UPDATED: May 2017 | SOURCE: Vodafone with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
According to Article 19(1) of the Greek Constitution, the confidentiality of communications is absolutely inviolable; however, there are conditions under which a judicial authority is not bound by such confidentiality, where national security or particularly serious crimes are involved.
Law 2225/1994 was adopted on the basis of Article 19(1) of the Greek Constitution and sets out the procedure that judicial or other public authorities should follow when requesting the withdrawal of confidentiality. An application for the withdrawal of confidentiality (which would allow for the interception of individual customer communications) can only be made for reasons of national security (Article 3) or for the purposes of identifying certain criminal offences (Article 4). Withdrawal of confidentiality is also permitted in order to investigate the crimes listed in Article 253A and 253B of the Hellenic Criminal Procedure Code.
For the withdrawal of confidentiality, an order is issued by the competent judicial authority on the basis of Article 5 of Law 2225/1994. The order includes information on the public authority, public prosecutor or investigator requesting the withdrawal, the purpose of the withdrawal, the means of communication which form the object of the withdrawal and, in the case of criminal offences being investigated, the name of the person against whom the withdrawal is directed as well as his or her residential address. The excerpt of the order, containing its operative part, is delivered to the Chairman, Board of Directors, General Manager or representative of the company concerned (Article 5(4) of Law 2225/1994).
According to Article 6(1) of Presidential Decree 47/2005 (issued in order to provide the procedure for the withdrawal of confidentiality as this is stipulated by Law 2225/1994), when a competent authority seeks the execution of an order, a service provider, having the technical equipment and software available, is obliged to activate the equipment and software required for the withdrawal of confidentiality within three hours from notification of the order, regardless of the time when the order was actually served and, in cases of urgency, which have to be specifically mentioned, as early as possible. Article 7(2) of Presidential Decree 47/2005 specifies that the execution of an order for the withdrawal of confidentiality is performed by the competent authority in cooperation with the service provider.
In addition, the Hellenic Authority for Communications Security and Privacy (ADAE) was formed as a result of Article 1 of Law 3115/2003 and has issued guidelines on the measures that service providers, such as Vodafone, should have in place in order to ensure that confidentiality is protected during the real-time interception of communications (ADAE Decisions 52/2009 and 53/2009).
Following the execution of an order, one or more reports are prepared by the service that was involved in the withdrawal of confidentiality and these are submitted to the judicial authority that issued the order as well as to ADAE and the applicant authority (Article 5(5) of Law 2225/1994). Confidentiality cannot be withdrawn for a period of time that exceeds two months unless extensions are granted by the competent judicial authorities. However, extensions of the initial time of two months cannot exceed the time limit of two months per case and, in total, may not exceed a period of 10 months. Such restriction does not apply in cases where the withdrawal of confidentiality is ordered for reasons of national security (Article 5(6) of Law 2225/1994). The judicial authority that ordered the withdrawal of confidentiality may order its removal even before the expiry of the time set, if the purpose of the measure has been fulfilled or the reasons for its implementation no longer exist (Article 5(8) of Law 2225/1994).
Disclosure of Communications Data
Article 4 of Presidential Decree 47/2005 lists the specific communications data that a service provider may be required to disclose and this includes the content of customer communications and metadata, depending on the type of communication involved.
Law 3917/2011 (Article 1.1) states that the providers of publicly available electronic communications services or of public communications networks are obliged to retain certain data which are produced or processed by them, so that this data may be made available to the competent authorities for the identification of particularly serious criminal offences, as these are defined in Article 4 of Law 2225/1994. The law applies to traffic and location data on both legal entities and natural persons, and to the related data necessary to identify the subscriber or registered user. It does not apply to the content of electronic communications. According to Article 8(1) of Law 3917/2011, disclosure of communication data is performed according to the provisions of Law 2225/1994.
National Security and Emergency Powers
In the event of war, mobilisation due to external threats or an immediate threat to national security, or an armed coup to overturn democracy, under Article 48 of the Greek Constitution, the Greek Parliament has the power, following the government’s recommendation, to implement special measures. It is possible that such measures could include direct access to a service provider’s network to enable interception, although this is not expressly mentioned. The validity of these measures is limited to a period of 15 days; however, this term may be extended fortnightly by separate decisions of the Greek Parliament.
The decision of the Greek Parliament to adopt special measures in this situation is taken in one sitting by a three-fifths majority of the total number of members. In deciding to extend their duration, a majority of members must vote in favour in one sitting.
Oversight of the Use of Powers
Following the execution of an order, one or more reports are prepared by the service that was involved in the withdrawal of confidentiality and these are submitted to the judicial authority that issued the order, as well as to ADAE and the applicant authority (see Article 5(5) of Law 2225/1994).
Confidentiality cannot be withdrawn for a period of time that exceeds two months, unless extensions are granted by the competent judicial authorities. However, such extensions may not exceed, in total, a period of 10 months. Such restriction does not apply in cases where the withdrawal of confidentiality is ordered for reasons of national security. The judicial authority that ordered the withdrawal of confidentiality may order its removal even before expiry of the time set if the purpose of the measure has been fulfilled or the reasons for its implementation no longer exist.
