Ministérios da Administração Interna, da Justiça e das Obras Públicas, Transportes e Comunicações (Ministries of Internal Administration, Justice and Public Works, Transport and Communications)
Administrative Rule
Law no. 32/2008, of 17 July, transposed to the national legal order Directive 2006/24/EC, of the European Parliament and the Council, of 15 March, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.
This statutory instrument determined that data on categories provided for in article 4 thereof (traffic and location data on natural persons and legal entities, and related data necessary to identify the subscriber or registered user) should be provided «by electronic means, under the technical and safety conditions provided for in paragraph 3 of article 7».
Administrative Rule number 469/2009, of 6 May, laid down those conditions, establishing important guarantees, namely:
The electronic communication must be processed on the basis of a specific software, through which the judge sends out the data request and the providers of publicly available electronic communications services or of public communications networks notify the transmission of the file that corresponds to the search result;
The placing of a digital signature, both in the judge order that authorizes the transmission of data as well as in the reply file to the data request sent by providers, is made compulsory;
All electronic communications, as well as the reply file to the data request sent by providers, must be encrypted;
The electronic record of data requests is made mandatory, with the indication of who sent the request and the time and date when it was sent, and access to reply files is electronically recorded, also with the indication of who requested the access and when.
In accordance with this framework, communications operators adopted the necessary preparation measures, in agreement with the Ministry of Justice, having the Instituto das Tecnologias de Informação na Justiça (ITIJ, I. P.) - the Institute of Information Technologies in Justice - ensured the development of the software the creation of which had been determined.
In order to enable a proper assessment of the software functionality and usability, an experimental period was established and subsequently extended.
The conditions to take actions that guarantee a response to questions raised by users are now met.
On the one hand, the different stages of the technological process of sending the data request are described in a technically more accurate way, in the light of improvements introduced during the implementation and test periods and of suggestions put forward by the Office of the Prosecutor.
On the other hand, the general conclusion that there is great advantage in using the software developed by ITIJ, I.P., must be upheld, in the scope of the investigation both of crimes identified in paragraph 1 g) of article 2 of Law number 32/2008, of 17 July, and also of other crimes which require requesting the provision of any type of information from electronic communications service providers.
This option, in fact, had already been outlined in article 6 of Administrative Rule number 469/2009, but it is possible and desirable to set more accurate and focused limits to the current legal authorisation.
The aim is not to change data access rules or their storage period, but to replace communications in paper or in loose digital form (which are now the vast majority) with a safe, more rapid, simpler, more effective and much more efficient form of electronic communications, thus avoiding an undesirable situation where the significant investment made by operators would only draw returns in very small number of cases, the overwhelming majority of requests (the response to which is compulsory under the law) being processed in the traditional way.
As the Conselho Superior da Magistratura (the High Council of Judges) referred in its opinion on this Administrative Rule, “Law number 32/2008 did not expressly repeal any rule of the CPP (Criminal Procedure Code), thus it is not incompatible with the rules therein”. In fact, “the legislator did not aim to eliminate the legitimate collection of traffic and location data as regards other crimes, namely those provided for, residually, in article 187, paragraph 1, of the Criminal Procedure Code, such as particularly violent crimes [articles 1, paragraph 1 l) and 187, paragraph 1 a)], smuggling, threat of crime or abuse and simulation of danger signals, threat, coercion, privacy intrusion and breach of the peace, where committed through the telephone or any other technical means (article 189, paragraph 1, of the CPP). Paragraph 1 a) of article 187 of CPP covers all crimes referred to in its paragraph 2 and included in article 2 of Law number 32/2008. Therefore, there is no incompatibility between the provisions of the new law and preceding rules of the Criminal Procedure Code”.
The use of a single communication channel - based notwithstanding on two different but complementary legal authorizations - enables not only a higher degree of security but also clear economy of scale gains for the justice system and also for electronic communications service providers, while also ensuring that the origin and processing of communications are checked, which will also improve the control by competent authorities.
Therefore:
Pursuant to paragraph 3 of article 7 of Law number 32/2008, of 17 July, to paragraph 3 of article 94 and paragraph 2 of article 189 of the Criminal Procedure Code, to article 150 of the Code of Sentence Enforcement and Liberty Deprivation Measures, to articles 155 and 159 of the Judicial Courts Organization and Operation Law, and articles 12 and 18 of Law number 109/2009, of 15 September, the Government, through its Ministers for Internal Administration, of Justice and for Public Works, Transport and Communications, hereby decrees as follows:
Article 1
Amendment to Administrative Rule number 469/2009, of 6 May
Articles 1, 2, 3, 4, 5, 6 and 6-A of Administrative Rule number 469/2009, of 6 May, are hereby amended to read as follows:
«Article 1
[...]
