UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
Service providers and operators of public electronic communication networks may be required to intercept communications in the following scenarios:
CRIMINAL PROCEDURE ACT
a. A judge may, either ex officio or following an initiative by the judicial police or Public Prosecutor, issue an interception order if the criminal investigation for which a court authorisation is requested is carried out in relation to the prosecution of:
- one of the criminal offences referred to in Article 579.1 of the Criminal Procedure Act and approved by the Royal Decree of 14 September 1882 that was later modified by the Act 13/2015 of 5 October to strengthen procedural safeguards and regulate the technological investigation measures which entered into force in December 2015 (the Criminal Procedure Act); or
- other criminal offences perpetrated through an IT-based instrument or any other information or communications technology or communications service.
Requests for a court authorisation must contain the legal requirements set out by Article 588 bis b in relation to Article 588 ter d of the Criminal Procedure Act.
b. The Criminal Procedure Act states (according to Article 588 ter d3) that in cases of urgency, when the investigations are carried out in the context of the prosecution of criminal offences related to the activities of armed gangs or terrorist elements, the interception of communications may be ordered by the Minister of Home Affairs (Ministro del Interior), or by the Secretary of State for Homeland Security. In such cases, the measure has to be communicated within 24 hours. A reasoned opinion must be made in writing to the relevant judge, who will revoke or confirm it, also with a reasoned opinion, within 72 hours of when the measure was ordered.
c. Article 588 ter e of the Criminal Procedure Act obliges all providers of telecommunication services, providers of access to a telecommunications network or information society services to assist and collaborate with the judge, the Public Prosecutor or the agents of the judicial police to ensure compliance with the interception orders, while maintaining secrecy about the measures required. Failure to do this may lead to an offence of disobedience.
ACT 2/2002 OF MAY 6 ON PRIOR JUDICIAL CONTROL APPLICABLE TO THE NATIONAL INTELLIGENCE CENTER
d. According to Act 2/2002 of 6 May on prior judicial control as applied to the National Intelligence Centre, the National Intelligence Centre (CNI) may ask the operator to intercept communications in cases where the Secretary of State-Director of the CNI has obtained an authorisation from a competent judge of the Supreme Court, in accordance with the specific requirements under such law.
e. In cases of justified urgency (based on the authorisation request submitted by the Secretary of State-Director of the CNI), the competent judge may confirm or deny the requested authorisation with a reasoned opinion issued within 24 hours (rather than the usual 72 hours).
THE UNIVERSAL SERVICE REGULATION
Articles 83 to 101 of the Regulation on the conditions for the provision of electronic communication services, the universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April and modified by Royal Decree 726/2011 of 20 May (the Universal Service Regulation), determine the procedure and the measures to be adopted by service providers and operators of public electronic communication networks to intercept communications in cases where they are obliged to do so by law. The Universal Service Regulation establishes, among other things, the general requirements of the procedure, access requirements, the information to be delivered to the authorised agent (judicial police or CNI agent) and other operational requirements (previous information, locations, authorised personnel, confidentiality, real-time access, interception interfaces, etc).
A court order or an authorisation must be issued by the relevant judge before the interception takes place, except in case (b) outlined above.
In addition, Order ITC/110/2009 of 28 January on the general framework applicable to the specifications to be followed for the legal interception of communications (General Framework Order) establishes the relevant technical requirements and interfaces to be implemented by service providers and operators of public electronic communication networks to carry out the interception of a communication.
GENERAL TELECOMMUNICATIONS ACT 32/2003
Article 39 of the General Telecommunications Act 9/2014 of 9 May (LGTel) sets out the operator’s duty to intercept communications when required to do so by the relevant authorities through the appropriate interfaces and technical resources, that should be ready for this purpose. This Act, the Universal Service Regulation and the General Framework Order together provide a detailed description of the obligations of operators in terms of measures, procedures, interfaces and technical requirements to be put in place in order to comply with their interception duties.
