Data Retention on the Internet – Legal Action by Access to Information Programme in Bulgaria - 2008

Background:

On January 7, 2008, the Regulation # 40 on the categories of data and the procedure under which they would be retained and disclosed by companies providing publicly available electronic communication networks and/or services for the needs of national security and crime investigation was issued by the State Agency on Information Technologies and Communication (SAITC) and the Ministry of Interior (MoI).

On January 29, 2008, the Regulation # 40 was promulgated in the Bulgarian State Gazette.

The Regulation # 40 allegedly puts Bulgarian legislation in conformity with the Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications and amending Directive 2002/58/EC.

Implications:

The Regulation # 40 binds the mobile operators and internet providers to retain data on electronic messages and phone calls:

Under the Regulation, certain operators will have to retain for 12 months data on all mobile phone calls, online calls, e-mails, SMS, even the communications in forums. The data actually does not include the content of the communication or message (though in forums the content is always public), but include information on who spoke or wrote to whom. The retained data will include: name and address of the user or registered user, date and time and duration of the connection. This also includes so-called attempted calls. These data will be accordingly kept and the access will be provided to a directorate within the Ministry of Interior – by default; to the pretrial investigation bodies and to the court – in order to carry out the punitive measures; and to the state security and public order bodies – to ensure national security.

Legal Action:

The adoption of the regulation triggered a massive wave of criticism and rage among the civil society and business community in the country, as it implies serious intrusion in private life and correspondence.

On March 19, 2008, Access to Information Programme (AIP) filed an appeal to the Bulgarian Supreme Administrative Court (SAC) against the Regulation # 40. According to AIP, the adoption of this regulation is in violation of the Constitution of the Republic of Bulgaria, the European Convention on Human Rights, and the European Union legislation.

Arguments in the complaint:
- the adoption of the Regulation # 40 violates the right of private life and correspondence. As set by Art. 32, para. 2 of the Constitution similar provisions shall be introduced by a law – an act issued by the legislative authority. The Regulation, however, represents a secondary legislation document;

- issues regarding the personal data and their technical processing, including retention and access to such data, are regulated by the Personal Data Protection Act. The Electronic Communication Act which entitles the SAITC and the MoI to adopt the Regulation does not contain provisions regarding the personal data. Consequently, the SAITC and the MoI are not authorized to issue a regulation on retention and access to the personal data;

- it is inacceptable that the regime of access to data qualified as personal, which is regulated by the Personal Data Protection Act, the Penal Procedure Code and the Law on Special Surveillance Devices is being changed by a Regulation. The Regulation provides for a “passive access through a computer terminal” of a directorate of the MoI to all retained data, which is a drastic violation of Art. 8 of the European Convention on Human Rights;

- the Regulation is not in compliance with the provisions set forth by the Directive 95/46/ЕC and the Convention # 108 stipulating the processing of personal data and their protection.

A three-member panel of the Supreme Administrative Court rejected the complaint with a decision as of July 17, 2008. According to the court:

- “passive access through a computer terminal” implies provision of access to retained data after the submission of a written request only;
- The Electronic Communication Act which entitles the SAITC and the MoI to adopt the Regulation does not violate itself the Constitution, nor the Art. 8 of the ECHR;
- the fact that the Regulation allows for the retention of data with the purpose of revealing any kind of crimes, opposed to the stated “serious crimes” in the Directive 2006/24/EC, does not increase the scope of the Regulation with regard to the retention of data.
- the Regulation does not oblige for the retention of the content of messages and hence is in line with existing legislation.

AIP appealed the decision of the SAC before a five-member panel.

With a decision as of December 11, 2008, a five-member panel repealed the decision of the lower instance court and Art. 5 of the challenged Regulation. Article 5 provides for a “passive access through a computer terminal” by the Ministry of Interior, as well as access without court permission by security services and other law enforcement bodies, to all retained data by Internet and mobile communication providers. More...