08-01-2019

Privacy, Data Retention And Data Protection In The Electronic Communications Sector - Providers Of Publicly Available Electronic Communications Services - Competent Supervisory Independent Administrative Authorities

Author/s

  • Grigorios Tsolias, Attorney at Law, LL.M.
    Managing Partner at Grigorios Tsolias and Associates Law Firm

Complying with the legal provisions for ensuring the confidentiality and security of public electronic communications is a legal requirement for the licensing and operation of Communication and Internet Service Providers.

PRIVACY, DATA PROTECTION AND DATA RETENTION
Is the right to the confidentiality of communications protected by the Constitution?

According to article 9 of the Greek Constitution, every person's private and family life is inviolable. According to article 19 par. 1 of the Greek Constitution, the confidentiality of communications is absolutely inviolable, with the exception of national security reasons and the investigation, detection and prosecution of serious crimes, where the Judicial Authority is entitled to order the lawful interception of content and access to communications data. Violation of this constitutional right leads to criminal and, in some cases, administrative sanctions.

According to article 19 par. 2 of the Greek Constitution, the protection of the confidentiality of communications is also entrusted to an Independent Authority: the Hellenic Authority for Communication Security and Privacy (A.D.A.E.).

Beyond the content, are communications data (traffic and location data) protected on the same level?

According to article 9A of the Greek Constitution, all persons are protected from the collection, processing and use, especially by electronic means, of their personal data. Furthermore, the protection of personal data is ensured by an Independent Authority: the Data Protection Authority (D.P.A.). However, communications data, as part of electronic communications, are protected in the same way and under the same requirements as the content.

Which is the competent Hellenic legal framework?

Law 2225/1994 provides the legal requirements and the judicial procedure for the lawful interception of the content of communications and access to communications data. Law 3115/2003 provides the legal framework relating to the constitution, operation and functions of the Independent Administrative Authority (A.D.A.E.), which monitors the protection of the confidentiality of communications, the procedure of lawful interception and access to communications data, and the application of the Data Retention Directive. Security Regulations for Communication and Internet Service Providers have been issued by the Independent Authority (A.D.A.E.).

Presidential Decree 47/2005 under the title “Procedure, technical and organizational guarantees for ensuring lawful interception” provides the details for the technical and organizational measures for both lawful interception and access to data.

Law 4070/2012 (which replaced Law 3431/06) has implemented Directives 2002/19/EC, 2002/20/EC, 2002/21/EC and 2002/7/EC and also provides the legal framework relating to the constitution, operation and functions of the National Regulatory Authority (“Hellenic Telecommunications and Post Commission” – www.eett.gr). Law 3471/2006 (as amended by Law 4070/2012) has implemented Directive 2002/58/EC (E-Privacy Directive) and modified Law 2472/1997 (implementation of Directive 95/46/EC). Law 3674/2008 refers to the security of the Providers' services and their obligations. Law 3783/2009 refers to the traceability of mobile phone users and the ban on anonymous prepaid SIM cards.

Law 3917/2011 has implemented Directive 2006/24/EC (Data Retention Directive). Despite the fact that the Court of Justice of the European Union (CJEU) has invalidated the Data Retention Directive (Joined Cases C-293/12 and C-594/12 – Judgment of 08 April 2014), Law 3917/2011 is still in force. However, the Ministry of Justice has formed a Special Legislative Committee to propose the annulment or amendment of the national law in order to comply with the CJEU Judgment.

For what reasons may lawful interception of the content and access to communications data be judicially ordered?

For investigating, detecting and prosecuting specific criminal offences (mainly felonies) and for national security reasons.

Under which conditions may lawful interception of the content and access to communications data be judicially ordered?

In the context of particularly serious crimes: justified suspicions that the crime has been committed, the need to trace the defendant's whereabouts, and the prior exhaustion of other means, as an ultimum refugium (meaning that locating the defendant by any means other than lawful interception or access to data is impossible or extremely difficult).

