The shadow of mass surveillance: Italian Parliament to approve new rules for traffic data retention

Background

Back in July we talked about an Italian legislative proposal allowing the retention of traffic data for a period of 6 years.

On 5 October 2017, the Italian Senate started the debate concerning the approval of the European Law 2017 (the “Law”), i.e., the national law which annually implements the obligations deriving from Italian membership to the European Union (e.g., EU Directives). The Law was already adopted by the Italian Chamber of Deputies on 19 July and it is currently before the Italian Senate for its final approval.

Among other things, the Law will result in two significant changes in the Italian legal system: the first being the amendment of the rules on traffic data retention; the second being the introduction of web monitoring without prior judicial review.

Specifically, the former will increase the retention period of telephone traffic data, electronic communications traffic data and data related to unsuccessful calls (hereinafter, “traffic data”) up to six years with the view of detecting and suppressing serious criminal offences and fighting terrorism.

The latter will introduce new powers for the Italian Authority for Communications Guarantees (hereinafter, “AGCOM”) to ensure the respect and the protection of copyright on websites, forums and blogs.

Legislative framework and main issues

Among data protection experts, it is widely thought that the amendment concerning traffic data retention deserved a closer attention from the Italian Parliament. It was proposed during a session on the security of elevator lifts and integrated into the draft Law without involving the Italian Data Protection Authority (hereinafter, “Garante”). Following the publication of the draft Law, the President of the Garante expressed his concern about implications for citizens’ rights and impact on business.

The current limit established in Article 132 of the Italian Personal Data Protection Code provides a data retention period of twenty-four months for telephone traffic data, twelve months for electronic communications traffic data and thirty days for data related to unsuccessful calls.

Decree Law n. 7 approved on 18 February 2015, as further amended by Article 4-quater of Decree Law n. 210/2015, derogated from the ordinary rules and imposed the retention of all traffic data until 30 June 30 2017.

The Law at stake does not make any distinction between telephone traffic data, electronic communications traffic data and data related to unsuccessful calls and extends their retention period up to six years, derogating once again from the Article 132 of the Italian Personal Data Protection Code.

Practically speaking, Internet service providers cannot know in advance which traffic data may be the subject of investigation activities related to terrorism or other serious crimes and therefore they would have to store all generated traffic data.

Furthermore, a data retention period of six years for all traffic data will likely be considered incompatible with the principle of proportionality as stated in the European legislation and jurisprudence.

In the Digital Rights Ireland and Seitlinger and Others case of 2014, the Court of Justice of the European Union (“CJEU”) declared Directive 2006/24/EC (“Data Retention Directive”) invalid because it entailed a wide-ranging and particularly serious interference with the respect for private life and the protection of personal data without such interference being limited to what was strictly necessary. The principle of “necessity” was further expanded in the Watson case where the CJEU stated that a Member State is not prevented from “adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary. […] In order to satisfy such requirements, that national legislation must, first, lay down clear and precise rules governing the scope and application of such a data retention measure and imposing minimum safeguards, so that the persons whose data has been retained have sufficient guarantees of the effective protection of their personal data against the risk of misuse. That legislation must, in particular, indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that such a measure is limited to what is strictly necessary”.

Finally, the draft Law assigns AGCOM the significant power to adopt protective copyright measures on websites, blogs and forums by ordering the removal of illegal contents and deploying deep packet inspection of all internet traffic. This all may take place without the intervention of a judge. This direction seems to be widely endorsed by Italian administrative case law. In a recent statement (T.A.R. Lazio, no. 4101/2017), the Regional Administrative Court of Lazio confirmed the power of AGCOM and clarified that the administrative authority power complements, but does not replace the power of judicial authority.

Practical implications

The Law is still a draft and discussion in the Italian Senate is expected in the coming days. Should the Law come into force, the consequences on communications providers may prove to be very burdensome. Specifically, providers will have to consider:

1) updating their traffic data retention policies and procedures;

2) an increase of costs in terms of long-lasting storage services and related security measures;

3) alignment efforts will have to take place quickly and may nevertheless prove useless in the long term should be the Law be brought before the CJEU and declared invalid.

We will continue to observe the evolution of the draft Law.