Tag Archive: poland

POLAND: GIODO special team publishes the “Proposed procedures before the Inspector General”

By Damian Karwala (Senior Associate, Warsaw)

The Polish Data Protection Authority, GIODO (Generalny Inspektor Ochrony Danych Osobowych), as well as data controllers and data processors in Poland are currently preparing for the General Data Protection Regulation (GDPR). Among other things, GIODO has recently proposed that Administrators of Information Security (so-called “ABIs”, or Administratorzy Bezpieczeństwa Informacji – the Polish counterparts of Data Protection Officers), who are registered in the national register kept by GIODO, will ex lege become Data Protection Officers under the GDPR. According to information on GIODO’s website: “one of the provisions that should be included in the new personal data protection act, pursuant to the necessity to implement the GDPR, is a transitional provision, according to which the ABIs registered in a national, open register should ex lege become Data Protection Officers” (available here in Polish).

This statement is explained by the current status and competencies of ABIs. The function of ABI, in its current state, was introduced in Poland on 1 January 2015 with the aim of preparing a group of privacy professionals to meet the requirements of the GDPR and increasing the professionalisation of this role in organisations. In GIODO’s opinion, its proposal will make “information security administrators who have met all the criteria currently required to fulfill this function [i.e. under Polish regulations] able to continue performing this function without having to take into consideration any further formal actions”. However, this position raises some doubts because, despite their close similarities, the status of ABIs and DPOs is somewhat different. As a result, it does not seem plausible that national data controllers could “automatically” change the name ‘ABI’ into ‘DPO’ without taking any further action, e.g. in relation to a DPO’s obligation to act as a contact point for data subjects and the supervisory authority.

This was one of many issues raised by GIODO in the proposed procedure prepared by a special team working on the reform of data protection law in Poland, appointed by GIODO on 8 July 2016. The draft of this procedure (“Proposed procedures before the Inspector General”, available here in Polish) was sent to the Ministry of Digital Affairs on 27 January 2017, where it is currently subject to further work.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/poland-giodo-special-team-publishes-the-proposed-procedures-before-the-inspector-general/

POLAND: A New Law Expanding Police and Secret Services Surveillance Powers Comes Into Force in Poland

As of 7 February 2016, access to electronic communications and digital data is easier for state authorities, due to an amendment that expands surveillance powers and restricts citizens’ rights to privacy.

By Paweł Tobiczyk

The Constitutional Tribunal’s judgment

The amendment of the Police Act and legislation regarding other secret services aims to enact Polish Constitutional Tribunal judgment dated 6 August 2014 finding that law enforcement operations did not have proper oversight.

Under previous legislation, law enforcement was entitled to collect billing data from telecommunication companies indirectly, immediately and without limits.  The Tribunal ordered implementation of legislation to oversee the disclosure of such data, and the immediate destruction of surveillance material subject to professional secrecy. The Tribunal also considered that a monitored person must be informed about activities relating to her/him once monitoring has finished. The Tribunal held too that the maximum duration of surveillance should be precisely defined in the law.

New police and secret services powers

The amendment brings important changes to the rules for accessing data and conducting surveillance of citizens’ activities, especially in relation to electronic communications and digital data.

  • Permissible surveillance techniques are much broader than previously, and notably include previewing and recording audio and video on premises, in transport and even in areas that are not public; controlling and storing the content of personal correspondence (including electronic); obtaining data from information media, telecommunications terminal equipment, and IT and telecommunications systems.
  • Surveillance generally does not require obtaining a court order, and may last up to 18 months, and in some cases indefinitely.
  • The court is entitled to oversee surveillance, but only ex post: police and secret services are obliged to provide the court twice a year with reports regarding the activities they have pursued concerning accessing personal data and confidential information of citizens.
  • Surveillance is allowed not only in case of reasonable suspicions that somebody committed an offence but also in order to prevent such situations.

Access to ‘Internet data’

The prerogatives of the police force were extended to so-called “Internet data”, which is not clearly defined by the Polish Act on Rendering Services by Electronic Means. Under this Act all data necessary for the provision of services by electronic means can be treated as Internet data, and potentially the definition can cover the content of private messages.The amendment raises serious doubts:

  • Internet data can be processed without consent of data subjects and the prior permission of a court.
  • Access to Internet data does not have to relate to a particular criminal proceeding, since police and other services are able to preview users “preventively” by checking which websites they visit and what activities are conducted, and then deciding whether an offence was committed.

By permitting access to such a breadth of data, taking into account the wide range of situations when surveillance is allowed, it is possible to understand with great precision the activities of internet users, including activities relating to their private life, which may infringe the right to privacy.

Incompatibility with the Constitutional Tribunal ruling

According to the majority of experts and the Constitutional Tribunal itself, the amendment does not correctly implement the Tribunal’s judgment and is not consistent with law currently in force:

  •  Persons who were under surveillance must be informed that their data is collected and processed.
  • The law must ensure independent oversight of each case of telecommunications data disclosure.
  • If telecommunications data of persons subject to professional secrecy (e.g., attorneys or journalists) is accessed, an independent authority (such as a court) must approve police or secret services collection of such data.
  • The conditions when access to telecommunications data is permitted must be limited (such access should be allowed only in case that use of other methods are ineffective).

As a consequence, it is likely that the amendment is contrary to national and EU law and a challenge could be mounted.

For more information, please contact Paweł Tobiczyk (pawel.tobiczyk@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/poland-a-new-law-expanding-police-and-secret-services-surveillance-powers-comes-into-force-in-poland/