In the context of national security: information or other elements which lead to an assessment of danger to national security (justified or specific reasons or risks are not required).

What is the procedure for lawful interception of the content and access to communications data?

After an application by the Investigating Judge, the Prosecutor or the Law Enforcement Agencies (LEAs) during the pre-trial criminal procedure (inquiry), the Judicial Council (consisting of three judges) orders lawful interception of the content of communications, access to communications data, or both. In case of emergency the Prosecutor or the Investigating Judge issues an order which has to be confirmed by the Judicial Council within three (3) days. The order is secret and the target of the inquiry shall not be notified. During a criminal trial, the Court has the right to issue the same order as mentioned above. In that case, the order is issued in the presence of the defendant.

In case of national security reasons the order is issued only by the Prosecutor of the Court of Appeal, under total secrecy.

May lawful interception of the content and access to communications data be ordered for other reasons?

No, the order may be issued only either for national security reasons, or for the investigation, detection and prosecution of criminal offences.

What is the procedure of executing the judicial order for lawful interception of the content and access to communications data?

The judicial order is sent to the Communications or Internet Service Provider (CSP or ISP – “The Provider”). The Provider is obliged to execute the order by giving access to the LEAs or the competent authorities.

COMMUNICATIONS AND INTERNET SERVICE PROVIDERS
Which are the Providers? Which enterprises are obligated to give access to lawful interception of the content and access to communications data after an order?

Every company or legal person or entity which falls into the definition of “provider of publicly available electronic communications service” according to Directives 2002/58/EC and 2002/21/EC.

Has the competent European legal framework been implemented? Were there any impacts after the CJEU decision on the Data Retention Directive?

Directive 95/46/EC has been implemented into Greek legislation with Law 2472/1997, Directive 2002/58/EC (“E-Privacy Directive”) has been implemented with Law 3471/2006 and Directive 2006/24/EC (“Data Retention Directive”) has been implemented with Law 3917/2011.

Despite the fact that the Court of Justice of the European Union (CJEU) has invalidated the Data Retention Directive (Joined Cases C-293/12 and C-594/12 – Judgment of 08 April 2014), Law 3917/2011 is still in force. However, the Ministry of Justice has formed a Special Legislative Committee to propose the annulment or amendment of the national law in order to comply with the CJEU Judgment.

Which are the obligations of the Providers concerning the protection of the user’s privacy, data and communications?

Providers are obligated to respect, as a minimum, certain data security principles set out in the above-mentioned Directives (as implemented into the national legal framework) and to take the necessary and appropriate technical and organisational measures to safeguard the security of their services and of the publicly available network, so as to ensure the confidentiality and security of data processing. Providers are obligated to inform subscribers and/or users of any particular risk to the security of the network.

Providers are also obligated to respect and apply all the Regulations of the competent independent administrative authority (A.D.A.E.).

Does the Hellenic legal framework contain further legislative measures for the security of communications and data beyond those of the above-mentioned three (3) Directives?

Law 3674/08, under the title “Ensuring the security of privacy and confidentiality in the telephony services sector”, imposes further obligations and stipulates that Providers are obligated to take the appropriate technical and organizational measures to safeguard the security of their services, premises, equipment, hardware, software and any kind of systems for publicly available telecommunications services.

Providers are liable for the security of their premises, equipment, hardware, software and any kind of systems for publicly available telecommunications services. They are obligated to have a special security Policy, following the Security Regulations of the competent administrative authority (A.D.A.E.). This Policy shall be approved by A.D.A.E. and refers to: a) the systems which shall be used for ensuring the secrecy of communications, b) the evaluation of the potential risks and c) the measures for the prevention of those risks.

Law 3674/08 introduces the obligation of Providers to use cryptography for the voice signal in specific cases of transmission. It also introduces the obligation of Providers to use a computer program for the automatic registration (logging) of all the functions of the Providers' systems. Under the mentioned Law, A.D.A.E. shall conduct audits and inspections of the Providers' premises, equipment etc., and the Providers are obliged to inform A.D.A.E., the public prosecutor and the subscribers immediately in case of a violation of, or potential risk to, their systems and the confidentiality of communications. Administrative sanctions may be imposed by A.D.A.E. on Providers that do not comply with the above-mentioned obligations.

