With almost two million requests for telecommunication data and more than two thousand requests for Internet data concerning Polish citizens in 2015, it is clear that the access to metadata in Poland by the country’s secret services is still out of control.
Compared to 2014, the Polish Panoptykon Foundation found that the number of requests for telecommunication slightly decreased, while the number of requests for Internet data quadrupled. Secret services are most interested in billing and user information. In 2014, police asked for telecommunication data less frequently than in previous years, but they were much more interested in Internet data that before. As to why, we can only guess. Polish law does not impose control over the secret service activities. However, research has confirmed that data is requested not only in prosecuting serious crime or preventing terrorism, but also minor crimes. The secret services are not obliged to provide full information to the public in what types of cases and for what reasons – statistically speaking – they gain access to such data. As a result, we also don’t know why the numbers are sometimes higher, sometimes lower.
Despite the European Court of Justice (CJEU) ruling in April 2014 and the ruling of Polish Constitutional Tribunal, regulations still give secret services open access to telecommunication and Internet data, without an adequate control mechanism with judicial oversight. Instead of limiting secret services powers regarding accessing data, the new Surveillance Act (which entered into force in February 2016) made the procedure of accessing Internet data even easier. So far requesting Internet data required a written request to the Internet operator. The company could reject it – which was often a case – and in any case had control over what data is obtained by the police. When the new Police Act is fully operational, no active cooperation from the ISP will be necessary– once the planned, so-called “fast and secure connections” between ISPs and police or secret services are established, even bulk transfers of data will be possible without sending a single request.
According to the new law, secret services are due to submit a report to the court every 6 months – which means ex post control instead of the prior consent of court proposed by the CJEU. The report will not include queries for users’ data, which is approximately 40% of all queries. This solutions provides neither transparency nor adequate control over secret services’ activities. Citizens will have to rely on secret services chiefs’ promise that innocent people do not have to worry – which is far from the standards set by the European Court of Justice and Polish Constitution.
The arcticle was originally published on EDRI website, 8 April 2016.