SHUT-DOWN OF NETWORK AND SERVICES
Although the power to shut down a network is not expressly provided for, Article 3(a) of Law 4070/2012 states that restrictions may be imposed on the operation of a network for the purposes of safeguarding public order, security and health.
Under Article 20(9)(c) the Minister of Infrastructure, Transport and Networks, upon the recommendation of the Hellenic Telecommunications & Post Commission (EETT), can prohibit the provision of any electronic communications service within a specific radio spectrum range, provided this is sufficiently justified by the need to ensure safety of life. Exceptionally, the Minister may extend these measures to fulfil other objectives in the public interest.
EETT has the authority to revoke or suspend a service provider’s operating licence in Greece (known as a ‘General Licence’) where serious or repeating breaches of the telecoms law have been committed, pursuant to Article 77 of Law 4070/2012.
Regulation on the Use and Assignment of Rights for the Use of Radio Spectrum
Article 14(2) of EETT’s Regulation on the Use and Assignment of Rights for the Use of Radio Spectrum states that an entity’s right to use radio spectrum may be suspended where this is in the public interest.
BLOCKING OF URLS & IP ADDRESSES
Constitution of Greece
Article 5A(1) of the Greek Constitution states that all persons have the right to information (and to participate in the internet ‘information society’), as such constitutional provision is specified by the relevant legislative provisions. Restrictions may be imposed by law only as far as they are absolutely necessary and justified for reasons of national security, combating crime or protecting the rights and interests of third parties. Facilitation of access to electronically transmitted information, as well as of the production, exchange and diffusion of it, constitute an obligation of the State, in compliance with Articles 9, 9A and 19 of the Constitution of Greece.
Presidential Decree 131/2003
Under Article 2(4) of Presidential Decree 131/2003 the State has the power to adopt restrictive measures with respect to information society services originating from other EU member states if these measures are necessary for reasons relating to public order (especially the protection of minors and the fight against incitement to hatred because of religion, nationality, etc), protection of public health, public security, national security and defence, as well as the protection of consumers and investors.
Article 4 of Presidential Decree 109/2010 states that the Greek National Council for Radio and Television may prohibit the retransmission, by any means, of television programmes originating from other EU member states which manifestly, seriously and gravely infringe the rules concerning the protection of minors and/or incite hatred on grounds of race, sex, religion or nationality, disability, age and sexual orientation.
Similarly, the Greek National Council for Radio and Television can take measures to restrict or prohibit the provision, by any technical means, of on-demand audiovisual media services from other EU member states, including for breach of the rules previously mentioned.
Law 4002/2011, Article 48(10) and Article 51(5)
In the gaming sector, pursuant to Law 4002/2011, internet service providers are prohibited from providing access, attempted by an IP address located in Greece, to websites of gaming operators who have not obtained a Greek licence, the details of which are included in a black list that is kept by the Hellenic Gaming Commission.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
Constitution of Greece
Under Article 48 of the Constitution of Greece, in the event of war, mobilisation due to external threats, an immediate threat to national security or an armed coup to overturn democracy, the Parliament has the power, following the government’s recommendation, to implement special measures. In this case, applicability of Article 19 of the Constitution of Greece, among others, may be suspended. Potentially, such measures could include taking control of Vodafone’s network, although this is not expressly mentioned. The validity of these measures is limited to a period of 15 days, although this term may be extended fortnightly by Parliament.
The decision of the Parliament to adopt special measures in a national emergency situation must be taken in one sitting by a three- fifths majority of the total number of its members. In deciding whether to extend the duration of those special measures, a majority of members of the Parliament must vote in favour of the extension in one sitting.
Oversight of the Use of Powers (Censorship-related)
Decisions taken by public authorities, such as EETT, are subject to judicial review by the competent administrative courts.
The measures adopted pursuant to Article 20(9)(c) of Law 4070/2012 are reviewed regularly and at least every two years, at which point the results of the review are published.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. Article 8(7) of Presidential Decree 47/2005 expressly provides that, during the execution of an order, a service provider who encrypts data should deliver or forward the requested data in decrypted form. According to Article 8(9) of Presidential Decree 47/2005, service and network providers are obliged to provide competent authorities with:
a. all interfaces from which requested communication data may be transferred to monitoring facilities;
b. communication content and data at the time communication is carried out;
c. information and assistance in order to be verified that communication data reaching the interface are identical to the target; and
d. assurances that the reliability of the interconnection system is at the same level as the one offered through provided services to subscribers and users.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
No explicit reference is made in statutory law to encryption applied by a third party; however, the following may apply:
Article 3(1) of Presidential Decree 47/2005 expressly states that the withdrawal of confidentiality refers to any type of communication which is being carried out either through a communications network or through a service provider and by a subscriber or user against whom the withdrawal of confidentiality is being ordered.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
There are no specific statutory rules applicable to end-to-end encryption in this type of scenario. However, as it results from the spirit of the law, service and network providers should always be in a position to cooperate with the authorities and provide the requested information.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimate to be circa 1990) has been applied to contemporary cases involving encryption.
There are no such legal precedents in Greece.