This post is the fourth in a series about our new State of Communications Privacy Laws report, a set of questions and answers about privacy and data protection in Argentina, Brazil, Chile, Colombia, Mexico, Paraguay, Panama, Peru, and Spain. The research builds upon work from the Necessary and Proportionate Principles—guidelines for evaluating whether digital surveillance laws are consistent with human rights standards. The series’ first three posts were “A Look-Back and Ahead on Data Protection,” “Latin American Governments Must Commit to Surveillance Transparency,” and "When Law Enforcement Wants Your Private Communications, What Legal Safeguards Are in Place in Latin America and Spain?." This fourth post adds to the third one, providing greater insight on the applicable standards and safeguards regarding communications metadata in Latin America and Spain.
Privacy advocates are working to undo antiquated and artificial distinctions between privacy protections afforded to communications “content” (the words written or spoken) and those provided to “metadata”. Metadata, such as the identification of parties engaged in communication, IP addresses, locations, the time and duration of communications, and device identifiers, can reveal people’s activities, where they live, their relationships, habits, and other details of their lives and everyday routines. As EFF, Article19, and Privacy International stated in PIETRZAK v. Poland before the European Court of Human Rights, “‘metadata’ is just as intrusive as the content of communications and therefore must be given the same level of protection.” Yet domestic privacy laws often treat metadata as less worthy of protection compared to the contents of a communication. Such distinctions were based on artificial analogies to a time when telephone calls used pulse dialing, and personal computers were a rarity.
International human rights courts are starting to become more sophisticated about this. The EU Court of Justice stated:
“that data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives … such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them… In particular, that data provides the means … of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications.”
Similarly, in the case Escher et al v. Brazil, the Inter-American Court of Human Rights recognized that the American Convention on Human Rights applies to both communications content and metadata. The Court has ruled:
… Article 11 applies to telephone conversations irrespective of their content and can even include both the technical operations designed to record this content …, or any other element of the communication process; for example, the destination or origin of the calls that are made, the identity of the speakers, the frequency, time and duration of the calls, aspects that can be verified without the need to record the content of the call …. In brief, the protection of privacy is manifested in the right that individuals other than those conversing may not illegally obtain information on the content of the telephone conversations or other aspects inherent in the communication process, such as those mentioned.
Nevertheless, protecting metadata as much as we protect content is still a major challenge. A good chunk of countries in our updated reports do broadly require a court order for the government to access metadata (for example, Mexico, Chile, Peru, and Spain). Still, others apply this protection to communications content, but not to data that identifies a communication (as in Panama and Paraguay). In Brazil, the level of protection for telephone communications metadata is still contentious, while the need for a warrant is clear for accessing Internet communications related data.
Chile’s Criminal Procedure Code requires telecom companies to retain and disclose to prosecutors the list of authorized IP addresses and connection logs for at least a year. The Criminal Code, which regulates telephone interceptions, doesn't detail the procedure companies should follow to make this metadata available. However, it should abide by the rule requiring prior judicial authorization for all proceedings that affect, deprive, or restrict the constitutional rights of the accused or a third party, established by Article 9 of the same law. Chilean telecom companies show an uneven practice, though. While they usually require a previous judicial order to hand over call records, GTD and VTR don't mention this requirement for other metadata in their law enforcement guidelines. Entel, Claro, WOM, and Telefónica are sharper in providing commitments in this sense. The effect of Derechos Digitales’ ¿Quien Defiende tus Datos? Chile on this commitment cannot be overstated.
What About Subscriber Data?
Subscriber data includes a user’s name, address, and their device’s IMSI or IMEI (user identification numbers). Latam laws generally treat it like “traffic data” or give it less protection. Depending on the jurisdiction, traffic data can include IP addresses, call and message records, or location data. Spain, for example, requires prior judicial authorization for government access to traffic data but has certain legal exceptions for specific subscriber data. In Colombia, a 2008 resolution requires telecom service providers to allow the Directorate of Criminal Investigation of the National Police (Dijín, in Spanish) to make a remote connection to obtain subscribers’ names, home addresses, and mobile numbers. Companies must grant Dijín the ability to carry out individualized “queries” for each subscriber, providing a username and password for this purpose.
In Mexico, Metadata Equals Content
In Mexico, legal rules explicitly give equal protection to data that identifies communications and the content of communications. Law enforcement also needs a prior judicial order to access stored metadata. In a lawsuit filed by R3D.mx, the Mexican Supreme Court ruled in 2016 that metadata is equally protected by the Constitution as the content of communications. Unfortunately, the court did not overturn retention mandates compelling telephone operators and ISPs to retain massive amounts of metadata, as the EU Court of Justice did with the EU Data Retention Directive in 2014. The EU Court ruled that to compel ISPs to retain customer communications data in bulk for up to two years to “prevent” and “detect” serious crimes breached users’ rights to privacy and data protection under Articles 7 and 8 of the EU Charter of Fundamental Rights.
Argentina’s Supreme Court has also ruled that “the communications … and everything that individuals transmit through the pertinent channels are part of the sphere of personal privacy,” and enjoy constitutional privacy protections. However, Telefónica’s transparency report for Argentina casts doubt on whether authorities follow this ruling --giving the impression that metadata is being handed over to authorities without prior judicial order.
