Poland: the government declares no further extension of data retention obligation

Data retention obligation will not be further extended in Polish law on electronic communication. However, the current, unlawful scope of telecommunication data retention remains unchanged.

By Panoptykon Foundation (guest author) · March 1, 2023

Polish government’s long overdue effort to introduce the directive establishing the European Electronic Communication Code, dated 11 December 2018, created an unwelcomed fuss among privacy activists.

The regulations would indeed benefit from synchronising it with the 21st-century ways of how we communicate (like with e-mail or internet messaging). But apart from necessary changes, the Polish government tried to include in the law a data retention obligation for a new branch of the communication industry: companies offering number-independent interpersonal communications services, such as communicators or e-mails. Providers of communication services such as e-mail or internet messaging would have to store “users’ identification data” for 12 months, and make it available for law enforcement purposes, just like telecoms do now.

Panoptykon presented an opinion on the proposed law. It emphasised that the current national data retention regulations, obliging telecommunication companies to keep users’ data for 12 months and allow secret services to access them through an internet interface, without court supervision, is contradictory to the EU law. Further broadening the data retention obligation would be faulty in the same way.

Panoptykon was not alone in the critics, followed by the Ministry for the European Union, criticising the unlawful data retention obligation. Cybersecurity experts also raised the alarm that the new law may possibly oblige internet companies to introduce a backdoor to their encrypted services.

Though the government seemed at first to ignore the critical legal opinions, it reacted to the media headlines. On 6 February 2023 the government representative officially declared that the data retention obligation will not be expanded and backdoor law will not be introduced.

Though we welcome this declaration, we remain concerned that no visible effort has been made so far to curb the current unsupervised secret services powers in this respect.

The problem is two-fold. First of all, Polish secret services have broad and technically easy access to telecommunication metadata (like billings, localization) of every single user, compulsory stored by telecoms for a period of 12 months. And they do not restrain themselves from using it. In 2021 alone they accessed telecom data about 1.8 million times – and this number does not include how many times they verified users’ data (like who the given number belongs to).

Secondly, secret services in Poland remain beyond scrutiny. Panoptykon is trying to change it through strategic litigation in front of the European Court of Human Rights

Contribution by: Anna Obem, CEO & CFO, Member of the Board & Wojciech Klicki, Monitoring & Advocacy Expert, EDRi member, Panoptykon Foundation