UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
THE CONSTITUTION OF THE PORTUGUESE REPUBLIC
There are two instances in which the courts can authorise and demand the provision of real-time interception assistance:
1. According to Article 34.4 of the Constitution of the Portuguese Republic, interception of telephone communications is only expressly allowed in the context of criminal investigations which are not the responsibility of the government but of the Public Prosecutor jointly with a criminal judge; and
2. Articles 19, 134 and 138 of the Constitution, as well as Law No. 44/86 of 30 September (Legal Framework for the State of Siege and Emergency), permit the suspension of certain rights, liberties and guarantees by national bodies of sovereignty (including the government) in the event that a state of siege or emergency has been decreed by the President of the Republic and approved by the Portuguese Parliament. The state of siege or emergency decree shall expressly determine which rights, liberties and guarantees shall be suspended. In theory, this legal framework could enable the government to demand that a communications service provider assist in intercepting customer communications provided that it has been foreseen in the state of siege or emergency decree that the fundamental rights of Article 34 of the Constitution are suspended. Nevertheless, the government order should be communicated to a judge afterwards for validation.
Should interception of communications be carried out in any other context, this would be considered illegal, a breach of the Constitution and punishable as a crime.
PORTUGUESE CRIMINAL PROCEEDINGS CODE
For the interception of communications in the context of a criminal proceeding, following the rules established in Articles 187–190 of the Portuguese Criminal Proceedings Code, interception may only be authorised in cases of suspicion of crime and after criminal proceedings are opened.
The interception may only be authorised by a judge if the crime under investigation is, for example, one of the following:
i. crimes punishable with imprisonment for which the maximum limit is not less than three years;
iii. possession of prohibited weapons and weapon trafficking;
v. crimes which consist of offending, threatening and disturbing privacy and carried out by telephone;
vi. terrorism; or
vii. organised crime.
To perform communications interceptions an authorisation from a judge is always required. Only the Public Prosecutor (who is in charge of the investigation) may decide to request authorisation from the judge for the interception.
Law No. 9/2007 of 19 February, which sets out the legal framework for the Portuguese Information Security System (Sistema de Informações/SIS) and for the Portuguese Services for Strategic Defence (SIED), and also sets out the purposes and attributions of the bodies responsible for managing information, security and national strategic defence in Portugal, does not grant powers of interception, encryption/decryption, direct access to communications or the possibility of requesting such access being granted by electronic communications service providers. Such access is only possible under the terms of the Portuguese Criminal Proceedings Code, in the context of a judicial procedure, as set out above.
LAW NO. 53/2008
Law No. 53/2008 of 29 August establishes the legal provisions applicable to homeland security in Portugal. This law states that access and control of communications may only be carried out following a judicial authorisation and performed solely by the police.
PORTUGUESE ELECTRONIC COMMUNICATIONS LAW
Under Article 27(o) of the Portuguese Electronic Communications Law (Law 5/2004 of 10 February) and the operating licences granted to communications service providers, the providers of electronic communications services and networks must provide, at their own expense, systems for legal interception by competent national authorities, as well as the means for decryption or decoding where these facilities are present.
Disclosure of Communications Data
Under Portuguese law, only ICP-ANACOM (National Regulatory Authority for the electronic communications sector) or Comissão Nacional de Protecção de Dados (National Data Protection Authority) can access or order the disclosure of metadata, and only within the scope of their powers to supervise, monitor and investigate (particularly in the case of a customer complaint) compliance with the laws and regulations applicable to the electronic communications sector and in respect of compliance with data protection and privacy laws.
ICP-ANACOM’s legal powers are defined in Law No. 5/2004 of 10 February (electronic communications law) and in Decree-Law No. 309/2001 of 7 December (ANACOM Statute). The legal powers of the Comissão Nacional de Protecção de Dados are defined in Law No. 67/98 of 26 October (Portuguese Data Protection Act) and Law No. 43/2004 of 18 August (organic law for the National Data Protection Authority).