As the previous examples show, courts play a pivotal role in applying constitutional and legal safeguards in a manner consistent with the evolving nature of digital communications and the simultaneously in-depth and wide reach of the data they yield. However, a ruling of Paraguay’s Supreme Court in 2010 authorized prosecutors to directly request metadata from telecom companies without a judicial order. This came despite a provision in the Telecommunications Law asserting that the inviolability of communications ensured in the Constitution refers not only to the content itself but also to what indicates the existence of communication, which would cover traffic data. In Panama, it is the country’s extensive Data Retention Law that allows prosecutors to directly request traffic and subscriber data from ISPs. Among other uses, the retained data can enable authorities to identify and track the origin of communications, establish the time, date, and duration of communications as well as the location of the mobile device and the cell where the communication originates.
Location Data Deserves Particular Attention
Location data can reveal intimate details of daily life, including who we see, where we go, when we visit the doctor or a self-help group, and whether we participate in protests or engage in political activity. Many communication services and apps gather our location data on a nearly continuous basis over long periods of time. Our privacy is threatened by government seizure of our location data as much as it is threatened by government seizure of the content of our communications. Despite this, stored location data is usually treated like other metadata (and thus may receive limited legal protection in many jurisdictions).
Specific laws authorizing real-time location tracking are found in Spain, Colombia, Mexico, and Peru. Panama’s Criminal Procedure Code refers to “satellite tracking.” The provisions (except in Colombia) generally require a previous judicial order, while Spain, Mexico, and Peru provide an exception in certain emergency situations. Brazil’s Criminal Procedure Code has a specific rule by which prosecutors and police authorities may request a judicial order to compel telecom companies to reveal the location of victims or suspects of an ongoing human trafficking crime. Yet, if the judge doesn’t decide within 12 hours, authorities are allowed to demand the data directly. This provision is currently under constitutional challenge before Brazil’s Supreme Court.
In Peru, Legislative Decree 1182 grants the country’s specialized police investigation unit power to request from telecom operators access to real-time phone or electronic device location data without a warrant when three requirements are met simultaneously: there is a blatant crime (delito flagrante, in Spanish), the punishment for the crime under investigation is greater than four years of imprisonment, and the access to this information is necessary to the investigation. Judicial review is performed after the police have already accessed the data. The decree requires a judge to review whether the real-time access was legal within 72 hours of the location data being accessed. The process by which device location data is turned over to police has not been made public. Peruvian news reported that, to implement Legislative Decree 1182, the Ministry of the Interior signed a secret protocol with ISPs in October of 2015 for police access to location data. As of 2020, the document remains classified. Seeking to shed at least some light on how the measure is used, Peru’s digital rights group Hiperderecho filed a set of FOIA requests in 2016. The responses have been incomplete and delivered in a way that has revealed few meaningful answers. Peruvians need far more transparency about this location surveillance program.
Reverse Searches: From Locations to Suspects?
A troubling location data investigative practice on the rise relates to backward, or reverse, requests. Rather than starting with a suspect, an account, or a specific identifier (or a few of them), the request aims to search for all active devices within a certain geographic area during a particular period of time. The investigation sweeps in a massive amount of data from the devices of people who happened to be in the area around the time of the crime, regardless of whether they are linked to criminal activity.
Early last year, Chile’s media outlets reported that prosecutors asked telecom companies to turn over all mobile phone numbers connected to towers and base stations near five subway stations in Santiago between 6:00 p.m. and midnight on a particular day. The requests were part of an investigation into disorder sparked by fare hikes that led to an intense period of social unrest and protests. According to information released, prosecutors requested a court to order the search after some of the mobile network companies refused to comply with a direct request.
In Brazil, the Superior Court of Justice (STJ) has upheld a judicial request for Google to turn over data, such as IP addresses, of all users who, during a 15-minute time period on December 2, 2018, passed through a toll gate on an expressway that runs through Rio de Janeiro. On that day, cameras in the toll gate identified the car used in an ambush that killed councilwoman and human rights advocate Marielle Franco, and her driver, Anderson Gomes, in March 2018. The crime has sparked outrage as a dire demonstration of political violence. Suspects in the crime are in custody, but investigations have yet to identify who ordered the attack. The STJ's ruling in August 2020 was followed by Google's appeal to Brazil's Constitutional Court. A thorough examination of necessary and proportionate standards is needed to guard against authorities abusing the court ruling in the future.
In the U.S., reverse searches are often called geofence warrants. In one case involving searches of historical mobile phone location information held by Google, as we’ve noted, the warrants follow a multi-stage process. It starts with compelling Google to provide anonymized location data for all devices that reported their location within a specific area. It ends with prosecutors requiring Google to turn over information identifying Google accounts for specific devices located within the geofence area. Recent U.S. federal magistrate judge opinions have held these warrants violate the U.S. Constitution’s Fourth Amendment probable cause and particularity requirements. Arguments raised in Latin America closely align with the case EFF and others have been making against geofence warrants in the U.S.