Article 07.05.2014 3 min. read Text All around the world we see public authorities requesting access to more and more individual user data, in particular from telecommunication operators and Internet service providers. Information revealed by Edward Snowden showed us how such measures can escalate into mass surveillance programmes that violate citizens' fundamental rights. In our first attempt at a “transparency report”, we looked at what happens at the interface of Internet service providers and public authorities in Poland. Who sends requests for users' data? How many and for what purpose? What legal procedures are followed and what safeguards apply? Our pilot study includes analysis of legal provisions and collection of data from both major Internet Service Providers and public authorities. The report explains systemic problems that were identified in our research and that should be solved in order to ensure adequate standard of protection for individuals. Data on requests made by public authorities was collected with the help of four Polish Internet Service Providers: Agora, Google, INTERIA.PL and Onet. The study showed that the unquestioned leader in terms of requests for Internet user data in Poland is the prosecutor’s office (62,7% of the requests reported by the ISPs participating in the study). The police placed second (33,2%). Requests submitted directly by courts are much less frequent, while requests from government authorities are entirely marginal. None of the companies participating in the pilot study gathers detailed data regarding the legal grounds which the government authorities rely on, and those public entities that make most data requests refused to answer the question about legal grounds for their requests. A vast majority of requests for Internet users’ data passes through judicial or law enforcement authorities that obtain data for the purposes of criminal proceedings. Assuming that the information provided is reliable, and the government does not make covert requests for data gathered by the companies, there are no premises for assuming that Polish government agencies implement programs of mass surveillance in the scope of collecting information on individuals using Internet services. Information regarding the number of requests from public institutions was made available by all four companies taking part in the pilot study. In the period included in the study, the number of requests from public authorities rose consistently. What is the reason for that growth? There is reason to believe that the rise in the number of requests for Internet users’ data on the part of government bodies is a side effect of increased social activity on the Internet. Due to the fragmented nature of the data analysed, it is difficult to judge whether or not the increase in data requests is a broader and permanent tendency. In any case, reducing the discussion on government authorities' willingness to know about their citizens and how this affects online service providers into simple numbers is an unnecessary and dangerous simplification. It is not the scale which is important, but primarily whether public authorities make requests only when they have valid grounds, and whether companies respond only when they have to. The principles for collecting and storing customer data in Poland are regulated by the Act on Providing Services by Electronic Means and the Act on Personal Data Protection (APSEM). However, these provisions may be disregarded by those companies which do not fall within Polish jurisdiction, even if they operate on the Polish market. Polish regulations do not allow for the free access of the government to databases in which companies store the data of Internet users. The prosecutor’s office, the police, and other bodies may only obtain information regarding specific individuals, and they must always present an appropriate decision that clearly spells out its legal grounds. The law does not precisely specify the elements which a data request addressed by government authorities to a private company should contain. This causes interpretative doubts which the companies have to resolve according to their own judgement and at their own risk. Access of public authorities to the data of Internet service users - Seven issues and several hypotheses The article was originaly published in EDRi-gram newsletter - Number 12.9, 7 May 2014. Fundacja Panoptykon Author Topic secret services personal data Internet Previous Next See also Article New chair of the Polish DPA appointed Jan Nowak, previously a general manager at the DPA’s office and a long-term member of PiS, the ruling party, will become the new chair of the Polish Data Protection Authority. The nomination raised controversy as to whether Jan Nowak meets the legal requirements for this position. 11.04.2019 Text Article The right to explanation of creditworthiness assessment – first such law in Europe Thanks to Panoptykon’s initiative bank customers in Poland will have the right to receive explanation of their creditworthiness. It’s the first right of this kind in Europe and a higher standard than the one envisioned in the GDPR. 12.06.2019 Text Article Polish law on “protecting the freedoms of social media users” will do exactly the opposite Polish government’s proposal for a new law on “protecting free speech of social media users” introduces data retention, a new, questionable definition of “unlawful content”, and an oversight body (Free Speech Council) that is likely to be politically compromised. In this context, “Surveillance and… 10.02.2021 Text
