Provision of Real-time Lawful Interception Assistance

CONSTITUTION OF MONTENEGRO (Official Gazette of Montenegro no.1/2007 and 38/2013, Ustav Crne Gore) (the “Constitution”)

Article 42 of the Constitution guarantees confidentiality of letters, telephone conversations and other means of communication and provides that derogation from this right is allowed only on the basis of a court decision if necessary in criminal proceedings or for the purposes of national security. These rights may only be limited by the law and pursuant to Article 24, for the purpose provided by the Constitution and to the extent necessary to satisfy the constitutional purpose of the limitation in question in an open and free democratic society.

ELECTRONIC COMMUNICATIONS ACT (Official Gazette of the Republic of Montenegro nos. 40/2013, 56/2013 and 2/2017, Zakon o elektronskim komunikacijama) (the “ECA”)

Article 172 paragraph 2 ECA prohibits interception which includes listening, eavesdropping or keeping data regarding communication and its interruption or monitoring by another person, without the consent of the user of such communication. Rarely, the acts defined in Article 172 paragraph 2 may be carried out if they are necessary, adequate and proportionate in the interests of national security, defence, the prevention of crime, the investigation of a crime, to reveal and prosecute criminal offenders or to combat the unauthorised use of a system for electronic communications, to find or rescue people or for the protection of lives and property pursuant to Article 172 paragraph 4.

In accordance with Article 172 paragraph 4 ECA, an operator is obliged to provide, upon the request of the competent government agency and at their own expense, necessary technical and organizational conditions to enable the interception of communication and to prove to the Agency for Electronic Communication (the “Agency”) that it had provided such conditions. An operator is also obliged under Article 180 to provide a permanent record of that measure, and to keep the collected data as an official secret in cooperation with the competent authority on whose request the interception is performed,.

The ECA does not impose an obligation on network operators and service providers to directly intercept individual customer communications, nor does it specify which government agencies are authorised to request such interception. The ECA also does not provide a maximum duration for an interception carried out. Interceptions are permitted under the Constitution for the purposes of conducting criminal proceedings or for the protection of national security. However, only the competent criminal court (whose order is implemented by the police) and the Agency for National Security (the “ANS”) are authorised to require such interception under the conditions stipulated in the ECA and the legislation concerning their activities. The maximum duration for each interception is regulated by the specific legislation applicable to the activities of the criminal courts and the ANS.

CRIMINAL PROCEDURE CODE (Official Gazette of Montenegro nos. 57/2009, 49/2010, 47/2014, 2/2015, 35/2015 and 58/2015, Zakonik o krivičnom postupku) (the “CPC”)

Under the CPC, the interception and surveillance of electronic communications is stated to be a secret surveillance measure available both at the pre-investigation stage and the investigation stage of criminal proceedings. Under Article 157, such measures may be ordered against a person suspected of committing or preparing certain categories of crimes if evidence of that crime cannot be collected in any other way, or if gathering of evidence by other means would cause disproportional risk or jeopardize lives. The relevant crimes for this purpose are those punishable by imprisonment of 10 years or more, organized crime, certain specifically listed crimes, such as money laundering and blackmail, cybercrime and bankruptcy crimes punishable with imprisonment of 8 years or more as per Article 158.

According to Article 157, interception may also be ordered against a person who is reasonably suspected of transferring messages to and from an individual suspected of committing one of the crimes outlined above, or whose phone or other means of communication has been used by a suspect. The order for such interception is issued by the competent criminal court upon the written request of the State Prosecutor for a maximum period of four months, with the possibility of an extension of up to 18 months as per Article 159. The court’s order must be accompanied with a separate order containing the phone number or email address of the suspect to be intercepted and the duration of the interception which will be implemented by the police, to whom the network operator or service providers shall provide all necessary assistance pursuant to Articles 159 and 160.

