We spoke with TEDIC in Paraguay, an organization that is helping to spearhead the fight against the "Pyrawebs" data retention bill. When we asked what concerned them the most about this law, they didn’t just give us one or two reasons, they gave us 12!
Laws have a tendency to be contagious. We spoke with TEDIC in Paraguay, an organization that is helping to spearhead the fight against the “Pyrawebs” data retention bill. When we asked what concerned them the most about this law, they didn’t just give us one or two reasons, they gave us 12!
Here is why Paraguay’s Senate should reject the #Pyrawebs bill … and why you should hope it gets turned down before it has a chance to spread.
1. The mandatory retention of data affects millions of innocent users who are not suspected of any crimes (a violation of the presumption of innocence). It also jeopardizes online anonymity, which is essential for investigators, journalists, social movements, Human Rights NGOs, and for anyone dedicated to political expression.
2. Mandatory data retention is an unreasonable measure. The basic principle of proportionality must be kept in mind when creating laws that affect communication and human rights. Surveillance must be strictly limited in scope and only allotted the time necessary to achieve all legitimate objectives, ensuring that anything that does not have to do with the investigation remains confidential. Furthermore, surveillance measures must not be specific or individualized. They must be directed at those being investigated, on the basis of reasonable suspicion of committing a criminal offense. Contrary to the above, this bill sets out random surveillance measures that are neither reasonable nor necessary in a democratic society; and they lack proportionality.
3. Mandatory data retention creates enormous potential for misuse, and must be rejected, as it is a serious infraction of the rights to personal data protection and fundamental freedoms. This bill supports the mass surveillance of all individuals, which must not be tolerated in a country where freedom and democracy are valued.
4. It also affects doctor-patient and lawyer-client confidentiality, as well as that of journalists and their sources, among other forms of communication within the strictly private sphere.
5. In comparison with other bills, this one does not seem to limit data access to those cases where data is retained for serious crime investigations; rather it permits the use of data for any kind of offence, such as peer-to-peer downloads, defamation or any other type of minor offence.
6. One question relates to who is the source of authority for access (although authorization from the judge responsible for confidentiality is also necessary). In the bill, it is unclear if a certain level of suspicion or justification, which the confidentiality judge must evaluate, must be met in order to access the data.
7. Unfortunately, the bill also does not adequately delimit the data that will be retained. It merely gives a restricted list of examples, outlining the IP address, the origin and destination of the examples, date and time of connection, and where appropriate, date and time of disconnection. The bill should establish a comprehensive list including the circumstances in which surveillance measures can be ordered in a criminal investigation. It should also provide sufficient details regarding information that is exempt from judicial review, due to the fact that it is not directly linked to an object of criminal investigation.
8. The bill does not allow for the proposed system to distinguish between situations in which this surveillance would be justified, and those in which it would not, therefore enabling misuse and illegitimate invasions of privacy through state monitoring.
9. It is mass surveillance. This surveillance has not been subject to prior judicial authorization; and the surveillance proposed is mandatory in nature and massive in reach. It is under the management of private Internet service provider and data transmission companies. By foregoing prior judicial authorization and supervision, surveillance measures present a major issue for human rights protection, and compromise the international responsibility of the State and validity of criminal investigations to be brought forward.
10. In Section 8 of the bill, the obligation to preserve and protect any intercepted user data is the responsibility of private Internet service provider and data transmission companies. This means that the State of Paraguay would not be responsible for protecting anyone who was affected by the interception of data. The bill does not put forward a mechanism for periodical judicial review or independent democratic oversight concerning the management of these databases, which are managed by private companies. The bill should consider mechanisms for review, safekeeping and preservation of data that has been collected as a result of legitimate surveillance. These mechanisms must be under the management and responsibility of the State.
11. Sections 9 and 10 of the bill establish sanctions for Internet service provider companies that fail to comply with the obligation to retain information. For this purpose, the corresponding administrative body (the National Telecommunications Commission) is authorized to establish regulations and apply administrative sanctions in accordance with Law No. 642 of Telecommunications. Nevertheless, the necessary assurance of protection against misuse or violations of communication confidentiality is not provided to users, in accordance with the human rights obligations of the State. Individuals who may be affected by the illegal use of their personal data or violation of privacy would have no legal defence, which conflicts with the obligations of the Republic of Paraguay.
12. In addition to the previous point, this proposed law does not contain provisions for the effective legal protection of personal data, nor for reversing damage caused by the improper use or violation of confidentiality of private communication. In particular, no judicial assurance is provided, which allows evidence that has been obtained in violation of the minimum standards of protection to be overridden. A communications surveillance law should have these safeguards, in accordance with human rights standards (Section 36 of the Constitution of Paraguay). The bill should establish the guarantee of effective legal protection of personal data, which allows individuals who have been affected by the misuses of surveillance to have their due rights restored and adequately repaired.