Which entities will be subject to this data storage obligation?
The data storage obligation (Article 47 of the ECA) will apply to all electronic communications undertakings and to all types of electronic communications services. Therefore, it will cover not only telecommunications undertakings, but also undertakings that provide publicly available interpersonal communication services not using numbers. In this respect, the draft law defines interpersonal communication services as services that allow for the direct interpersonal and interactive exchange of information over a telecommunications network, or between a certain (finite) number of people. Therefore, all entities that offer services such as the use of e-mail (platforms such as Onet.pl, Gmail.com, or Wp.pl), messaging (e.g., Snapchat, Instagram, or LinkedIn), voice calls (e.g., FaceTime, or Telegram), instant messaging (e.g., WhatsApp, or Messenger), among others, will be subject to this obligation.
The scope and period of the data storage
The data storage obligation covers user data generated by, or processed through, the telecommunications network such as: data identifying the user initiating the communication and the user to whom the communication has been directed (i.e. the name, surname, and IP number), the date and time of the communication, its type, duration, and even, depending on the service provided by the electronic communications undertakings, information concerning the location address of the device from which the communication was initiated, and to which location address it was directed.
The aforementioned data will be required to be stored by the electronic communications undertakings for a period of 12 months and is to be made available to courts, prosecutors, and other authorised entities, according to the rules and in the manner specified in greater detail in the implementing regulations issued on the basis of the ECA.
Incompatibility with EU regulations?
The draft law, although, by design, aims to implement the solutions to electronic communications which have been specified in the Directive into the Polish system, nevertheless includes a broad catalogue of those undertakings which have been obliged to store data which, by no means, have been specified under the EU regulations. Therefore, the provision of Article 47 of the ECA, in its current wording, has been accused of being incompatible with EU regulations by the Charter of Fundamental Rights of the EU, among others, and with the existing case law of the Court of Justice of the European Union (e.g., CJEU judgment C-511/18 in the case of La Quadrature du Net and Others). In this respect, current jurisprudence allows for the possibility of imposing an obligation on providers of electronic communications services to store specific personal data only in exceptional situations, when:
- there is a serious threat to national security, such as a terrorist threat;
- the data storage is strictly necessary, limited in time, and the person whose data has been stored has been provided with adequate safeguards for the protection of his or her personal data; or,
- the data storage is not systemic, and is subject to effective supervision by a court or independent administrative authority.
The draft Act, however, foresees neither court supervision nor any supervision by an administrative body concerning the storage of data or its transfer, nor does it limit the scope of the individuals whose data is to be stored and transferred to the relevant authorities.
Given the above, while it seems possible that the draft law will be adopted in its current form, its compliance with EU regulations may be challenged in the future, either in the form of a preliminary question or upon the initiation of proceedings by the European Commission.
Authored by Ewa Kacperek and Martyna Sieczka.