Law 32/2008 of 17 July

Published in D.R. number 137 (Series I) of 17 July 2008

Assembleia da República (Assembly of the Republic)

Law


Transposes to the national legal order Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.

Pursuant to article 161 c) of the Constitution, the Assembly of the Republic hereby decrees as follows:

Article 1
Subject-matter

1 - This statutory instrument governs the retention and transmission of traffic and location data on both natural persons and legal entities, and of the related data necessary to identify the subscriber or registered user, for the purpose of the investigation, detection and prosecution of serious crime by competent authorities, transposing to the national legal order Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks, and amending Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

2 - The retention of data revealing the content of electronic communications is prohibited, without prejudice to provisions laid down in Law no. 41/2004 of 18 August and in penal procedure law on recording and interception of communications.

Article 2
Definitions

1 - For the purpose of this law:

a) «Data» means traffic data and location data and the related data necessary to identify the subscriber or user;

b) «Telephone service» means any of the following services:

i) Call service, including voice, voicemail and conference and data calls;

ii) Supplementary services, including call forwarding and call transfer;

iii) Messaging and multi-media services, including short message services (SMS), enhanced media services (EMS) and multi-media services (MMS);

c) «User ID» means a unique identifier allocated to persons when they subscribe to or register with an Internet access service or Internet communications service;

d) «Cell ID» means the identity of the cell from which a mobile telephony call originated or in which it terminated;

e) «Unsuccessful call attempt» means a communication where a telephone call has been successfully connected but not answered or there has been a network management intervention;

f) «Competent authorities» means judicial authorities and criminal police authorities of the following bodies:

i) Polícia Judiciária (Judicial Police);

ii) Guarda Nacional Republicana (Republican National Guard);

iii) Polícia de Segurança Pública (Public Security Police);

iv) Polícia Judiciária Militar (Military Judicial Police);

v) Serviço de Estrangeiros e Fronteiras (Aliens and Borders Department);

vi) Polícia Marítima (Maritime Police);

g) «Serious crime» means terrorist crime, violent crime, highly organised crime, illegal restraint, kidnapping and hostage-taking, cultural identity or personal integrity crimes, crimes against national security, counterfeiting currency or equivalent securities, and crimes covered by conventions on safety of air or sea navigation.

2 - For the purpose of this law, definitions provided for in Law no. 67/98 of 26 October, and Law no. 41/2004, of 18 August, shall apply, without prejudice to the preceding paragraph.

Article 3
Purpose of data processing

1 - The retention and transmission of data is exclusively intended for the investigation, detection and prosecution of serious crime by competent authorities.

2 - The transmission of data to competent authorities may only be ordered or authorized by reasoned Court order, pursuant to article 9.

3 - Files intended for data retention in the scope hereof must be stored separately from other files with different purposes.

4 - Data subjects shall not oppose the retention and transmission of the respective data.

Article 4
Categories of data to be retained

1 - Providers of publicly available electronic communications services or of public communications networks shall retain the following categories of data:

a) Data necessary to trace and identify the source of a communication;

b) Data necessary to trace and identify the destination of a communication;

c) Data necessary to identify the date, time and duration of a communication;

d) Data necessary to identify the type of communication;

e) Data necessary to identify users' communication equipment or what purports to be their equipment;

f) Data necessary to identify the location of mobile communication equipment.

2 - For the purpose of point a) of the preceding paragraph, the following shall be deemed as data necessary to trace and identify the source of a communication:

a) Concerning fixed network telephony and mobile telephony:

i) The calling telephone number;

ii) The name and address of the subscriber or registered user;

b) Concerning Internet access, Internet e-mail and Internet telephony:

i) The user IDs allocated;

ii) The user ID and telephone number allocated to any communication entering the public telephone network;

iii) The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.

3 - For the purpose of point b) of paragraph 1, the following shall be deemed as data necessary to identify the destination of a communication:

a) Concerning fixed network telephony and mobile telephony:

i) the numbers dialled, and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;

ii) the name and address of the subscriber or registered user;

b) Concerning Internet e-mail and Internet telephony:

i) the user ID or telephone number of the intended recipient of an Internet telephony call;

ii) the names and addresses of subscribers or registered users and user ID of the intended recipient of the communication;

4 - For the purpose of point c) of paragraph 1, the following shall be deemed as data necessary to identify the date, time and duration of a communication:

a) Concerning fixed network telephony and mobile telephony, the date and time of the start and end of the communication;

b) Concerning Internet access, Internet e-mail and Internet telephony:

i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;

ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;

5 - For the purpose of point d) of paragraph 1, the following shall be deemed as data necessary to identify the type of communication:

a) Concerning fixed network telephony and mobile telephony: the telephone service used;

b) Concerning Internet e-mail and Internet telephony, the Internet service used.

