Article 17 of the Constitution provides that every person has the right to respect for, and to the secrecy of, his correspondence and other communication if such other communication is made through means not prohibited by law, and that there may be no interference with the exercise of this right except in accordance with the law.
The Law on the Retention of Telecommunications Data for the Investigation into Criminal Offences, Law 183(I) of 2007 as amended, transposes EU Directive 2006/24/EC on data retention. Interceptions of communications may only occur in circumstances provided for by law and with the authorisation of a court. The relevant section came into effect on the 15 of March 2009 and imposes an obligation on service providers to maintain data in regard to fixed network telephony, mobile telephony, internet, web call and email services for a period of six months.
The data to be retained are both incoming and outgoing calls fixed or mobile and internet access, data relating to the equipment used and location data and identity of the subscribers. However the content of the communication is specifically excluded.
Service Providers are obliged to:
- Take the appropriate measures to ensure that the preserved data are of the same quality and enjoy the same protection and security as data of the network.
- Take the appropriate technical and organizational security measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorized or unlawful access, storage, processing or disclosure.Take the appropriate technical and organizational security measures to ensure that they can be accessed by specially authorized personnel only.
- Take the appropriate technical and organizational measures for the automatic destruction of the non preserved data after six (6) months of the communication.
The Law provides for a power of the Court to Order the retention / preservation or disclosure of such data to the Police for the purposes of detecting and prosecuting. Furthermore only the Court, upon an application submitted by the Police, subject to the approval of the Attorney General, may authorize the disclosure/use of the data retained.
The Court when issuing an order imposes conditions as to the extend, use, disclosure or destruction of such data. The data disclosed, if proved to be irrelevant to the crime under investigation, should be destroyed.
Service Providers are obliged to comply with such Court Orders but they are also obliged to resist any other attempts at disclosure or surveillance. If they fail to comply with either obligation they could be held liable of an offence. According to the Law, service providers, upon the presence of the Court Order, are obliged to comply immediately and in any case without unreasonable delay.
Currently, there is no specific legal basis for the government to require disclosure of encryption keys. The police is in consultation with the Ministry of Justice and the Attorney General’s office with a view to introducing new legislation to compel the disclosure of encryption keys in the context of a criminal investigation after the issuance of a relevant court order.