In addition, there are further Orders which aim to regulate particular technologies, such as:
- Order ITC/313/2010 of 12 February implementing and adapting the technical specification ETSI TS 101 671 on Lawful Interception (LI) and on the handover interface for the LI of telecommunications traffic; and
- Order ITC/682/2010 of 9 March implementing and adapting the technical specification ETSI TS 133 108 (3GPP TS 33.108) on the Universal Mobile Telecommunications System (UMTS), as well as 3G security and the handover interface for LI.
These laws do not appear to grant government and law enforcement agencies the legal powers to allow direct access into a communication service provider’s networks without the operational or technical control or cooperation of the communications service provider.
Disclosure of Communications Data
DATA RETENTION ACT 2007
Act 25/2007 of 18 October on data retention related to electronic communications and public communication networks (Data Retention Act) regulates:
- the operator’s obligation to retain traffic and localisation data, as well as other necessary data to identify the user (traffic data) generated or processed in the provision of electronic communication services or public communication networks; and
- the duty to transfer such traffic data to the relevant agents whenever they are required to do so, through the relevant court order or judicial authorisation. In addition to the judicial police and CNI agents, the Data Retention Act explicitly includes the staff members of the Office of Customs Surveillance as authorised agents in this regard.
The Data Retention Act, among other things, regulates the traffic data to be retained, the obligation to store traffic data, the period of time during which such traffic data must be stored or retained by the operator, the procedure and security measures involved in the transfer of the traffic data to the relevant agents, and the sanctions to be imposed on operators that do not comply with such obligations.
The content of the communications is explicitly excluded from the scope of this Act.
In accordance with Articles 6 and 7 of the Data Retention Act, operators have the obligation to disclose the retained data to the authorised agents (see above), following the instructions contained in a court order issued by the relevant judge and according to the provisions of the Criminal Procedure Act and the principles of necessity and proportionality.
ACT 13/25 THAT MODIFIES THE CRIMINAL PROCEDURE ACT
In December 2015, Act 13/2015 of 5 October, which modified the Criminal Procedure Act, entered into force, stating that electronic traffic or associated data retained by service providers may only be disclosed for inclusion in the process by a court order. When such information contained in a service provider’s automated archives is deemed indispensable for the ongoing investigation, the appropriate authorisation must be requested from the competent judge.
In addition to this, either the Public Prosecutor or the judicial police may require any legal person to retain and protect certain data or information in a computerised storage system until the appropriate court order authorising its disclosure is obtained. The maximum timeframe for this retention cannot be more than 180 days.
Moreover, Articles 588 ter k, 588 ter l and 588 ter m set out the conditions for accessing non-traffic data without a court order, provided this is necessary for the purposes of identifying users, terminals and connected devices, and as long as the applicable requirements are met. In this sense:
i. Article 588 ter k concerning ‘Identification through IP number’ states that whenever the agents of the judicial police have access to an IP address used in the commission of a crime, they may ask the competent judge to prompt the subjects under the assistance and collaboration duties of Article 588 ter e to disclose the data allowing them to identify and localise the terminal or connected device and also identify the suspect;
ii. according to Article 588 ter l, in the context of a criminal investigation, the agents of the judicial police may use technical tools to gain access to identification codes or technical tags belonging to a communication device or any of its components (eg IMSI or IMEI numbers), provided that the subscriber’s number could not be obtained and it is deemed indispensable for the purposes of the investigation; and
iii. under Article 588 ter m, whenever the Public Prosecutor or the judicial police, in the exercise of their functions, need to know the ownership of a telephone number or of any other means of communication, or conversely, require the telephone number or the identifying data of any means of communication, they may address the provider directly and such provider will be obliged to provide that information.
National Security and Emergency Powers
According to Article 4.6 of the General Telecommunications Act (LGTel), the government may, exceptionally and temporarily, enable the General Administration to take over direct management of certain services or exploit certain electronic communications networks in order to ensure public safety and national defence.
