UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells

Provision of Real-time Lawful Interception Assistance

ELECTRONIC COMMUNICATIONS ACT

Section 97(1) of Act No. 127/2005 Coll. on Electronic Communications (the Electronic Communications Act) states that a network provider is obliged on request to set up and secure an interface to enable the following authorities to carry out surveillance and recording of end telecommunication devices:

a. the Police of the Czech Republic for the purposes set out in Section 88 of the Act No. 141/1961 Coll., the Criminal Procedure Code (the Criminal Procedure Code);

b. the Security Information Service (Bezpečnostní informační služba) for the purposes set out in Sections 6–8a of the Act No. 154/1994 Coll., on the Security Information Service (the Security Information Service Act); and

c. the Military Intelligence (Vojenské zpravodajství) for the purposes set out in Sections 9–10 of the Act No. 289/2005 Coll., on Military Intelligence (the Military Intelligence Act).

There is no obligation imposed on the providers to directly intercept the communications.

If the request is made by the Police of the Czech Republic, it must include the file number under which the subject’s consent to surveillance is administered (if applicable).

The technical requirements for connecting with end telecommunication devices are prescribed by the Decree No. 336/2005 Coll. (the Information Decree). This sets out the form and extent of information provided from the database of the publicly available telephone service subscribers and on the technical and operating conditions, and connection points, of the message interception and recording terminal equipment.

POLICE OF THE CZECH REPUBLIC

Under Section 88 of the Criminal Procedure Code, the Police of the Czech Republic may only conduct surveillance and recording on the basis of an order for the surveillance and recording of a telecommunication operation. This order is issued by the competent chairman of the senate or a judge provided that the following conditions are met:

a. a criminal proceeding is underway for one of the crimes listed in the Criminal Procedure Code;

b. it can be reasonably presumed that the surveillance and recording will obtain important facts for the criminal proceedings; and

c. this aim cannot be achieved by different means, or would be substantially more difficult to achieve by different means.

The above order (which is a special type of judicial decision) must be issued by:

i. the chairman of the senate of the competent court; or

ii. the judge of the competent court within the preparatory proceedings, on the basis of a motion from the state prosecutor.

For certain crimes listed in the Criminal Procedure Code, surveillance and recording can be conducted without such an order, provided that the user of the respective device consents to the surveillance.

SECURITY INFORMATION SERVICE

The authorisation of the Security Information Service to request that an interface be set up and/or secured is regulated by Section 8a of the Security Information Service Act.

Under Section 9(1) of the Security Information Service Act, the Security Information Service may only conduct surveillance and recording:

i. with the prior written approval of the chairman of the senate of the competent high court; and

ii. provided that the discovery or documentation of activities by any other means would be ineffective, substantially difficult or impossible.

MILITARY INTELLIGENCE

The authorisation of Military Intelligence to request that an interface be set up and/or secured is regulated by Section 9(5) of the Military Intelligence Act.

Under Section 9(1) of the Military Intelligence Act, the Military Intelligence may only conduct surveillance and recording:

i. with the prior written approval of the chairman of the senate of the competent high court; and

ii. provided that the discovery or documentation of activities by any other means would be ineffective, substantially difficult or impossible.

Disclosure of Communications Data

ELECTRONIC COMMUNICATIONS ACT

Under Section 97(3) of the Electronic Communications Act, a legal entity providing a public communications network or a publicly available electronic communications service (such as Vodafone) is obliged to store traffic and location data for a period of six months and is obliged to disclose such data (including metadata) to the following authorities on request:

a. the police bodies taking part in criminal proceedings, for the purposes and under the conditions prescribed by Section 88a of the Criminal Procedure Code;

b. the Police of the Czech Republic for the purposes listed in the Electronic Communications Act (such as preventing terrorism) and under the conditions prescribed by Section 66(3) of the Act No. 273/2008 Coll., on the Police of the Czech Republic (the Police Act);

c. the Security Information Service for the purposes and under the conditions prescribed by Section 8a of the Security Information Service Act;

d. the Military Intelligence for the purposes and under the conditions prescribed by Section 9 of the Military Intelligence Act; and

e. the Czech National Bank for the purposes and under the conditions prescribed by Section 8 of the Act No. 15/1998 Coll., on Supervision over the Capital Market (the Supervision Act).