What are the obligations of the Providers according to the Data Retention Directive as implemented?

Communications and Internet Service Providers are obligated according to Law 3917/2011:

  • Not to erase but to retain the traffic and location data of communications, as specified in the Law, for a period of twelve (12) months (including unsuccessful call attempts).
  • Not to retain the content of communications.
  • Retain the traffic and location data at premises within the Hellenic territory.
  • Give access to the said data under the requirements of the lawful interception procedure.
  • Take the appropriate technical and organizational security measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorized or unlawful access, storage, processing or disclosure, according to the no 01/2013 Joint Act of the Data Protection Authority (D.P.A.) and the Hellenic Authority for Communication Security and Privacy (A.D.A.E.) regarding the obligations of Service Providers for the protection and security of the data.
  • Take the appropriate technical and organizational security measures to ensure that the data can be accessed by specially authorized personnel only.
  • Take the appropriate technical and organizational measures for the automatic destruction of non-preserved data one (1) year after the communication.
  • Apply a special security policy according to the Regulation issued by A.D.A.E. and D.P.A.
  • Assign the application of the special security policy to an employee of the Provider (“Security Officer”).

Is there any cost reimbursement by the State for the Providers supporting the data retention procedure and allowing access to communications data or content of communications in the context of the lawful interception procedure?

Under the provisions of Presidential Decree 47/2005 all the relevant expenses and costs are borne by the Providers, and there is no cost reimbursement by the State. However, with a recent decision (no 4170/2011) the Supreme Administrative Court (Council of State) annulled the provisions under which Providers bear the relevant expenses and costs. A new legal provision, complying with the aforementioned judgment, is to be voted on by the Hellenic Parliament.

NATIONAL ADMINISTRATIVE INDEPENDENT AUTHORITIES - SANCTIONS
Which National Authorities are charged with tasks resulting from the above mentioned Directives concerning communications confidentiality and data security?

The “Hellenic Authority for Communication Security and Privacy” (A.D.A.E. – www.adae.gr) is the independent administrative authority responsible for ensuring the confidentiality of letters and all other forms of free correspondence or communications, for ensuring the procedure (especially between the Providers and the LEAs) of lawful interception and access to communications data, for ensuring the security of communications for publicly available electronic communications services and, finally, for monitoring the application of the Data Retention Directive as implemented with Law 3917/2011. A.D.A.E. has issued several Regulations for the security of communications, data retention and the technical procedure for lawful interception. Their application is obligatory for the Providers.

The second competent independent administrative authority is the “Hellenic Data Protection Authority” (www.dpa.gr), constituted under Directive 95/46/EC, which is responsible for monitoring the application of the legal framework for personal data of any kind (Directives 95/46/EC and 2002/58/EC) and also for co-monitoring the application of the Data Retention Directive (2006/24/EC) as implemented with Law 3917/2011.

Which are A.D.A.E.’s main responsibilities?

  • Inquiring and conducting inspections and audits at the premises, equipment, archives, databases and documents of the Hellenic National Intelligence Service (NIS) and the Providers in order to ensure the application of the legal framework for the protection of the confidentiality of communications, for the data retention procedure, for lawful interception and for the security of the services, the network, the hardware and the software of the Providers.
  • Confiscating any means used for violating the confidentiality of communications and security.
  • Issuing instructions, recommendations, opinions and regulations for ensuring confidentiality and security of communications, data retention, and the procedure of lawful interception.
  • Imposing administrative sanctions (e.g. fines) in case of violation of the legal framework for the protection of the confidentiality and security of communications, for data retention procedure and for the lawful interception procedure.
  • Receiving from Providers every four (4) months a Report containing a list of all the judicial orders issued for lawful interception and access to communication data.