Apart from these authorities, no other government department or law enforcement agency can order the disclosure of metadata. Such information can only be obtained under the rules set out above for provision of real-time lawful interception assistance, namely in the context of a criminal proceeding, and provided that a judicial authorisation has been sought and the rules established in Articles 189–190 of the Portuguese Criminal Proceedings Code are followed. However, if a state of siege or emergency has been decreed, the exceptional rules set out above may also apply.
National Security and Emergency Powers
The Portuguese National security agency is exclusively competent to gather intelligence to prevent threats to national security. Therefore, under Law No. 30/84 of 5 September, the agency is not allowed to pursue actions that may constitute an offence to the fundamental rights, liberties and guarantees set out in the Portuguese Constitution and Law.
Additionally, this law establishes that the agency does not have powers to pursue any acts that are within the scope of the courts’ and police authorities’ competence.
If it is suspected that a crime is being committed against national security, the Portuguese National security agency must inform the Public Prosecutor so that a criminal proceeding can be opened and, if relevant to the investigation, the Public Prosecutor may request from a judge the gathering of evidence (eg through real-time interception or disclosure of metadata) according to the regime described above.
CONSTITUTION OF THE PORTUGUESE REPUBLIC
Articles 19, 134 and 138 of the Constitution of the Portuguese Republic, as well as Law No. 44/86, dated 30 September (Legal Framework for the State of Siege or State of Emergency), permit the suspension of certain rights, liberties and guarantees in the event that a state of siege or emergency has been decreed by the President of the Republic, after consulting the government, and approved by the Portuguese Parliament. The state of siege or emergency decree shall expressly determine which rights, liberties and guarantees shall be suspended.
The state of siege or emergency decree would only be effective upon specific enforcement by the President. These powers are exceptional and may only last for a maximum of 15 days (or if otherwise decided by law). These states of siege or emergency may only be determined if absolutely necessary, in the event of an effective or imminent aggression by foreign forces, grave threat or disturbance of the normal, democratic constitutional order, or public calamity. Any powers granted to the government in this respect will apply in very limited circumstances and only to the extent required and adequate for the purpose at hand.
Oversight of the Use of Powers
The provision of oversight in respect of the powers of interception and disclosure of communications data is set out in the sections above.
SHUT-DOWN OF NETWORK AND SERVICES
Constitution of the Portuguese Republic and Law No. 44/86 of 30 September
The Portuguese government may order the shut-down of providers’ networks and services (including Vodafone’s) should a ‘state of siege or emergency’ be declared.
A state of siege or emergency is declared by the President of the Portuguese Republic, and it depends on the government being heard and on parliamentary approval. It is exceptional and is only declared when absolutely necessary in the event of a serious threat or disturbance to Portugal’s normal, democratic constitutional order, such as a public calamity or imminent aggression by foreign forces. It may last up to a maximum of 15 days, subject to possible renewal for one or more similar terms if the situation that gave rise to the declaration of state of siege or emergency persists.
Articles 19, 134 and 138 of the Constitution of the Portuguese Republic and Law No. 44/86 of 30 September (Legal Framework for the State of Siege and Emergency) allow the suspension of rights, liberties and guarantees by sovereign national bodies (including the Portuguese government) in the event that a state of siege or emergency is decreed. This power is wide-ranging and therefore could allow the government to shut down Vodafone’s network or services.
Electronic Communications Law (Law No. 5/2004 of 10 February)
Under Articles 110 and 111 of the Electronic Communications Law, the Portuguese national authority for telecommunications (ANACOM) is empowered to take certain measures where a telecommunications provider (such as Vodafone) is in breach of its legal obligations under the Electronic Communications Law and the breach in question represents a serious and immediate threat to public security or health, or raises serious economic or operational problems for other electronic communications providers or network users.
In case of severe or repeated breaches of these obligations, where interim measures are unlikely to be sufficient, ANACOM may suspend an electronic communications provider’s activities for up to two years or entirely revoke the provider’s authorisation to provide network services. Therefore, ANACOM could suspend or revoke Vodafone’s ability to provide its network and services (effectively shutting them down) if Vodafone were found to have committed a serious breach of, or to be repeatedly breaching, its obligations.