Exceptionally, if written approval cannot be issued in time and any delay would be detrimental to the investigation, interception may be commenced based on the oral approval of the investigation judge or the State Prosecutor. In this case, a written order for interception must be issued within 12 hours of obtaining oral approval as per Article 159. Under Article 159 and Article 160, network operators and service providers are obliged to enable the interception of communications by authorised police officers. If the State Prosecutor decides not to initiate criminal proceedings against the suspect, the collected materials must be delivered to the investigation judge for destruction under Article 160. Pursuant to Article 161, evidence collected by interception which was not ordered or performed in accordance with this procedure will be declared inadmissible and the competent court shall order their destruction.

THE AGENCY FOR NATIONAL SECURITY ACT (Official Gazette of Montenegro, nos. 28/2005, 86/2009, 73-2010, 20/2011 and 8/2015 Zakon o Agenciji za nacionalnu bezbjednost) (the “ANSA”)

The ANSA authorises the ANS to collect data by secret interception and surveillance of electronic communications if other investigation measures would not be expected to provide an adequate result or if it would cause disproportionate risk or threaten lives or health as per Articles 9 and 13.

Article 14 states that when there is a reasonable suspicion of a threat to national security, an interception may be ordered by the decision of the President of the Supreme Court of Montenegro, or in his/her absence the designated judge of that court.

Such interception is ordered for a period of three months and for serious reasons may be extended for additional three month periods. However under Article 15, the interception’s overall duration must not exceed 24 months. Article 15 also provides that network operators and service providers are obliged to enable and guarantee conditions necessary for such interception.

Disclosure of Communications Data

ELECTRONIC COMMUNICATIONS ACT (Official Gazette of Montenegro nos. 40/2013, 56/2013 and 2/2017, Zakon o elektronskim komunikacijama) (the “ECA”)

Network operators and service providers are obliged to retain certain data on traffic and location, as well as data relevant for the identification and registration of their customers. Such data may only be retained for the purposes of national security, defence, the prevention of crime, to investigate, reveal and prosecute criminal offenders or for the unauthorised use of a system for electronic communications. It may also be used pursuant to Article 181 to find or rescue people or for the protection of lives and property.

Under Article 181, network operators and service providers must also provide, at their own expense, necessary technical and organizational conditions which would enable competent government agencies to take over such data. This would oblige a network operator or service provider to decrypt encrypted data when required to do so by a court order.

According to Article 181 paragraph 5, the period of retention must not be shorter than six months nor longer than two years from the moment the communication occurred. Note however that government agencies may request access to the metadata retained by network operators and service providers. Network operators and service providers are obliged to keep annual records and statistics on data which have been delivered to government agencies and records on requests for the delivery of retained metadata which could not be executed under Article 181 paragraph 6.

According to Article 182, network operators and service providers are obliged to retain data on:

(a) tracing and identifying the source and destination of a communication;

(b) identifying the location of the parties to the communication;

(c) determining the date, time and duration of a communication;

(d) identifying the type of communication;

(e) identifying users’ terminal equipment; and

(f) identifying the location of the users’ mobile terminal equipment.

Under the provisions of Article 181 paragraph 3, network operators and service providers must not retain the content of customer communications. However, since Article 180 paragraph 2 allows interception of electronic communications on the basis of a court decision, if such a court decision contains an order for the retention of the content of electronic communications, the network operators and service providers would be obliged to act upon it.

Article 183 paragraph 1 further obliges network operators and service providers to ensure that the quality and level of protection of retained metadata is the same as the quality and level of protection of the data circulating on the network. In addition, operators should undertake adequate technical and organizational measures to prevent unlawful or accidental destruction, loss or modification of retained metadata and the unauthorised storage, processing, access or disclosure of the retained metadata. Access to the retained metadata should only be granted to those persons authorised by the network operator or service provider. Any metadata not accessed at the end of a prescribed period of retention must be destroyed.