The traffic and location data (including metadata) shall be provided to the authorities listed above in the manner described in particular by Section 3 of the Decree No. 357/2012 Coll., on the preservation, transfer and deletion of traffic and location data.

POLICE TAKING PART IN CRIMINAL PROCEEDINGS

Under Section 88a of the Criminal Procedure Code, the police bodies (as defined in Section 12 of the Criminal Procedure Code) may only request traffic and location data on the basis of an order for the provision of such data. This order is issued by the competent chairman of the senate or a judge provided that the following conditions are met:

a. a criminal proceeding is underway for one of the crimes listed in the Criminal Procedure Code; and

b. this aim cannot be achieved by different means, or would be substantially more difficult to achieve by different means.

The above order (which is a special type of judicial decision) must be issued by:

i. the chairman of the senate of the competent court; or

ii. the judge of the competent court within the preparatory proceedings, on the basis of a motion from the state prosecutor.

The traffic and location data can be requested without such an order, provided that the user of the respective device consents to the provision of the data.

POLICE OF THE CZECH REPUBLIC

In relation to the form and extent of the data, Section 66(3) of the Police Act refers to Section 97 of the Electronic Communications Act.

SECURITY INFORMATION SERVICE

In relation to the form and extent of the data, Section 8a of the Security Information Service Act refers to Section 97 of the Electronic Communications Act.

MILITARY INTELLIGENCE

In relation to the form and extent of the data, Section 9 of the Military Intelligence Act refers to Section 97 of the Electronic Communications Act.

CZECH NATIONAL BANK

In relation to the form and extent of the data which the Czech National Bank may demand, Section 8(1d) of the Supervision Act refers to Section 97 of the Electronic Communications Act and prescribes further conditions for the request of the traffic and location data, including the prior written approval of the chairman of the senate of the competent high court.

The government and law enforcement agencies in the Czech Republic do not appear to have any specific intercept powers in order to compel Vodafone to disclose the content of stored communications.

National Security and Emergency Powers

ELECTRONIC COMMUNICATIONS ACT

Under Section 97(5) of the Electronic Communications Act, a provider of a publicly available telephone service is obliged to provide the Police of the Czech Republic and the General Inspection of the Security Forces on request with information from its database of participants, to the extent and in the form prescribed by the Information Decree.

Under Section 99 of the Electronic Communications Act, a legal entity providing a public communications network or a publicly available electronic communications service (such as Vodafone) is entitled to provide priority access to the network for emergency communication participants (ie Ministries and other authorities) on the basis of a request from the Ministry of the Interior. The provider is entitled to restrict or interrupt the provision of publicly available telephone services for this purpose. The provider is obliged to inform the Czech Telecommunication Office of the restriction or interruption. The restriction or interruption must not last any longer than necessary, and access to emergency numbers must be maintained.

POLICE ACT

The authorisation of the Police of the Czech Republic and the General Inspection of the Security Forces is regulated by Section 35(3) of the Act No. 341/2011 Coll., on the General Inspection of the Security Forces and Section 66(2) of the Police Act.

Moreover, under Section 39(1) of the Police Act, the police force has the right to interfere with the operation of electronic communication devices, the network and the provision of electronic communications services in the event of a threat to human lives, health or property with a value exceeding CZK 5 million. This typically includes situations where there is a threat of terrorism.

The police are obliged to inform the integrated rescue system information point, the Czech Telecommunication Office, and as necessary, the operator (provided that informing the operator will not jeopardise the police force’s fulfilment of its duties).

ACT NO. 222/1999

Finally, Act No. 222/1999 Coll., on Securing the Defence of the Czech Republic, imposes further duties on legal entities and natural persons which can be requested by the Ministry of Defence and other authorities in order to ensure national security. However, this Act does not regulate any specific duties of communication service providers.

