lines installed in private homes or in offices, whether their content is related to the private affairs of the speakers, or to their business or professional activity. Hence, Article 11 applies to telephone conversations irrespective of their content and can even include both the technical operations design ed to record this content by taping it and listening to it, or any other element of the communication process; for example, the destination or origin of the calls that are made , the identity of the speakers, the frequency, time and duration of the calls, aspects that ca n be verified without th e need to record the content of the call by taping the conversati on. In brief, the protection of privacy is manifested in the right that individuals other than those conversing may not illegally obtain information on the content of the telephone conversations or other aspects inherent in the communication process, such as those mentioned".

The Paraguayan Regulatory Framework

People‘s documentary heritage has constitutional status on article 36 of the 1992 National Constitution of Paraguay. The article protects the inviolability of correspondence, a protection that extends to all communications that take place through any means. In article 137, the Constitution also recognizes the international treaties that the Paraguayan state has ratified, reaffirming their legality on human rights.

Moreover, Paraguay has ratified the Pacto de San José de Costa Rica, which protects civil and political rights in its article 11.2, declaring as follows:

“Nobody will be the subject of arbitrary or abusive interference in its private life, family, home or correspondence, nor illegal attacks to its honor or reputation“. Paraguay is also a member of Mercosur, a reason why it must adhere to the Lawyers Code of Ethics for Mercosur, in article 4.2, which says:

“Communications are presumed confidential – the correspondence between lawyer and client cannot be revealed to any third party“

Unfortunately, Paraguay does not have a Personal Data protection law. The law No 1682/2001 only regulates the credit information systems of banks and financial entities. This poses a challenge to the protection of sensible data. In spite of this proposal, Paraguay still has an interesting set of norms that protect civil rights.
Perhaps the debate about this law initiative should be taken to another level. On one hand, the need for a law that will genuinely protect personal data should be introduced. Alongside, Paraguay must uphold its current international human rights obligations: this means that any surveillance measure should abide by the law (to be legal in virtue of international human rights law). Also, it must be “necessary“ to achieve a legitimate aim and proportionate. This requisite is important in order to ensure that the government does not adopt surveillance measures that threaten the foundations of a democratic society. For all of this, it will be good to turn back from a point of no return that will be the mandate of traffic data retention, and as it was already mentioned, the Paraguayan state should uphold its international commitments on human rights. By its very nature, massive surveillance does not carry any kind of direction or selection, much less any type of obligation on the part of the authorities to demonstrate a reasonable suspicion or a viable justification. In consequence, massive surveillance is inevitably disproportionate as a simple matter