CRIMINAL PROCEDURE CODE (Official Gazette of Montenegro nos. 57/2009, 49/2010, 47/2014, 2/2015, 35/2015 and 58/2015, Zakonik o krivičnom postupku) (the “CPC”)

Under the CPC, if there is a reasonable suspicion that a prosecutable offence has been committed by the registered owner or user of a telecommunication device, the police may, based on the order of the investigation judge, request from the operators of the telecommunication services verification of the identity, duration and frequency of communication with certain electronic communication addresses, the location of the person who is being communicated, as well as the identification of the device. The police may also identify via technical devices the international identification number of the user (IMSI number), the international mobile equipment identification number (IMEI number) and the location of telephones and other means of electronic communication. The police may also make such requests with respect to a person connected to the registered owner or user of a telecommunication device.

The order of the investigation judge must be accompanied with a separate order containing the phone number, email address, IMSI number, IMEI and IP address of the suspect.

Exceptionally, if written approval cannot be issued in time and any delay would be detrimental to the investigation, the collection of metadata may commence based on the oral approval of the investigation judge. In such a case, a written order for the interception must be issued within 24 hours of obtaining oral approval. If the State Prosecutor decides not to initiate criminal proceedings against the suspect, the collected materials must be delivered to the investigation judge for destruction. Metadata collected contrary to this procedure will be declared inadmissible under Article 257a and the competent court shall order its destruction.

POLICE ACT (Official Gazette of Montenegro nos. 44/2012, 36/2013 and 1/2015, Zakon o unutrašnjim poslovima) (the “PA”)

Under the PA, the police is authorized to collect personal and other data to the extent necessary for the performance of their activities aimed at the prevention and suppression of crimes and protection of public order under Article 37 PA. State bodies, local authorities and legal entities are obliged to enable inspection and to deliver it at the request of the police data from their records.

A request made by the police to collect such data must contain the following:

(a) the legal grounds for the collection of the data;

(b) the details of the requested data;

(c) the purpose for which the data is requested;

(d) sufficient information necessary for determining the identity of the person to whom the requested data is related to; and

(e) a warning that it is a criminal offence to reveal to any third party the content of the request or what data is provided under it.

The police may also electronically inspect the records kept by legal entities if the entity has the technical arrangements to allow electronic inspection.

Note however under Article 39, if the data is requested:

(a) for the purpose of commencing or continuing a criminal investigation – the police is not obliged to state in the written request why the criminal investigation is starting or continuing; and

(a) based on a court order or state prosecutor`s order – the police do not have an obligation to explain why the data is being requested.

THE AGENCY FOR NATIONAL SECURITY ACT (Official Gazette of Montenegro, nos. 28/2005, 86/2009, 73/2010, 20/2011 and 8/2015, Zakon o Agenciji za nacionalnu bezbjednost) (the “ANSA”)

On the basis of a court decision, the ANS is authorised to collect data by the secret interception and surveillance of electronic communications which encompasses the content of the electronic communication, communication data (data on traffic, unsuccessful attempts to establish the communication and data on location of a user of an electronic communication), if other investigation measures would not be expected to provide an adequate result or if they would cause a disproportionate risk or threaten people’s lives or health as per Articles 9 and 13. On the written request of the ANS, network operators and service providers are required pursuant to Article 8 to enable access to the data contained in their records and to keep all such requests a secret.

Moreover, according to Article 15, operators and service providers are obliged to enable and guarantee the conditions for performance of such surveillance.

National Security and Emergency Powers

DEFENCE ACT (Official Gazette of Montenegro, nos. 47/2007, 86/2009, 88/2009, 25/2010, 40/2011, 14/2012 and 2/2017, Zakon o odbrani) (“DA”)

In a “state of emergency”, defined as a natural disaster, a technology or environmental disaster, an epidemic, a danger to the public security or a threat to the constitutional order according to Article 5 paragraph 1, subparagraph 6 or a “state of war”, defined as the state of imminent war, danger or military attack on the territory of Montenegro under Article 5 paragraph 1, subparagraph 7, legal entities in the field of postal-telegraph-telephone traffic and other carriers of telecommunications systems must prioritise the delivery of the services as specified by the Ministry of Defence pursuant to Article 21 paragraph 1.

