Karl Schembri Government has enacted new regulations that will bind service providers to give the police and security services personal data held by fixed and mobile telephony companies and Internet service providers.
Published as a legal notice under the Data Protection Act, the amendments make it possible for police to request, process and retain location data in their investigation of “serious crimes”.
Such data includes incoming and outgoing telephone numbers, subscribers’ details, Internet protocol addresses, log-in and log-out times of Internet access and email services, and location data identifying the geographic location of mobile phones.
The latter data was the subject of a legal wrangle between mobile phone operators and the police, when both Vodafone and Go Mobile had turned down police detectives’ requests to access location data as part of their investigations into the string of arson attacks on journalists’ residences.
Legal notice 198 even gives the power to police to request personal data orally in urgent cases, stating that service providers have to provide the data “without undue delay”.
Police sources have told MaltaToday that its legal unit already had the power, mandated by the Criminal Code, to ask for this information from service providers. The only type of query that needed a Court’s judicial review – an effective warrant – was if this was a ‘fishing expedition’ that did not focus on a specific investigation or specific individuals under reasonable suspicion.
The new rules also provide for data conservation orders – which force companies to retain data for periods up to two years – in line with the EU’s controversial data retention directive.
The legislation, which the EU says is necessary to help fight terrorism and organised crime, was passed by justice ministers in Brussels to force Internet service providers and fixed-line and mobile operators to keep details of their customers’ communications for up to two years.
But Malta’s rules allow the retention of data for any investigation that constitutes “serious crime” – which is defined as anything that could lead to imprisonment of over one year.
Information including the date, destination and duration of communications will be stored, although the content of such communications will not be recorded.
Critics of data retention law in Europe simply fear that police are gaining access to data which allows them to build a historical databank of information that can literally draw up an electronic map of people’s lives.
“These laws were enacted in order to transpose the provisions of the EU’s Directive 2006/24/EC of the 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, which had to be transposed by Malta by September 2007,” a spokesman for Home Affairs Minister Carmelo Mifsud Bonnici said.
Vodafone Malta said it would assist the authorities in accordance with the timeframes specified in it.
“The legal notice is a transposition of an EU Directive on Data Retention which caters for assistance to law enforcement agencies in serious crimes. It is but a reaction at EU level to combat serious crimes such as terrorism,” Vodafone said.
“We will provide the data only in accordance with the legal requirements and within the remits of the law. Vodafone has clear internal procedures to vet such requests from law enforcement agencies and to ensure that the requests are in accordance with the law and only impinge on customers’ personal data to the minimum extent possible, and strictly in those areas which are allowed by law specifically.”
A spokesman for Go confirmed the company will be retaining data and making it available to the police in cases of serious crimes.
“Regarding the reassurances to our subscribers kindly note that Go will only process subscribers’ data in line with the applicable legislation,” the spokesman said.
Arson case
Last year, Go and Vodafone won an appeal in the court of Judge Philip Sciberras, when they resisted the disclosure of their clients’ location data to the police in the investigations of arson attacks.
Citing data protection regulations, the two operators refused to hand over the data to the police despite a ruling to do so by the Data Protection Commissioner, which was also confirmed by the data protection Appeals Tribunal.
The information requested by the police would reveal the numbers of all subscribers who had their mobile sets in the vicinity of the arson attacks, as captured at the time by the mobile operators’ antennae, also called repeaters.
The police had made specific requests by location and timeframes surrounding the individual attacks in a bid to trace the users in the vicinity and match them with other evidence, including closed circuit camera footage.
But the police’s request, for location data of mobile calls and text messages over a wide area that included Msida, Pembroke, B’Kara, Sliema, Marsaskala, Naxxar, Bidnija, Mgarr, Burmarrad and Dwejra, could never respect the narrow disclosure requirements found in European law according to Judge Philip Sciberras, who presided the Appeals Court in the case lodged by Vodafone against the Data Protection Commissioner in 2007.
Even the Data Protection Commission and its appeals tribunal conceded that the information requested would disclose “a very high volume of personal data of persons who are completely unconnected with the investigations” and that “the police authorities have no ‘carte blanche’ to ask Vodafone and Go Mobile or any other service provider, information regarding data subjects in a general and most ample manner covering a particular geographical area for any alleged crime committed.”
The late Data Protection Commissioner Paul Mifsud Cremona had defended his ruling to hand the data to police, arguing the arson cases “verged on terrorist attacks”.
“I gave the go ahead to the mobile telephone companies to provide the information after I made sure that the risks against individual privacy were outweighed by the seriousness of the crimes,” Mifsud Cremona had said. “However I established a whole set of safeguards, especially that any information retrieved has to match the police investigations, the information has to be used exclusively in relation to this case, and that the data cannot be stored.”
The two telephony companies had argued however that the police requests were “blanket requests” that would effectively put all the mobile subscribers within the location of the arsons under suspicion – a claim to which the Data Protection Commissioner replied that police would anyway investigate and query all people on location in investigations even before they have reasonable suspicion in individuals.
Go’s spokesman said the requests contested in last year’s court judgement and the merits of the case were not related to the remit of the new law.
A spokesman for Vodafone said the legal notice was distinct from last year’s judgement in that the new law caters for the types of data which need to be stored by electronic communications operators and which may be requested by law enforcement agencies only in cases of serious crimes.
“There has been an extensive consultation process led by the Data Protection Commissioner’s office including all stakeholders, and Vodafone has had the opportunity to provide its input during this process. The distinction between the legal notice and the judgment lies in the fact that the legal notice ties the request to a suspect whilst the case brought forward by Go and Vodafone related to data privacy principles and the lack of proportionality exercised by the police when requesting excessive amounts of information relating to location data which could have also involved individuals who would have had nothing to do whatsoever with the alleged crimes,” the Vodafone spokesperson said.
But data protection expert Antonio Ghio said that had the law been in place when the police requested data in connection with the arsons investigations, the outcome would have been different.
“This proves that the decision of the data protection tribunal and the appeals tribunal were right,” Ghio said, adding that there are other regulations stating specifically that data that is not relevant to a specific investigation would have to be discarded.
“The police are still bound by other regulations in their treatment of personal data, so the checks and balances are still there,” Ghio said. “Essentially this means that the police are forbidden from establishing a super database and from going on fishing expeditions to find incriminating evidence.”
The minister’s spokesman said: “Since the Regulations are enacted under the Data Protection Act, they fall within the remit of the functions of the Data Protection Commissioner. By virtue of the Act, the Commissioner has the function of exercising control and, either of his own motion or at the request of a data subject, verify whether the processing is carried on in accordance with the provisions of the Act or Regulations made thereunder. Besides, in order to avoid any possible problems of interpretation and to establish the manner in which the Police, the Security Service and the service providers will manage requests and obligations, these entities are currently in the process of finalising and signing memoranda of understanding that should guide them in the implementation of this legislation.”
Telephony, fixed and mobile: Numbers, name and address of subscribers, numbers dialled or called, calls forwarded, the date and time of the start and end of the communication, the telephone service used, the international mobile equipment and subscriber identities of both caller and called parties, and data identifying the location of mobile telephones.
Internet: Used ID, telephone number allocated to the communication, name and address of IP address subscriber, user ID of internet telephonic caller and recipients, log-in and log-off times, IP addresses, log-in and log-off times for e-mail services, the internet service used, and calling telephone numbers for dial-up access.
Any comments?
If you wish your comments to be published in our Letters pages please click button below. Please write a contact number and a postal address where you may be contacted.