Administrative Rule no. 469/2009, of 6 May
Lays down the technical and security conditions under which electronic communications for the transmission of traffic and location data on natural persons and legal entities, as well as of related data necessary to identify the subscriber or registered user, must operate
Published in D.R. number 87 (Series I) of 6 May 2009
Ministérios da Administração Interna, da Justiça e das Obras Públicas, Transportes e Comunicações (Ministries for Internal Administration, Justice and Public Works, Transport and Communications)
Law no. 32/2008, of 17 July, transposes to the national legal order Directive 2006/24/EC, of the European Parliament and the Council, of 15 March 2006, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.
In the regulatory framework imposed by this Directive, Law no. 32/2008, of 17 July, requires that providers of publicly available electronic communication services or of public communications networks retain specific communication data, so that such data can be accessed by competent authorities, exclusively for the purpose of investigation, detection and prosecution of serious crime.
Acknowledging that the values at stake and the retention of data are both sensitive subjects, Law no. 32/2008, of 17 July, adopted special restrictions, cautions and security measures as regards the access to and processing of data and the supervision and monitoring of compliance with the obligations provided for under the law, among which the following must be highlighted: inclusion of an exhaustive list of types of crimes that integrate the notion of "serious crime"; the strict prohibition to retain data revealing the content of communications; the provision that the access to data can only be requested by the Public Prosecution Office or by the competent criminal police authorities and is always dependent on a judicial decision; the establishment of a one-year-period as the time limit for data retention; the requirement that personnel responsible for carrying out the tasks associated with compliance with the obligations legally provided for, in the scope of providers of publicly available electronic communications services or of public communications networks, must be authorized by and registered at the "Comissão Nacional de Protecção de Dados" - CNPD (National Data Protection Commission).
As specifically regards the transmission of data legally provided for, paragraph 3 of article 7 of Law no. 32/2008, of 17 July, determines that such data must be provided by means of an electronic communication, under technical and security conditions set out in a joint administrative rule of members of the government for internal administration, justice and communications, which must meet the highest possible degree of codification and protection, according to the state of the art at the moment of transmission, including codification, encryption, or other methods.
In implementing this legal provision, this administrative rule introduces important measures, aiming to set out the technical and security conditions of the electronic communications of traffic and location data on natural persons and legal entities, as well as of the related data necessary to identify the subscriber or registered user, provided for in Law no. 32/2008, of 17 July.
Consequently, it is hereby determined, in the first place, that the electronic communication must be processed on the basis of a specific software, through which the judge sends out the data request and the providers of publicly available electronic communications services or of public communications networks notify the transmission of the file that corresponds to the search result.
In the second place, the placing of a digital signature, both in the reasoned Court order that orders or authorizes the transmission of data - the rule in paragraph 1 of article 17 of Administrative Rule no. 114/2008, of 6 February, being applied to this subject-matter - as well as in the reply file to the data request sent by providers, is made compulsory.
In the third place, it is established that all electronic communications under this Administrative Rule, as well as in the reply file to the data request sent by providers, must be encrypted, thereby providing to this matter the strongest possible guarantees.
In the fourth place, the electronic record of sent data requests is made mandatory, with the indication of who sent the request and the time and date when it was sent. The access to reply files is also subject to an electronic record, also with the indication of who requested the access and when.
Lastly, security audits to the software have been provided for, thereby expressly laying down herein a good practice being currently applied by computer systems of the judicial system.
This Administrative Rule also enables the judge to use the established technological platform to send data requests concerning crimes for which it is not possible to order or authorize the transmission of data retained pursuant to Law no. 32/2008, of 17 July.
It is thus ensured that the judge is able to send data requests to providers under the same security conditions and always by electronic means, regardless of the type of crimes that the data concern.
