Access to retained data
During 2012, Rodoljub Sabic, the Commissioner for Information of Public Importance and Personal Data Protection (CIPIPD), oversaw the implementation and enforcement of laws on the protection of personal data and electronic communications. His work involved investigating four telecommunications operators: Orion Telekom, Telenor, VIP Mobile and Telekom Serbia. This related inter alia to the legality of the Ministry of Interior (MUP) and secret services accessing user telecommunications data that had been stored by the operators.
On 6 July 2012 the CIPIPD publicly released findings showing that the national authorities had unauthorised, direct access to retained data (metadata) using the previous regulatory framework that allowed them to establish technical links with the systems used by telecommunications operators. The current legal framework requires that authorities submit an official request to the operator, together with a court order. The data released from one operator showed that the relevant authorities submitted only 3,600 official requests for access to retained data from 27 March 2011 until 27 March 2012. On the other hand, in the same period, the authorities approached one operator (Telenor) over 270,000 times. The number of unauthorised access requests is 130 times higher than official requests.
Policy and political background
The legal framework regulating surveillance in Serbia is outdated and imprecise. In addition, some provisions of the relevant laws have been declared unconstitutional. Constitutional safeguards regarding the protection of privacy are very strong. Article 41, Paragraph 2 of the Constitution of the Republic of Serbia prescribes that any restriction on the privacy of communication is only possible temporarily, and is only allowed on the basis of a court decision – if it is necessary for investigating a crime or for the protection of the national security of the country in line with the law.
However, most of the laws regulating access to retained data have been contrary to the safeguards provided by the constitution, and most provisions of these laws have been challenged and repealed in constitutional court proceedings. In addition, in practice, constitutional safeguards are often violated by various authorities and secret services. Although pressure from civil society and independent institutions is strong, there has been no progress in the reform of the legal framework and no changes in the way that secret services operate.
Regulatory cul-de-sac gives security agents free access to databases
As noted above, the CIPIPD supervision over telecom operators revealed that the MUP and secret services have direct access to retained data, and that the access takes place in a manner which is contrary to the constitutional safeguards regarding the privacy of communications. It all started in 2008, when the Republic Agency for Electronic Communications (RATEL) prescribed technical conditions for operators that also determined their obligation to state bodies authorised for electronic surveillance. Technical conditions were adopted according to the provisions of the Law on Telecommunications, which was abolished in 2010 when the new Law on Electronic Communications was enacted. The technical conditions were related to telephony, internet and cable distribution operators, and they were the “legal basis” for establishing the technical link between state authorities and operators. These links enabled state authorities to access retained communications data without any control, and without any evidence that such access is legally based (in accordance with the mentioned constitutional safeguards).
In July 2010, the new Law on Electronic Communications, in line with the European Framework for Electronic Communications 2003, was adopted by the National Assembly. In the public debate over the draft of the law, the CIPIPD and Protector of Citizens (PC) argued that some of the provisions of the law are contrary to the constitutional safeguards regarding the privacy of communications. The provisions in question were related to accessing retained data. The draft prescribed that accessing retained data is “possible for the purpose of conducting investigations, crime detection and criminal proceedings, in accordance with the law regulating criminal proceedings, as well as for the purpose of protecting national and public security of the Republic of Serbia, according to the law which governs the operation of security services of the Republic of Serbia and the operation of the authorities in charge of internal affairs.” Other laws contained problematic provisions that gave the secret services access to retained data even without a court order in exceptional cases.
After the adoption of the Law on Electronic Communications, both independent institutions (the CIPIPD and the PC) launched separate proceedings before the Constitutional Court. The result was that controversial provisions from the Law on Electronic Communications, the Law on the Military Security Agency and Military Intelligence Agency, as well as the Law on Criminal Proceedings, were repealed. The decision of the Constitutional Court meant that access to retained data is possible only on the basis of a court order. For example, before the decision of the Constitutional Court, the Law on Criminal Proceedings prescribed that the police are authorised to obtain telephonic listing data and data regarding the usage of a base station, as well as data on location of a communication, simply upon the order of the Public Prosecutor. After the Constitutional Court decision, the provision was changed in a way that obtaining this data is possible only upon the order of an authorised court (a court dealing with the initial proceedings of a case).
However, without provisions prescribing the manner and conditions of access on the technical level, and with existing technical links to telecommunications operators, there was still a high risk of unauthorised access. Unfortunately, data released by the CIPIPD showed that unauthorised access is common practice among the secret services and other state bodies. Over 270,000 unauthorised data requests for just one operator showed that constitutional safeguards and even legal provisions are not respected. The only basis for direct access is RATEL’s technical conditions, which could not be in force, because they are bylaws adopted according to the Law on Telecommunications that ceased to exist. Somehow they are still applicable because new technical conditions have not been adopted. It is obvious that such a regulatory cul-de-sac creates a situation in which state authorities can access and use the retained data without any control.
After its findings concerning telecommunications operators, on 4 November 2013 the CIPIPD began to investigate internet operators. The supervision is still ongoing, but there is a high level of certainty that similar or even worse results will be revealed regarding the protection of privacy.
The findings of the CIPIPD showed that there is a huge gap between constitutional safeguards and practice. Unauthorised access by state bodies implies that there is no appropriate balance between the legitimate interests of protection of privacy on one side, and investigating crimes and protection of security on the other. The privacy of communication, among other human rights, can be restricted. However, there are standards that should be fulfilled. Any restriction has to be prescribed by the law and must be necessary to protect vital interests of society (e.g. national security). There also has to be proportionality between the imposed restriction and the goal which the restriction intends to achieve, and any restrictions should be the least intrusive on the free exercise of human rights (principle of proportionality). Unfortunately, these conditions are not fulfilled at the moment, and it is clear that something has to be changed.
The current state of affairs is not satisfactory, because there is wide scope for interfering with telecom users, regardless of the type of communications technology they use. As long as state bodies have opportunities to access large amounts of data without any restrictions, such as data about the location of telecommunications devices, and data regarding the destination of communications, or duration of communications, users will be in constant fear that their “everyday” life is monitored by government. The protection of state security is undoubtedly in the interests of every society, but the manner of protection must be in line with human rights standards. This implies the oversight and involvement of as many stakeholders as possible, from state bodies to independent institutions and NGOs dealing with human rights.
In order to improve the privacy of communications, the legal framework should be completely in line with constitutional safeguards. That means that laws which regulate access to retained data should be changed in a manner which provides clear and unambiguous rules about who is authorised to access the data, what their obligations are, and what safeguards exist when it comes to the misuse of data. Second, civil society, state authorities and independent bodies have to initiate a public debate on all aspects of the work of secret services and other state bodies, including their access to retained data. Finally, state bodies which are authorised to access retained data have to adapt so that their work conforms to the principles of transparency, civil control and accountability. Only through such an approach is it possible to achieve mutual understanding between various stakeholders, and only then will it be possible to achieve the appropriate balance between privacy and security.