ELECTRONIC COMMUNICATIONS ACT (Official Gazette of Montenegro nos. 40/2013, 56/2013 and 2/2017, Zakon o elektronskim komunikacijama) (the “ECA”)

Paragraphs 1 and 3 of Article 61 obliges network operators and service providers to prepare an action plan for the protection of the integrity of electronic communications networks and their usage in a state of emergency or war and to submit this plan to the Ministry of Information Society and Telecommunications, the Agency for Electronic Communications, any other competent state bodies in charge of defence and security and the administrative body in charge of inspection control.

In cases of emergency, network operators and service providers are obliged to make available their electronic communications networks to the competent state bodies as per Article 61 paragraph 4, and to provide prioritised communication between certain terminal points which are defined by the government. For the purpose of enabling such prioritised communication, the government may order a network operator or service provider to temporarily disable its other network connections or to undertake other measures, if it deems it necessary pursuant to Article 62.

CONSTITUTION OF MONTENEGRO (Official Gazette of Montenegro no.1/2007 and 78/2013, Ustav Crne Gore) (the “Constitution”)

Article 25 provides that in a state of emergency or a state of war, the Constitution allows the introduction of measures which derogate from the overarching principle of confidentiality of letters, telephone conversations and other means of communication and the protection of personal data. Consequently, in such instances government agencies may request access to customer communications data and/or their networks held by the network operators and service providers, without following the usual procedure of presenting a court decision authorising the interception or access to retained data. According to Article 132 and 133, a state of war or emergency is proclaimed by the Parliament or by the Council for the Security and Defence if the Parliament is not in position to convene.

Oversight of the Use of Powers

JUDICIAL OVERSIGHT

Since the CPC and ANSA provide that interception of electronic communications is allowed on the basis of a court order, each interception is overseen by the competent criminal court which ordered the interception and which monitors its enforcement as per Article 180 paragraph 2 ECA; Article 159 paragraphs 1 and 5 and Article 160 CPC; and Articles 14 and 15 ANSA.

ELECTRONIC COMMUNICATIONS ACT (Official Gazette of Montenegro nos. 40/2013, 56/2013 and 2/2017, Zakon o elektronskim komunikacijama) (the “ECA”)

Although the ECA does not explicitly deal with the oversight of the interception procedure, it does contain provisions concerning the general oversight of network operators and service providers operations conferred to the Agency for Electronic Communications (the “Agency”) and to the administrative state body for inspection tasks as per Articles 184 and 185. According to Article 189, paragraph 1, subparagraph 6, the Agency monitors the security of an operator’s or a service provider’s electronic communications network and service and their compliance with the provisions relating to the confidentiality of communications. The Agency under Article 189 paragraph 3 is authorised to order a network operator or service provider to undertake, within a reasonable deadline, measures necessary for adjusting their activities to ensure they are in line with the statutory requirements to keep communications confidential.

Article 180 paragraph 1 obliges network operators and service providers to inform the Agency regarding conditions that network operators and service providers secure technical and organizational capabilities which enable the interception of electronic communications. The Agency, pursuant to Articles 188 and 189, monitors the work of network operators and service providers and is authorised to request a network operator or service provider to correct any irregularity in its technical and organizational settings.

According to Article 183 paragraph 2, control over the measures taken by network operators and service providers for the purpose of ensuring security of retained metadata is performed by the Agency for Personal Data Protection (the “Agency for PDP”). The Agency for PDP is authorised to request information from network operators, service providers and government agencies performing an interception relating to the collection and protection of personal data of customers. If data is not processed in accordance with the law, the Agency for PDP may order one of the following measures: the rectification of irregularities within a specified period of time; a temporary ban on any data processing carried out contrary to the provisions of the law; and the deletion of personal data collected without proper legal grounds (Article 71 Personal Data Protection Act (Official Gazette of Montenegro nos. 79/2008, 70/2009, & 44/2012, Zakon o zaštitu podataka o ličnosti).

POLICE ACT (Official Gazette of Montenegro nos. 44/2012, 36/2013 and 1/2015, Zakon o unutrašnjim poslovima) (the “PA”)

According to Articles 114, 115 and 119 PA, police activities are generally supervised by a special department of the Ministry of Police for Internal Control, which monitors the legality of police work, especially with regards to the respect and protection of human rights in the performance of police tasks and applying police powers. The Ministry of Police for Internal Control delivers its reports to the Minister of Police and the government at least once a year.