Moreover, on the basis of a breach of public service obligations (under the Title III General Telecommunications Act), the government, following a mandatory report from the telecoms regulatory authority (CNMC), may also, exceptionally and temporarily, enable the General Administration to take over the direct management of the services or exploit corresponding networks. Regarding the latter, it may also, under the same conditions, intervene in the provision of electronic communications services.
According to the exceptional regulations provided by Act 4/1981 of 1 June on the states of alarm, emergency and siege (LSAES):
- during a state of alarm (in the case of essential goods running out in the whole of Spain or in a certain region – Article 4.d), the government may issue necessary orders (Article 11.e) or decide to intervene in those services or mobilise its personnel (Article 12.2) in order to ensure the functioning of the affected services;
- during a state of emergency (which may be requested because of a serious alteration of essential public services or for other reasons), the government may intercept any kind of communications provided this is necessary to clarify alleged criminal offences or to maintain public order (Article 18); and
- during a state of siege, the government directing military and defence policies will assume all exceptional prerogatives (Article 33.1).
The declaration of a State of Alarm will be conducted by Decree agreed by the Cabinet.
Once the government has obtained an authorisation from the Congress, it shall declare a State of Emergency, by Decree agreed by the Cabinet. The authorisation must include the suspension of article 18.3 of the Spanish Constitution, related to the secrecy of communication, in order for Article 18 LSAES to be applicable.
The government proposes the declaration of State of Siege before the Congress.
In addition, Article 8.2 of Act 34/2002 of 11 July on information society services and electronic commerce (LSSI) states that in order for the competent authorities to identify an alleged infringer, they may ask information society service providers (ISSPs) (which may include telecommunications operators) to disclose data which would permit such identification. This request must be based on a previous judicial authorisation, in accordance with Article 122 bis of the Law 29/1998 of 13 July governing Administrative Jurisdiction (LJCA).
Article 122 bis of the LJCA refers to the necessary requirements that must be met in order to obtain judicial authorisation: an initial request by the competent authorities, that must include the pertinent reasons for the request and also the relevant documents. The court, within 24 hours from the request and once the Public Prosecutor has been heard, may issue the requested authorisation, provided that it will not affect Article 18 paragraphs 1 and 3 of the Constitution.
Oversight of the Use of Powers
In line with the Criminal Procedure Act, the relevant court order will determine the extension and scope of the disclosure to be carried out. The relevant judge has a duty of supervision to ensure compliance with such a court order.
The competent judge must be notified immediately and in reasoned writing of the intervention determined from Article 18 of the LSAES.
SHUT-DOWN OF NETWORK AND SERVICES
Act 4/1981 of 1 June on the States of Alarm, Emergency and Siege
Under Act 4/1981 of 1 June on the states of alarm, emergency and siege, certain constitutional rights are suspended and an exceptional legal regime is provided for those situations when Spain experiences one of these states. The most relevant to the shut-down of Vodafone’s network and/or services are the powers which the government obtains when a state of alarm or siege is declared.
A state of alarm occurs when there is a shortage of essential goods or services in either the whole of Spain or a certain region of it (for example, as a result of a general strike); it can only be declared by decree of the government that must report this state to the Congress (Parliament). Without this authorisation, the government cannot extend the initial period of 15 days. Under Article 11 of the LSAES, during a state of alarm, the government may intervene to remedy the shortage. It is feasible, therefore, that should a major issue arise in respect of Spain’s communications, the government might intervene in relation to Vodafone’s network. It is most likely that such an intervention would be used to improve or restore the affected network or communication service. However, it is possible that such an intervention could extend to closing the network or shutting the service down.
A state of siege occurs when the government is concerned with military and defensive policies related to protecting the national security. The government must submit its proposal before Parliament in order to declare a state of siege. During a state of siege, the government may assume all exceptional prerogatives which come with it – including the ability to order a shut-down of Vodafone’s network or services.