6 - For the purpose of point e) of paragraph 1, the following shall be deemed as data necessary to identify users' communication equipment or what purports to be their equipment:

a) Concerning fixed network telephony, the calling and called telephone numbers;

b) Concerning mobile telephony:

i) the calling and called telephone numbers;

ii) the International Mobile Subscriber Identity (IMSI) of the calling party;

iii) the International Mobile Equipment Identity (IMEI) of the calling party;

iv) the IMSI of the called party;

v) the IMEI of the called party;

vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and cell ID from which the service was activated;

c) Concerning Internet access, Internet e-mail and Internet telephony:

i) the calling telephone number for dial-up access;

ii) the digital subscriber line (DSL) or other end point of the originator of the communication;

7 - For the purpose of point f) of paragraph 1, the following shall be deemed as data necessary to identify the location of mobile communication equipment:

a) the cell ID at the start of the communication;

b) Data identifying the geographic location of cells by reference to their cell ID during the period for which communications data are retained.

Article 5
Scope of the obligation to retain data

1 - Telephony data and Internet data relating to unsuccessful call attempts must be retained where those data are generated or processed and stored by bodies referred to in paragraph 1 of article 4, in the context of provision of communication services.

2 - Data relating to unconnected calls shall not be retained.

Article 6
Period of retention

Bodies referred to in paragraph 1 of article 4 shall retain data provided for therein for a period of one year from the date of the communication.

Article 7
Data protection and security

1 - Bodies referred to in paragraph 1 of article 4 shall:

a) Retain data concerning categories provided for in article 4 in such a way that they can be provided without undue delay to the competent authorities, by reasoned Court order;

b) Ensure that the retained data are of the same quality and subject to the same security and protection as those data on the network;

c) Take all appropriate technical and organisational measures to protect the data provided for in article 4 against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;

d) Take all appropriate technical and organisational measures to ensure that data provided for in article 4 are accessed by specially authorised personnel only;

e) Destroy data at the end of the period of retention, except those that have been preserved by court order.

2 - Data concerning categories provided for in article 4, except for data on subscribers' names and addresses, shall be blocked as from the moment they are retained, and shall only be unblocked in order to be provided to competent authorities, pursuant to provisions hereof.

3 - Data concerning categories provided for in article 4 shall be provided by means of an electronic communication, under technical and security conditions set out in a joint administrative rule of members of the government for internal administration, justice and communications, which must meet the highest possible degree of codification and protection, according to the state of the art at the moment of transmission, including codification or encryption methods, or other.

4 - The preceding paragraphs are without prejudice to compliance with principles or rules on quality and safeguard of confidentiality and security of data, provided for in Law no. 67/98 of 26 October, and Law no. 41/2004, of 18 August.

5 - The Comissão Nacional de Protecção de Dados - CNPD (National Data Protection Commission) shall be the public authority responsible for monitoring the provisions hereof.

Article 8
Registration of specially authorised personnel

1 - The CNPD shall maintain and permanently update an electronic record of personnel specially authorised to access data, under paragraph 1 d) of the preceding article.

2 - For the purpose of the preceding paragraph, providers of publicly available electronic communications services or of public communications networks shall submit exclusively by electronic means to CNPD the necessary elements to identify personnel specially authorised to access data.

Article 9
Transmission of data

1 - The transmission of data referring to categories provided for in article 4 shall only be authorized, by reasoned order of the investigating judge, where there is reason to believe that such a step is crucial to the truth-finding process, or that otherwise it would be impossible or very difficult to secure evidence in the scope of the investigation, detection, and prosecution of criminal offences.

2 - The authorization provided for in the preceding paragraph may only be requested by the public prosecutor or by the competent criminal police authority.

3 - Authorization for data transmission shall only concern:

a) The suspect or defendant;

b) The person who acts as an intermediary, where there are clear grounds for believing that such person receives or transmits messages to or from the suspect or defendant;

c) The crime victim, with his/her actual or presumed consent.