According to Article 112 and 113, police activities are also generally monitored by the Council for Civil Control, a special body comprised of members of the Bar Association, Doctors Association, Lawyers Association, University of Montenegro and nongovernmental human rights organizations, which evaluates police work and provides recommendations for improving their activities to the Minister of Police.

THE AGENCY FOR NATIONAL SECURITY ACT (Official Gazette of Montenegro, nos. 28/2005, 86/2009, 20/2011 and 8/2015 Zakon o Agenciji za nacionalnu bezbjednost) (the “ANSA”)

Pursuant to Article 40, the work of the ANS is monitored by the Chief Inspector appointed by the Government (the role of which is outlined above – internal control)). Political supervision over the work of the police and the ANS is conferred to Parliament as per Article 110 and 111 PA and Article 43 ANSA.

LAW ON CONSTITUTIONAL COURT OF MONTENEGRO (Official Gazette of Montenegro, no. 12/2015, Zakon o ustavnom sudu Crne Gore)

Network operators and service providers may also file a constitutional appeal against an individual decision of a government agency which violates the constitutional guarantees, when other legal remedies, such as complaints or appeal procedures with the relevant agency or court have been exhausted or are not prescribed or where the right to their judicial protection has been excluded by law (under Article 68 in connection to Articles 48 and 49.

CONSTITUTION OF MONTENEGRO (Official Gazette of Montenegro no.1/2007 and 38/2013, Ustav Crne Gore) (the “Constitution”)

According to Articles 132 and 133, all measures which would provide for derogation from confidentiality of letters, telephone conversations and other means of communication and protection of personal data, which would be adopted by the Council for the Security and Defence, must be ratified by the Parliament when in a position to convene.

Furthermore, under Article 149, the Constitutional Court of Montenegro, which is authorised to assess constitutionality and legality of laws and other general acts, may find that a measure of derogation introduced during a state of war or a state of emergency is unconstitutional.

Censorship-related Powers

ENFORCEMENT AND SECURITY ACT (Official Gazette of Montenegro, no. 36/2011, 28/2014 and 20/2015 Zakon o izvršenju i obezbeđenju) (“ESA”)

Although there is no specific provision which explicitly regulates censorship or the blocking of IP addresses, network operators and service providers would be obliged to censor customer communications pursuant to the ESA, if such an order were given by a competent court in the form of an interim measure or in the form of a final court decision.

Publication of Laws and Aggregate Data

There is no law prohibiting the publication of any of the laws mentioned in this report or any description of the powers set out in those laws.

ELECTRONIC COMMUNICATIONS ACT (Official Gazette of the Republic of Montenegro nos. 40/2013, 56/2013 and 2/2017, Zakon o elektronskim komunikacijama) (the “ECA”) and

Under Article 30 paragraph 1 ECA, network operators and service providers must deliver to the Agency for Electronic Communications all available data concerning the development of the electronic communications network or the services provided, with the exception of data relating to intercepted communications and disclosure of metadata. Furthermore, Article 180 paragraph 3 ECA requires network operators and service providers to make a permanent record of all interceptions in collaboration with the government agency that requested the interception. These records must be kept secret.

This indicates that the records of interception activities and requests for provision of metadata by the police and other government agencies (except for the Agency of National Security, see section 6.2 of this report below) may not be published by network operators or service providers. However, there is no law to prevent the publication of aggregate data (i.e. the number) relating to these requests.

THE AGENCY FOR NATIONAL SECURITY ACT (Official Gazette of Montenegro, nos. 28/2005, 86/2009, 20/2011 and 8/2015, Zakon o Agenciji za nacionalnu bezbjednost) (the “ANSA”)

Article 8 ANSA provides that network operators and service providers must keep secret all details relating to any requests received by the Agency of National Security. Aggregate data relating to these requests, therefore, may not be published.