General Telecommunications Act 9/2014 of 9 May
Articles 79 (sanctions) and 82 (interim measures in the framework of sanctioning proceedings) of the LGTel establish that the government or the telecoms regulatory authority, CNMC, may suspend (as an interim measure) or withdraw a network provider’s right to provide electronic communications networks, services and/or utilities. They may only do so in the case of serious and repeated breaches by the network provider relating to service provision, network exploitation or the granting of usage rights, or specific conditions that the regulator has imposed on that operator, when previous measures to request the cessation of the breach have been unsuccessful. The government and CNMC, therefore, have the power to shut down Vodafone’s network or certain parts of Vodafone’s services, but only if they deem Vodafone to have seriously or repeatedly breached its obligations as a network provider.
In addition, Article 28.1 of the LGTel, together with its complementary regulations (Articles 17 and 53 of the Royal Decree 424/2005), states that the government may, for reasons of national defence, public security or civil protection, impose other public service obligations that differ from the Universal Service Regulation.
BLOCKING OF URLS & IP ADDRESSES
Act 34/2002 of 11 July on Information Society Services and Electronic Commerce
Under Article 11.1, where a competent authority has found certain content to infringe the principles set out in Article 8.1, a court may order a network provider (such as Vodafone) to suspend access on its network to such content. In practice, Vodafone would do this by blocking the URL or IP addresses which link to the content being hosted. The principles set out in Article 8.1 include:
a. safeguarding public order, security and national defence;
b. protecting public health and consumers;
c. respecting fundamental rights (dignity, non-discrimination);
d. child protection; and
e. safeguarding intellectual property rights.
Copyright Act 1/1996
In connection with the Act above, the Copyright Act, approved by Royal Decree 1/1996 of 12 April and modified by Act 21/2014 of 4 November, developed the safeguarding of intellectual property rights over the internet by broadening the liability of intermediary service providers and increasing penalties for copyright infringement.
In particular, Section Two of the Copyright Commission represents the body in charge of the notice of takedown procedure against alleged copyright infringing activities by information society service providers (ISSPs) (eg blogs, websites) and ISSPs providing the description and location of presumably infringing works displayed on the website by means of an active contribution (not merely technical intermediation). Especially relevant is the fact that whenever ISSPs refuse to collaborate with the requests of the Copyright Commission over the removal of infringing content, intermediary service providers (such as Vodafone) may be required to suspend the services offered to such ISSPs.
To request a suspension of the service or the blocking of access to infringing resources, the Copyright Commission must be granted prior authorisation by a judge. In addition, in cases of serious infringements or where the social impact of the infringement is high, the ISSP may be required to cease its activities for a maximum of one year. To ensure the effectiveness of this measure, the intermediary service providers may be requested (provided that the authorisation of a judge is obtained) to suspend the service provided to such ISSP. In both scenarios, and under the amended Copyright Act, the lack of cooperation with the Copyright Commission (ie not suspending the service) is regarded as a very serious infringement under the LSSI.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
Act 4/1981 of 1 June on the State of Alarm, Emergency and Siege
See ‘Shut-down of network and services’ above.
General Telecommunications Act
In principle, the LGTel allows the government, in a state of emergency or siege, to manage the telecommunications service as a ‘temporal’ public service. In particular, Article 4.6 (telecommunications services for national defence, public and traffic safety, and civil protection) of the LGTel states that the government may, exceptionally and temporarily, order the General Administration to assume direct management of certain electronic communications networks or services, in the interests of public safety or national defence.
Oversight of the Use of Powers (Censorship-related)
ACT 4/1981 OF JUNE 1 ON THE STATE OF ALARM, EMERGENCY AND SIEGE
There is no judicial oversight of the specific emergency powers provided for when a state of alarm or siege is declared. The intervention determined according to Article 18 of the LSAES (state of emergency) must be notified immediately through a reasoned report to the competent judge.
GENERAL TELECOMMUNICATIONS ACT
There is no judicial oversight of the government’s or CNMC’s use of the powers provided for by the General Telecommunications Act.