Which are the main Regulations of A.D.A.E. for the Providers?

  • Regulations for ensuring confidentiality and security of:
    -- Mobile communications services (no 629a/2004).
    -- Fixed communications services (no 630a/2004).
    -- Wireless communications services (no 631a/2004).
    -- Internet communications services (no 632a, 633a, 634a/2005), which have been replaced by:
  • Regulation for Ensuring Confidentiality and Security of Electronic Communications (no 165/2011).
  • Regulation for the Security and the Integrity of Networks and Electronic Communication Services (no 205/2013).
  • The no 01/2013 Joint Act of the Data Protection Authority (D.P.A.) and the Hellenic Authority for Communication Security and Privacy (A.D.A.E.) regarding the obligations of Service Providers for the protection and security of the data.

What are the sanctions in case of infringements of the provisions for unlawful interception, access to data and data protection procedure?

Criminal liability: a) a sanction of imprisonment of up to ten (10) years for the individual, b) a sanction of imprisonment of up to ten (10) years and a fine of up to € 100,000.00 and 200,000.00 for the Providers (legal representative, member of the board, security manager etc.) and c) a sanction of imprisonment of up to ten (10) and twenty (20) years and a fine of up to € 300,000.00 and 350,000.00 in case of danger to democracy or national security because of the breach.

By virtue of article 9 of Law 3674/2008 a new type of crime has been introduced into the Penal Code under the title “Crimes against the security of telephone communications services” (art. 292A P.C.). There are several sanctions of imprisonment for whoever (including unauthorized personnel of the Providers), without legal right and unlawfully, gains access to a connection, network, hardware or software of the Provider and creates a danger to the security of telephone communication.

Administrative liability: monetary sanctions (fines) imposed by the competent Independent Administrative Authorities on the Providers (legal representative, member of the board, security manager etc.). Fines go up to € 5,000,000.00 and there is also the sanction of suspension or revocation of the company's services. Civil liability (compensation) may arise because of moral or other damages. In that case the minimum compensation decided by the civil court shall not be less than € 10,000.00, unless the applicant asks for less.

PRIVACY - ANONYMITY IN THE AREA OF TELEPHONY SERVICES - OBLIGATIONS OF THE PROVIDERS
Which means or measures have been taken to increase the traceability of users of communications services so as to assist LEAs in the attribution of end user devices to the persons using them?

The traceability of mobile phone users, in particular those using prepaid SIM cards, and the matter of their anonymity have been dealt with by Law 3783/2009, which imposes obligations on the Providers and the users to make the persons, the services and the mobile equipment identifiable, for national security reasons and for the investigation and prosecution of serious crimes. The obligation is imposed only for mobile phone services.

What are the obligations of the users?

All users, whether subscribers or not, are obliged to register with the Providers their name, surname, place and date of birth, a copy of their ID card, Passport or Green Card (residence permit for foreigners), their TAX identification number etc. If the user is a legal entity, the same obligation applies and it is necessary to register the name of the company, the registered offices of the company, the name and surname of the legal representative and the company's TAX identification number.

What are the obligations of the Providers?

There is also an obligation for the Providers to register the telephone number, IMSI, IMEI, date and time of the first activation of the service, CELL ID and SIM card number. For new users (after the issuing of the Law of 2009), the Provider is obliged to collect the above-mentioned data, which shall be retained in its archive, as a requirement for activating the service. The Provider shall activate the service only on condition that the required data have been declared.

Is there any cost reimbursement by the State for the Provider?

No, there is no cost reimbursement for the Provider's collection and retention of the data.

How may the LEAs access the retained data?

The LEAs may access the data under the conditions and requirements of Law 2225/94 for national security reasons and for investigation-prosecution of particularly serious crimes, after a judicial order.

Which is the competent administrative independent authority for monitoring the procedure?

The National Regulatory Authority, the “Commission of Telecommunications and Postal Services” (E.E.T.T.), supervises the procedure and is responsible for monitoring the application of the law.
