Blogs | EDRi-gram | Open internet and inclusive technology | Data protection standards | Equal access to the internet | Freedom of expression online | Surveillance and data retention

Polish law on “protecting the freedoms of social media users” will do exactly the opposite

EDRi member Panoptykon Foundation carefully analyses the Polish law on “the protection of freedoms of social media users” which turns out to introduce data retention, a new, questionable definition of “unlawful content”, and an oversight body that is likely to be politically compromised.

By Panoptykon Foundation (guest author) · February 10, 2021

In January, the Polish Ministry of Justice announced a new law on “the protection of freedoms of social media users”. Although the idea was conceived before Twitter and other platforms banned Donald Trump, the timing couldn’t have been more perfect. The goal of the new law – as revealed by the Ministry – was to curb the arbitrary power of social media platforms by making it illegal to delete content that does not break Polish laws. Panoptykon does not fully agree with the method of a blanket ban on deleting harmful, but legal content for a number of reasons and believes that issues of platform power should be regulated on a European level, in the Digital Services Act. However, in Panoptykon’s view the Polish government accurately identified the problems related to platforms’ power over content.

However, the actual text of the law – published two weeks after it was announced – goes against these very promises. A careful analysis of the proposed new rules reveals that the law – in theory designed to “protect freedoms of social media users” – introduces data retention, a new, questionable definition of “unlawful content”, and an oversight body (Free Speech Council) that is likely to be politically compromised. In this context, Panoptykon believes that “Surveillance and Censorship Act” would be a more accurate name for the law. Let’s unpack this.

Without warning, the Ministry of Justice has proposed to introduce a data retention obligation for online services. Providers of these services would have to store internet data (e.g. IP addresses, email, name, browsing history) for 12 months and make it available to law enforcement bodies upon request. So far companies did not store this type of data longer than it was necessary to provide the service. As a result, the number of requests from law enforcement agencies was relatively small (less than 20,000 in 2019). A data retention obligation creates a huge risk of a rapid increase of the number of requests. Especially when it is paired with a possibility to create a direct, fast lane between law enforcement agencies and companies, which enables the police and secret services to access the data without the need to send a separate request in each case (this possibility was introduced in 2016 in a so-called Surveillance Act). In fact, we can already see the consequences of these tools in mass collection of data held by telecom providers (phone records, location) – existing data retention obligation for these companies and a direct communication pipeline between them and law enforcement agencies resulted in a shocking number of 1.3 million records collected in 2019. It is also worth noting that a bulk data retention obligation for online services is illegal under EU Law, which has been explicitly confirmed by the EU Court of Justice in October 2020. The law is all the more problematic, given that in Poland there is no effective oversight and control over the activities of law enforcement agencies.

In terms of curbing platform’s power, the law also falls short. It creates a questionable definition of “unlawful content” which includes – among others – disinformation, content infringing on personal rights, and on… “public decency”. Users’ appeals from platforms’ decisions would go to a new oversight body called the Free Speech Council. The problem is that requirements for its members and their election procedures create a serious risk of ensuring that the Council becomes politically dependent on the government. For instance, there are no requirements for the political independence of members and if they fail to gain the support of 3/5 of the parliament, they can be elected by a simple majority. A similar mechanism applies to electing members of the oversight body for the judiciary which has in practice become a political arm of the ruling majority. Apart from this, the proposed rules of due process and redress are also weaker than those presented by the European Commission in the Digital Services Act.