4 - The judicial decision to provide data shall meet the requirements of adequacy, necessity and proportionality, namely as regards the definition of categories of data provided and competent authorities with access to data and the protection of professional secrecy, under the law.

5 - The preceding paragraphs are without prejudice to the collection of data on location of mobile equipment necessary to remove danger to life and physical well-being, pursuant to article 252-A of the Penal Procedure Code.

6 - Bodies referred to in article 4, paragraph 1, shall prepare records of data retrieved and provided to competent authorities and send them to the CNPD on a quarterly basis.

Article 10
Technical conditions for transmission of data

Data on categories provided for in article 4 shall be provided exclusively by electronic means, under the technical and safety conditions provided for in paragraph 3 of article 7.

Article 11
Destruction of data

1 - The judge shall determine, of his own motion or upon request by any interested party, the destruction of data held by competent authorities, as well as data preserved by bodies referred to in paragraph 1 of article 4, as soon as they are no longer required for their intended purpose.

2 - Data are deemed to be no longer required for their intended purpose where one of the following circumstances occurs:

a) Definitive closure of criminal proceedings;

b) Final acquittal;

c) Final conviction;

d) Proceedings becoming time-barred;

e) Amnesty.

Article 12
Breaches

1 - Without prejudice to criminal liability under the law, the following shall be deemed to be breaches:

a) Failure to retain categories of data provided for in article 4;

b) Non-compliance with the period of retention provided for in article 6;

c) Failure to provide data to competent authorities holding authorization under article 9;

d) Failure to send data necessary to identify specially authorised personnel, pursuant to article 8, paragraph 2.

2 - Breaches provided for in the preceding paragraph are punishable by penalties between €1,500 and €50,000 or between €5,000 and €10,000,000, according to whether a natural person or legal entity is concerned.

3 - Attempt and negligence are punishable.

Article 13
Crimes

1 - The following actions shall be deemed as crimes, punished by imprisonment of up to two years or fine up to 240 days:

a) Failure to comply with any of the provisions on data protection or security provided in article 7;

b) Failure to block data under paragraph 2 of article 7;

c) Access to data by an unauthorised person under paragraph 1 of article 8.

2 - Penalties shall be doubled where the crime:

a) Is committed through infringement of technical safety standards;

b) Has made personal data available to the infringer or third parties; or

c) Has provided the infringer or third parties with material benefits or advantages.

3 - Attempt and negligence are punishable.

Article 14
Breach procedure and application of penalties

1 - The CNPD shall be responsible for examining breach procedures and for the corresponding application of penalties concerning actions provided for in the preceding article.

2 - Amounts of penalties imposed shall be distributed as follows:

a) 60% to the State;

b) 40% to the CNPD.

Article 15
Applicability of sanction regimes provided for in Law no. 67/98, of 26 October, and Law no. 41/2004, of 18 August

Provisions in articles 12 and 14 are without prejudice to the application of Chapter VI of Law no. 67/98, of 26 October, and Chapter III of Law no. 41/2004, of 18 August.

Article 16
Statistics for annual information provided to the Commission of the European Communities

1 - The CNPD shall provide the Commission on a yearly basis with statistics on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or a public communications network.

2 - For the purpose of the preceding paragraph, bodies referred to in paragraph 1 of article 4 shall convey to the CNPD by 1 March every year, the following information, concerning the preceding year:

a) The cases in which information was provided to the competent authorities;

b) The time elapsed between the date on which the data were retained and the date on which the competent authority requested the transmission of the data; and

c) The cases where requests for data could not be met.

3 - Information provided in the preceding paragraph shall not contain personal data.

Article 17
Assessment

At the end of each period of two years, the CNPD, in collaboration with Instituto das Comunicações de Portugal - Autoridade Nacional de Comunicações (ICP-ANACOM), shall assess all procedures provided for herein and prepare a detailed report including recommendations, which shall be submitted to the Assembly of the Republic and to the Government.

Article 18
Taking of effect

This law shall take effect 90 days after the publication of the administrative rule referred to in paragraph 3 of article 7.

Approved on 23 May 2008.

The President of the Assembly of the Republic, Jaime Gama.

Promulgated on 1 July 2008.

Let it be published.

The President of the Republic, Aníbal Cavaco Silva.

Counter-signed on 2 July 2008.

The Prime Minister, José Sócrates Carvalho Pinto de Sousa.