The request is routed through the competent contact points of the Police of the Czech Republic.

ACT NO. 239/2000

Moreover, under Section 18 of the Act No. 239/2000 Coll., on the Integrated Rescue System, providers of communication services are obliged to cooperate with the Ministry of the Interior on the preparation and resolution of emergency communications and European unified emergency numbers.

CRISIS MANAGEMENT ACT

The Act No. 240/2000 Coll., on Crisis Management (the Crisis Management Act) imposes further duties on legal entities and people conducting business in case of emergency. In particular, these subjects are obliged to cooperate on request in the preparation of the emergency plan (ie a plan which includes a list of emergency measures and procedures for emergency situations) and fulfil the duties prescribed in it. Moreover, legal entities and people can also be required to perform duties above and beyond the duties prescribed by the emergency plan. The Crisis Management Act does not regulate any specific duties of communication service providers.

A legal entity providing a public communications network or a publicly available electronic communication service has a statutory obligation to provide the above assistance.

Oversight of the Use of Powers

CRIMINAL PROCEDURE CODE

Under Section 88(3) of the Criminal Procedure Code, the police bodies must continuously evaluate whether the issuance of a surveillance and recording order is still justified. If the grounds no longer exist, the police bodies are obliged to immediately cease surveillance and recording, and notify the chairman of the senate or the competent judge who issued the order. Moreover, the state prosecutor may supervise the activities of the Police of the Czech Republic (including surveillance and recording).

SECURITY INFORMATION SERVICE ACT

Under Section 11 of the Security Information Service Act, the competent judge is authorised to request information from the Security Information Service for the purpose of considering whether the use of surveillance and recording is still justified. The judge will cancel the approval if he or she concludes that this is not the case.

MILITARY INTELLIGENCE ACT

Under Section 11 of the Military Intelligence Act, the competent judge is authorised to request information from the Military Intelligence for the purpose of considering whether the use of surveillance and recording is still justified. The judge will cancel the approval if he or she concludes that this is not the case.

In addition, the activities of all of the authorities listed in this report are supervised by special supervision bodies comprising members of the Chamber of Deputies.

Censorship-related Powers

SHUT-DOWN OF NETWORK AND SERVICES

Crisis Management Act

Under present law there are no specific regulations which would enable the Czech government to shut down Vodafone’s network or services. Theoretically, any provider’s network could be shut down in response to a crisis under the general principles of Act No. 240/2000 Coll. on Crisis Management, but this is considered highly unlikely.

Act on Cyber Security

Under Act No. 181/2014 Coll. on Cyber Security, which became valid on 1 January 2015, the Czech National Security Authority (‘NSA’) is entitled to issue decisions on reactive measures to address cyber security incidents or secure information systems or networks and electronic communication services from cyber security incidents. The Act on Cyber Security provides the NSA with wide-ranging authority and it may impose an obligation on Vodafone to shut down its network as necessary.

BLOCKING OF URLS & IP ADDRESSES

Criminal Procedure Code

Vodafone could be asked to block specific IP addresses or ranges of IP addresses under Section 8(1) of the Criminal Procedure Code. Under Section 8(1) all legal entities are generally obliged to assist the police in tackling criminal matters. The police may therefore request an internet service provider (such as Vodafone) to block websites featuring illegal content. However, in practice, the police do not request this type of assistance from internet service providers.

Act on Cyber Security

Under Act No. 181/2014 Coll. on Cyber Security, the NSA is entitled, inter alia, to impose an obligation on Vodafone to block URLs and/or IP addresses if reacting to a cyber-security incident.

POWER TO TAKE CONTROL OF VODAFONE’S NETWORK

The government does not have legal authority to take control of Vodafone’s network.

Oversight of the Use of Powers (Censorship-related)

CRISIS MANAGEMENT ACT

There is no judicial oversight of the government’s powers under the Crisis Management Act.