1 - This Administrative Rule lays down the technical and security conditions under which electronic communications for the transmission of traffic and location data on natural persons and legal entities, as well as of related data necessary to identify the subscriber or registered user, must operate, pursuant to Law no. 32/2008, of 17 July.
2 - This Administrative Rule also establishes the method of communicating by electronic means any lawful request for data storage or transmission made by the court or any competent agent under the law to providers of publicly available electronic communication services or of public communications networks, in the scope of criminal proceedings or of criminal investigations or inquiries.
Article 2
[...]
1 - The judge that ordered or authorized the transmission of data under article 9 of Law number 32/2008, of 17 July, shall communicate the decision by means of a software known as “system of access to or request of data from communication operators” (SAPDOC) specifically made available for this purpose.
2 - The communication shall be carried out by filling in the electronic form available in SAPDOC, which includes an order of the judge, based on a substantiated order included in the proceedings file only, which specifically authorizes the transmission of data in accordance with the following paragraph.
3 - The form shall include:
a) All information necessary to identify the applicant, the proceedings file and the court or organisational unit where it takes place, which must be filled in automatically where technically possible;
b) The order referred to in the preceding paragraph, drew up by the user trough the validation or alteration of an electronic model, which must be made available automatically where technically possible;
c) Data to be transmitted by providers of publicly available electronic communication services or of public communications networks;
d) The determined degree of urgency, where appropriate.
4 - After the form is fully filled in, the SAPDOC shall automatically generate, based on data entered, a portable document format (pdf) bearing the digital signature of the judge, pursuant to paragraph 1 of article 17 of Administrative Rule no. 114/2008, of 6 February.
5 - The inclusion of the electronic signature shall automatically and electronically trigger the submission to requested parties of structured data in the form and portable document format (pdf).
Article 3
[...]
1 - Upon receipt of a request for data, the provider of publicly available electronic communication services or of public communications networks (“the provider”') shall immediately carry out the respective search, according to the chronological order in which requests are received or to the determined degree of urgency.
2 - ...
3 - ...
4 - The provider shall request, through the software, the rectification or completion of the request for data where:
a) The judge order and remaining data in the electronic form do not match;
b) ...
Article 4
[...]
1 - ...
2 - Upon receipt of the notification referred in the preceding paragraph, the provider may remove from his system the copy of the file sent, without prejudice to data storage and preservation obligations in accordance with Law no. 32/2008, of 17 July.
Article 5
Security of the information
1 - In the interests of security of data contained in the electronic communication referred to in article 1, the following measures must be adopted:
a) ...
b) Encryption of the reply file, pursuant to paragraph 3 c) of article 3, ensuring that the data on that file may only be viewed electronically through the SAPDOC;
c) The judge order authorizing the data transmission and the reply file of the provider must both bear an electronic signature, pursuant to paragraph 4 of article 2 and to paragraph 3 b) of article 3, in order to guarantee the integrity of these files;
d) ...
e) ...
f) ...
g) Security audits to SAPDOC;
h) ...
2 - The judge shall access SAPDOC by introducing the respective user name and password.
3 - Provisions in the preceding paragraphs shall be without prejudice to the submission, conversion and processing of data for the purposes for which they were transmitted in other electronic forms, insofar as the submission, conversion and processing is carried out under the supervision of the competent judicial authorities, or any other competent authorities.
Article 6
Electronic submission of other requests
1 - The SAPDOC shall be used to submit electronically requests provided for in paragraph 2 of article 1, made by the court or any other competent agent under the law in the scope of criminal proceedings or of criminal investigations or inquiries.
2 - To the processing of requests referred to in the preceding paragraph shall apply rules herein duly adapted, namely:
a) The request shall be made directly by the legally competent interested party;
b) The SAPDOC shall make available for this purpose a form adapted to the request matter and to the requesting party;
c) Where data requested concern only the identification or location of the suspect, defendant or any other party in the proceedings, security measures regarding the communication of such data shall be those which result from applying the specific functions of the Justice Network and secure web services.