In all cases, the enforcement of the collaboration measure issued to the relevant intermediation services provider requires prior authorisation by a competent judge in accordance with the procedure established under Article 122 bis LJCA.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. Under the first paragraph of Article 39 of the General Telecommunications Act 9/2014 of 9 May (LGTel), operators that exploit public electronic communication networks or make electronic communication services available to the public must guarantee the secrecy of such communications as set out in Articles 18.3 and 55.2 of the Constitution, and must adopt the necessary technical measures to do so. The second paragraph of Article 39 states that those operators are under an obligation to perform the interceptions authorised in accordance with the applicable Spanish laws and regulations.
Under Article 39.11 of the LGTel, where communications are subject to legal interception, compression, encryption, digitisation or other types of coding procedures, operators must deliver the communications free of the effects produced by such procedures, provided that they are reversible. Moreover, the intercepted communications must be provided to a quality no less than the one obtained by its recipient.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
Article 588 ter e of the Criminal Procedure Act, approved by Royal Decree of 14 September 1882 and later modified by Act 13/2015 of 5 October, for the strengthening of procedural safeguards and regulation of the technological investigation measures, which entered into force in December 2015 (SCPA), relates to:
i. all telecommunications services providers;
ii. telecommunications network access providers;
iii. information society service providers (ISSPs); and
iv. any other person who in any way contributes by facilitating communications through a telephone or any other computerised, logical or virtual device or system.
It obliges them to assist and collaborate with the criminal judge, the Public Prosecutor or the agents of the judicial police to enable the fulfilment of legal interception orders, while maintaining secrecy in relation to the measures required by the authorities. Failure to fulfil these duties may lead to an offence of disobedience.
Also, according to the exceptional regulations provided by the Act 4/1981 of 1 June on the states of alarm, emergency and siege (LSAES), during a state of emergency (which may be requested because of a serious alteration of essential public services), the government may intercept any type of communications provided that this is necessary to clarify alleged criminal offences or to maintain public order under Article 18 of the LSAES. The authorisation of the Congress in favour of a declaration of a state of emergency by the government must include the suspension of Article 18.3 of the Constitution, related to the secrecy of communication, in order for Article 18 of the LSAES to be applicable.
In addition, according to page 9 of the Resolución modificación título habilitante 18032002, relating to the telecommunications licence for the 1.800 MHz band, the licence owner must agree to:
i. whenever set out by the applicable laws, comply with the decisions issued by the authorities for the purposes of public interest, public safety and national security; and
ii. implement the necessary measures in order to be able to do this.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
As pointed out in the answer to Question 1 above, Article 43 of the LGTel enables the General Administration or a public body to request the encryption algorithms and procedures from, inter alia, any entity that includes an encryption mechanism within the services it provides.
However, the impact of this provision is rather low, due to the following considerations:
a. First of all, this provision was meant to lead to further development through complementary rules and regulations. Such development is still pending. For example, no additional specifications or definitions of the ‘administrative or public body’ entitled to request the algorithms have been produced yet. The effectiveness of this provision is doubtful, to say the least.
The situation may change if the government approves further developments. However, note that the first General Telecommunications Act of 1998 and the second General Telecommunications Act of 2003 contained similar provisions to the one discussed above. Neither of these provisions has been developed through complementary regulations, and consequently, as far as we know, they were never applied. It is likely that no further development will occur any time soon.
b. The prerogative described above would only cover the algorithms and procedures used to encrypt the content and encryption devices for their control. It appears that there is no direct obligation to disclose information contained by a specific communication.
Notwithstanding this, the operator would still have to provide the judge, the Public Prosecutor or the agents of the judicial police with the necessary – albeit in this case, limited – assistance and collaboration to enable the fulfilment of legal interception orders, as stated in Article 588 ter e of the SCPA.
As the enablement of end-to-end encryption would compromise the telecommunications operator’s ability to comply with its existing legal obligations in the area of law enforcement assistance, it is questionable whether this would raise issues with the government or the regulator. There is no legal precedent in this regard.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
To Vodafone’s knowledge, there are no such examples of ‘old law’ being used in order to demand access to data protected through encryption.