BLOCKING OF URLS & IP ADDRESSES
Decree-Law No. 7/2004 of 7 January
According to Decree-Law 7/2004 of 7 January (Portuguese Electronic Commerce Law), only specific ‘competent authorities’ may order the blocking of IP addresses and/or ranges of IP addresses. These measures can be taken where there is a serious threat to public health; public safety, particularly national safety and defence; consumers, including investors; and human dignity or public order, and include the protection of minors and repression of incitement to hatred on grounds of race, sex, religion or nationality, especially for reasons of prevention or prosecution of crimes or misdemeanours. The measures undertaken must, of course, be proportionate. The competent authorities empowered to make such orders include the judicial courts, the National Regulatory Authority and, in certain circumstances, the National Authority for Cultural Activities (Inspeção Geral das Atividades Culturais).
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
Constitution of the Portuguese Republic and Law No. 44/86 of 30 September
See ‘Shut-down of network and services’ above. The government powers under a state of siege or emergency would extend to enabling the government to take control of Vodafone’s network, should it choose to do so.
Oversight of the Use of Powers (Censorship-related)
CONSTITUTION OF THE PORTUGUESE REPUBLIC & LAW NO. 44/86 OF 30 SEPTEMBER
Any powers granted to the Portuguese government in a state of siege or emergency are subject to the terms of the authorisation set by Parliament and must be proportionate. In addition, the declaration of state of siege or emergency does not preclude an individual’s right of access to Portugal’s courts under general law.
ELECTRONIC COMMUNICATIONS LAW (LAW NO. 5/2004 OF 10 FEBRUARY)
The National Regulatory Authority must exercise its powers in an impartial, transparent and timely manner. Also, the measures undertaken by the National Regulatory Authority must be proportionate and reasonable. Decisions, orders or other measures adopted by the National Regulatory Authority are subject to judicial appeal.
DECREE-LAW NO. 7/2004, 7 JANUARY
Measures undertaken pursuant to the Electronic Commerce Law can be judicially challenged.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
No. The authority to require the telecommunications operator to intercept individual customer communications (and consequently unlock such data) lies only with a judge in the context of a criminal proceeding.
Note that the possible allocation of powers to the government in this context was discussed by the Portuguese Constitutional Court, and addressed in the Constitutional Court Judgment No. 403/2015. The judgment ruled on the compliance of a proposed bill with the Portuguese Constitution. The purpose of the bill was to grant the Portuguese Information Security System (Sistema de Informações/SIS) and the Portuguese Services for Strategic Defence (SIED) the right to directly access traffic data and connected data regarding individuals’ communications (along with other information). The Constitutional Court decided that the creation of any such right, in this context and on the terms proposed, did not comply with constitutional principles, including Article 34.4 of the Constitution.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
No. There is a specific framework for decryption obligations under Article 27(o) of the Electronic Communications Act whereby electronic communications service providers may be required to ensure the installation, at the undertaking’s own expense, and provision of systems of legal interception to competent national authorities – Public Prosecutor and the courts (see ‘Provision of real-time lawful interception assistance’ above) – as well as the supply of means of decryption or decoding where these facilities are present, in accordance with legislation governing personal data and privacy protection within the scope of electronic communications. Note that in referring to the decryption framework in the Electronic Communications Act, the law does not state that the decryption obligation applies to any encrypted communication transmitted through the provider’s network (ie including those communications that are encrypted by a third party).
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and content of the communication on receipt of a lawful demand?
The answer to this question will depend on the circumstances of the particular service in hand – this is a grey area of the law and there are a number of possible legal interpretations. For example, the answer to this question may vary depending on whether the telecommunications operator is offering a ‘business as usual’ telecommunications service (where the communication routes over the network as a data packet) or an ‘over the top’ communications service (where the delivery of a communication is made via Internet Protocol (IP) over the network) because such services may not be subject to the same type of decryption obligations. Vodafone is not aware of this topic having been expressly raised by a regulator to date in Portugal.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates as circa 1990) has been applied to contemporary cases involving encryption.
Vodafone is not aware of any examples where the government has applied legislation predating the advent of commercial encryption to this effect in Portugal.