Article 6-A
Trial period
1 – The use of SAPDOC is optional during the respective trial period, which shall start on the date this Administrative Rule takes effect and which shall end progressively, according to how the system functions are made available to users, and when determined by joint order of the members of the Government responsible for the internal administration and justice areas.
2 – In the course of the trial period, requests for data and replies from providers which are not submitted through the software, shall be carried out in the traditional way, reply files, prepared pursuant to paragraph 3 a) and b) of article 3 hereof, being submitted in CD-ROM, DVD-ROM or any other digital means.»
Article 2
Addition to Administrative Rule number 469/2009, of 6 May
The following articles 4-A and 5-A are hereby added to Administrative Rule number 469/2009, of 6 May, and shall read as follows:
«Article 4-A
Data forwarding by the judge
1 - After receiving the request, the judge must decrypt it and make it available to the competent judge or agent, where possible by electronic means.
2 - Data made available pursuant to the preceding paragraph shall be used by judicial authorities or other competent authorities, specifically in the scope of the investigation, detection and prosecution of serious crime, and may be converted or processed, in compliance with leges artis, under suitable conditions for their intended purposes.
Article 5-A
Harmonization of different storage periods of time
Taking into account that the same datum may be stored for different periods of time according to the applicable legal standards, communication operators shall ensure that:
a) Where legal timescales differ, data are stored for the longest timescale and transmitted whenever requested;
b) Where there is a judicial order for data preservation for a specific period of time, data are transmitted whenever requested;
c) Data are not transmitted where legal or judicial storage timescales have expired.»
Article 3
Repealing provision
Administrative Rule number 131/2010, of 2 March, is hereby repealed.
Article 4
Republication
Administrative Rule number 469/2009, of 6 May, with the new wording, is hereby republished in annex hereto, being deemed to be an inherent part hereof.
Article 5
Entry into force
This Administrative Rule shall take effect on the day following that of its publication.
The Minister of Internal Administration, Rui Carlos Pereira, on 23 July 2010. - For the Minister of Justice, José Manuel Santos de Magalhães, Secretary of State of Justice and Judicial Modernization, on 22 July 2010. - The Minister for Public Works, Transport and Communications, António Augusto da Ascenção Mendonça, on 2 August 2010.
ANNEX
(referred to in article 4)
Administrative Rule number 469/2009, of 6 May
Article 1
Subject-matter
1 - This Administrative Rule lays down the technical and security conditions under which electronic communications for the transmission of traffic and location data on natural persons and legal entities, as well as of related data necessary to identify the subscriber or registered user, must operate, pursuant to Law no. 32/2008, of 17 July.
2 - This Administrative Rule also establishes the method of communicating by electronic means any lawful request for data storage or transmission made by the court or any competent agent under the law to providers of publicly available electronic communication services or of public communications networks, in the scope of criminal proceedings or of criminal investigations or inquiries.
Article 2
Requests for data
1 - The judge that ordered or authorized the transmission of data under article 9 of Law number 32/2008, of 17 July, shall communicate the decision by means of a software known as “system of access to or request of data from communication operators” (SAPDOC) specifically made available for this purpose.
2 - The communication shall be carried out by filling in the electronic form available in SAPDOC, which includes an order of the judge, based on a substantiated order included in the proceedings file only, which specifically authorizes the transmission of data in accordance with the following paragraph.
3 - The form shall include:
a) All information necessary to identify the applicant, the proceedings file and the court or organisational unit where it takes place, which must be filled in automatically where technically possible;
b) The order referred to in the preceding paragraph, drew up by the user trough the validation or alteration of an electronic model, which must be made available automatically where technically possible;
c) Data to be transmitted by providers of publicly available electronic communication services or of public communications networks;
d) The determined degree of urgency, where appropriate.
4 - After the form is fully filled in, the SAPDOC shall automatically generate, based on data entered, a portable document format (pdf) bearing the digital signature of the judge, pursuant to paragraph 1 of article 17 of Administrative Rule no. 114/2008, of 6 February.
5 - The inclusion of the electronic signature shall automatically and electronically trigger the submission to requested parties of structured data in the form and portable document format (pdf).
Article 3
Reply of providers to requests for data
1 - Upon receipt of a request for data, the provider of publicly available electronic communication services or of public communications networks (“the provider”') shall immediately carry out the respective search, according to the chronological order in which requests are received or to the determined degree of urgency.