ACT ON CYBER SECURITY

The Act on Cyber Security does not include any special regulation and therefore decisions of the NSA are subject to judicial review.

CRIMINAL PROCEDURE CODE

A police request to an internet service provider to block certain IP addresses may be reviewed by the state prosecutor. This can be at the state prosecutor’s request; at the request of the internet service provider subject to the order; or at the request of another party to the criminal proceedings.

Encryption and Law Enforcement Assistance

1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?

Yes. The relevant law is the Electronic Communications Act and the Information Decree, which are defined earlier in this chapter (see ‘Provision of Real-time Lawful Interception Assistance’).

Under Section 97 (6) of the Electronic Communications Act, if a legal entity providing a public communications network or a publicly available electronic communications service (hereinafter referred to as the ‘CSP’) implements encoding, compression, encryption or other technologies that make the transferred data unintelligible, it is obliged to ensure that the communication and related traffic and location data are intelligible at the end point for the access of the telecommunication devices of authorised authorities.

Moreover, Section 8 (4) of the Information Decree, on the form and extent of information provided from the database of the publicly available telephone service subscribers and on the technical and operating conditions, and connection points, of the message interception and recording terminal equipment (the ‘Information Decree’), stipulates that if a part of the network or service is encrypted or encoded by the CSP, the content of the messages shall be provided from the part of the network or service where there is no such modification.

If the whole network or service is provably encrypted or encoded and the CSP provably does not hold the encryption key, the content of the messages shall be provided in the available form. Therefore, if the telecommunications operator as a CSP holds the encryption key (ie when the communication is encrypted by the CSP), it may be required by the authorities to decrypt the communication data.

The Electronic Communications Act applies to both ‘business as usual’ communication services (where the communication routes over the network as a data packet) and ‘over the top’ communication services (where the delivery of the communication is made via Internet Protocol (IP) over the network), provided that the ‘over the top’ services are publicly available, ie that no user is excluded from using it beforehand.

2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?

No. As already stated above, Section 8 (4) of the Information Decree stipulates that if the whole network or service is encrypted or encoded and the CSP provably does not hold the encryption key, the content of the messages shall be provided in the available form.

Therefore, the telecommunications operator as a CSP can be forced to decrypt communication data only if it holds the encryption key to do so. There is no obligation for the CSP to employ any other decrypting technologies other than the encryption key in order to decrypt the communication.

The statutory law on law enforcement does not contain any provisions dealing with encryption. With regard to the form in which the communication data should be disclosed, it refers to the Electronic Communications Act. There is no relevant case law relating to the interpretation of these provisions.

The Electronic Communications Act applies to both ‘business as usual’ communication services (where the communication routes over the network as a data packet) and ‘over the top’ communication services (where the delivery of the communication is made via Internet Protocol (IP) over the network) provided that the ‘over the top’ services are publicly available, ie that no user is excluded from using it beforehand.

3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?

Under Section 97 (6) of the Electronic Communications Act, if a CSP implements encoding, compression, encryption or other technologies that make the transferred data unintelligible, it is obliged to ensure that the communication and related traffic and location data are intelligible at the end point for the access of the telecommunication devices of authorised authorities.

If a CSP fails to comply with this provision, it commits an administrative offence and faces relevant charges as set out under Section 118 of the Electronic Communications Act.

Should a CSP offer end-to-end encryption, it could not comply with its duties to ensure the intelligibility of the communication and related traffic and location data. Therefore, this is not an option.

The Electronic Communications Act applies to both ‘business as usual’ communication services (where the communication routes over the network as a data packet) and ‘over the top’ communication services (where the delivery of the communication is made via Internet Protocol (IP) over the network) provided that the ‘over the top’ services are publicly available, ie that no user is excluded from using it beforehand.

The statutory law on law enforcement does not contain any provisions dealing with encryption. With regard to the form in which the communication data should be disclosed, it refers to the Electronic Communications Act. There is no relevant case law relating to the interpretation of these provisions.

4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.

No such legislation was used for these purposes in the Czech Republic.