Pursuant to paragraph 3 of article 7 of Law no. 32/2008, of 17 July, to paragraph 3 of article 94 of the Criminal Procedure Code and to paragraph 3 of article 176 of the Civil Procedure Code:
The Government, through its Ministers for Internal Administration, for Justice and for Public Works, Transport and Communications hereby decree as follows:
This Administrative Rule lays down the technical and security conditions under which electronic communications for the transmission of traffic and location data on natural persons and legal entities, as well as of related data necessary to identify the subscriber or registered user, must operate, pursuant to Law no. 32/2008, of 17 July.
Requests for data
1 - The judge that ordered or authorized the transmission of data under article 9 of Law no. 32/2008, of 17 July, shall issue the corresponding request by means of software specifically made available for this purpose ("the software").
2 - The request for data is carried out by filling in the electronic form available in the software, to which must be attached the reasoned Court order that orders or authorizes the transmission of data.
3 - The request for data consists of:
a) The reasoned Court order that orders or authorizes the transmission of data, in portable document format (pdf) or in a text file, bearing a digital signature, pursuant to paragraph 1 of article 17 of Administrative Rule no. 114/2008, of 6 February; and
b) The electronic form, filled in according to the Court order referred to in the preceding point.
Reply of providers to requests for data
1 - Upon receipt of a request for data, the provider of publicly available electronic communications services or of public communications networks ("the provider") shall immediately carry out the respective search, according to the chronological order in which requests are received or to the degree of urgency determined in the reasoned Court order.
2 - As soon as the data search has been finalised, the provider shall:
a) Transfer the file that corresponds to the search result, through a secure and encrypted connection, authenticated with a user name and password; and
b) Send the notification of the reply file transfer through the software, indicating the name of the transferred file.
3 - The reply files shall comply with the following technical requirements:
a) Files must be produced in portable document format (pdf);
b) Files must bear a digital signature;
c) Files must be encrypted by means of asymmetric keys, made available through digital certificates.
4 - The provider shall request, through the software, the rectification or completion of the request for data where:
a) The reasoned Court order and data filled in the electronic form do not match;
b) Any of the elements referred to in paragraph 3 of article 2 is missing.
Notification of the receipt of the reply file
1 - The software shall notify the provider that the reply file was successfully received and stored.
2 - Upon receipt of the notification referred to in the preceding paragraph, the provider may remove from his system the copy of the file under consideration, without prejudice to the obligation to retain data pursuant to Law no. 32/2008, of 17 July.
Security of the information
1 - In the interests of security of data contained in the electronic communication referred to in article 1, the following measures must be adopted:
a) Encryption of all electronic communications performed pursuant to the present Administrative Rule;
b) Encryption of the reply file, pursuant to paragraph 4c) of article 3, thus assuring that the data on that file may only be viewed electronically through the software;
c) The reasoned Court order and the reply file of the provider must both bear a digital signature, pursuant to paragraph 3 a) of article 2 and to paragraph 4b) of article 3, in order to guarantee the integrity of these files;
d) Electronic record of sent data requests, with the indication of who sent the request and the time and date when it was sent;
e) Electronic record of all accesses to reply files, with the indication of who requested the access and the respective time and date;
f) Storage of reply files in separated folders according to each provider, which must be provided with security mechanisms to avoid the interconnection of data;
g) Security audits to the software;
h) Further measures provided for in Law no. 67/98, of 26 October, and Law no. 32/2008, of 17 July.
2 - Court judges shall access the software by introducing a user name and password.
Electronic submission of other requests
Where the judge uses the software to request, under the law, data relating to crimes for which it is not possible to order or authorize the transmission of data retained pursuant to Law no. 32/2008, of 17 July, article 2 hereof shall apply to the submission of the request, duly adapted.
Entry into force
This Administrative Rule shall take effect on the day following that of its publication.
The Minister for Internal Administration, Rui Carlos Pereira, on 28 April 2009 - The Minister for Justice, Alberto Bernardes Costa, on 27 April 2009 - The Minister for Public Works, Transport and Communications, Mário Lino Soares Correia, on 23 April 2009.