9.5 Access to data
9.5.1 Introduction
Data retained as per § 2–8 a may be accessed in accordance with the procedure laid down in § 2-8 b. The provision clarifies that the confidentiality obligation set out in § 2–9 does not prevent the police and prosecuting authority from accessing the data. Furthermore, it lays down conditions concerning purpose, criminality, and necessity, and provides some safeguards.
9.5.2 Purpose, who may access the data, and personal scope
Pursuant to § 2–8 a, retained data may be disclosed to “the police or prosecuting authority” in a criminal investigation. As indicated in § 2-8 a, the investigation must concern “serious crime”, and the relevant offences are further specified in § 2-8 b as follows:
any offence with a statutory level of punishment of imprisonment of 3 years or more, or
the following offences with a lower level of punishment as set out in the Criminal Code: §§ 125, 168, 184, 201, 202, 204, 205, 251, 263, 266, 297, 298, 305, 306, or 309. In addition, the Copyright Act § 104 in conjunction with § 79.
The specification includes offences for which the internet is deemed to be a practical and sometimes necessary tool for committing them. Thus included are sexual offences against children, such as lascivious speech, grooming and solicitation of sexual services (§§ 297, 298, 305, 306 and 309), forcefully submitting a person to one’s own will, or use of threat (§§ 251, 263), breach of an official contact restraint order, etc. (§ 168), identity theft (§ 202), ruthlessness (§ 266), offences targeting computer and electronic communication systems (§§ 201, 204 and 205), neglectful exposure of state secrets (§ 125) and disturbance of the peace of another state (§ 184). Finally, the Copyright Act § 104 protects the right to one’s own photograph, that is, the right of an identifiable person in a photograph. Making such a photo public without consent from the identifiable person is punishable with a fine or imprisonment for a period not exceeding one year (§ 79).
The criminality condition for access to retained data is lower than the one applicable to secret collection of data related to electronic communication, as per strpl. § 216 b. For the latter, the condition is imprisonment for a maximum period of at least 5 years, instead of 3 years as set out for retained data. The difference may be explained in light of the measures’ difference in scope: strpl. § 216 b provides access to traffic and location data, including data related to internet communication, whereas NECA § 2-8 b is limited to internet access data.
9.5.3 The necessity condition
Providing access to IP-addresses etc. is deemed to interfere with the right to private communication. To be lawful, such interference must be “necessary” to the investigation of a serious crime, as per § 2–8 b. A concrete assessment of the necessity of the data for the purpose of the investigation must be made, and it is implied that the assessment also involves proportionality. The assessment must balance the needs of the investigation against the interests in protecting private communication. Concretely, the condition entails that the request put forward to the e-com provider must not ask for more data than needed for the purpose. Necessity does not imply that the data must be critical to the investigation, but it is not sufficient that the data would be “nice” to have. For instance, if a different yet more cumbersome option is available, the necessity condition might not be fulfilled. The assessment is highly contextual, as the right to private communication may weigh differently depending on the circumstances of the case.
The assessment is to be conclusively made by the police or public prosecutor. The provider receiving the request shall not review the assessment.
9.5.4 Formal conditions – safeguards
The request may be issued by the police or a public prosecutor. It shall be made in writing, stating what the investigation is about, the purpose of the request and the data necessary for that purpose. The request may go both ways, meaning that subscriber data may be disclosed based on data about the IP-address, and IP-addresses may be disclosed on the basis of subscriber data (historic list of IP-addresses allocated to a subscriber). This opens the possibility of using data collected in the investigation as a basis for a request to the provider, for instance to find out which IP-addresses a specific person used at a point in time relevant to the crime under investigation.
The request shall further confirm that the necessity assessment has been performed.
NECA § 2-8 b, fourth paragraph, emphasises that data that are stored “solely” pursuant to § 2–8 a may not be disclosed for purposes other than those already specified. Production orders issued pursuant to other provisions, e.g., in the Civil Procedural Code, the Copyright Act or other acts, may not compel disclosure of the data.
Retention of IP-addresses etc. is regarded as less intrusive than retention of traffic data, as the IP-addresses are not suitable for making profiles of subscribers’ internet habits. Hence there is no court review, and the procedure for gaining access is rather informal. However, the police and the prosecuting authority shall produce an annual report describing the collection of data (NECA § 2–8 b). The report shall be submitted to the National Authority for Electronic communication (Nkom).
9.5.5 Crime prevention
The preparatory works show that the legislator considered whether the police should have access to retained subscriber data related to internet access also for crime prevention. This is relevant, i.a., to intelligence activities in order to prevent and detect economic crime and serious crime, and to protect national security. It was concluded that the issue needed further deliberation. At present, the data may be used for the purpose of criminal investigation only.