2 - As soon as the data search has been finalised, the provider shall:
a) Transfer the file that corresponds to the search result, through a secure and encrypted connection, authenticated with a user name and password; and
b) Send the notification of the reply file transfer through the software, indicating the name of the transferred file.
3 - The reply files shall comply with the following technical requirements:
a) Files must be produced in portable document format (pdf);
b) Files must bear a digital signature;
c) Files must be encrypted by means of asymmetric keys, made available through digital certificates.
4 - The provider shall request, through the software, the rectification or completion of the request for data where:
a) The judge order and remaining data in the electronic form do not match;
b) Any of the elements referred to in paragraph 3 of article 2 is missing.
Article 4
Notification of the receipt of the reply file
1 – The software shall notify the provider that the reply file was successfully received and stored.
2 - Upon receipt of the notification referred in the preceding paragraph, the provider may remove from his system the copy of the file sent, without prejudice to data storage and preservation obligations in accordance with Law no. 32/2008, of 17 July.
Article 4-A
Data forwarding by the judge
1 - After receiving the request, the judge must decrypt it and make it available to the competent judge or agent, where possible by electronic means.
2 - Data made available pursuant to the preceding paragraph shall be used by judicial authorities or other competent authorities, specifically in the scope of the investigation, detection and prosecution of serious crime, and may be converted or processed, in compliance with leges artis, under suitable conditions for their intended purposes.
Article 5
Security of the information
1 - In the interests of security of data contained in the electronic communication referred to in article 1, the following measures must be adopted:
a) Encryption of all electronic communications performed pursuant hereto;
b) Encryption of the reply file, pursuant to paragraph 3 c) of article 3, ensuring that the data on that file may only be viewed electronically through the SAPDOC;
c) The judge order authorizing the data transmission and the reply file of the provider must both bear an electronic signature, pursuant to paragraph 4 of article 2 and to paragraph 3 b) of article 3, in order to guarantee the integrity of these files;
d) Electronic record of data requests, with the indication of who sent the request and the time and date when it was sent;
e) Electronic record of all accesses to reply files, with the indication of who requested the access and the respective time and date;
f) Storage of reply files in separated folders according to each provider, which must be provided with security mechanisms to avoid the interconnection of data;
g) Security audits to SAPDOC;
h) Further measures provided for in Law no. 67/98, of 26 October, and Law no. 32/2008, of 17 July.
2 - The judge shall access SAPDOC by introducing the respective user name and password.
3 - Provisions in the preceding paragraphs shall be without prejudice to the submission, conversion and processing of data for the purposes for which they were transmitted in other electronic forms, insofar as the submission, conversion and processing is carried out under the supervision of the competent judicial authorities, or any other competent authorities.
Article 5-A
Harmonization of different storage periods of time
Taking into account that the same datum may be stored for different periods of time according to the applicable legal standards, communication operators shall ensure that:
a) Where legal timescales differ, data are stored for the longest timescale and transmitted whenever requested;
b) Where there is a judicial order for data preservation for a specific period of time, data are transmitted whenever requested;
c) Data are not transmitted where legal or judicial storage timescales have expired.
Article 6
Electronic submission of other requests
1 - The SAPDOC shall be used to submit electronically requests provided for in paragraph 2 of article 1, made by the court or any other competent agent under the law in the scope of criminal proceedings or of criminal investigations or inquiries.
2 - To the processing of requests referred to in the preceding paragraph shall apply rules herein duly adapted, namely:
a) The request shall be made directly by the legally competent interested party;
b) The SAPDOC shall make available for this purpose a form adapted to the request matter and to the requesting party;
c) Where data requested concern only the identification or location of the suspect, defendant or any other party in the proceedings, security measures regarding the communication of such data shall be those which result from applying the specific functions of the Justice Network and secure web services.
Article 6-A
Trial period
1 – The use of SAPDOC is optional during the respective trial period, which shall start on the date this Administrative Rule takes effect and which shall end progressively, according to how the system functions are made available to users, and when determined by joint order of the members of the Government responsible for the internal administration and justice areas.
2 – In the course of the trial period, requests for data and replies from providers which are not submitted through the software, shall be carried out in the traditional way, reply files, prepared pursuant to paragraph 3 a) and b) of article 3 hereof, being submitted in CD-ROM, DVD-ROM or any other digital means.
Article 7
Entry into force
This Administrative Rule shall take effect on the day following that of its publication.
