Data retention in Peru: A poor copy of a bad idea


On July 27, 2015, Ollanta Humala, President of Peru, issued a decree granting the national police the power to access the geo-location data of any device in the country without a warrant, as well as requiring companies to store users’ communications metadata for three years. Now, the Peruvian congress has to decide whether it will ratify the policy.

UPDATE, 8/28/2015: Access has now joined 26 other digital rights organizations in a statement condemning government-mandated data retention in Peru [PDF]. The statement is being shared with the global press and lawmakers in Peru to help inform them about the danger that such mandates pose for privacy.

Surveillance for the masses

A government-ordered data retention mandate is a practice whereby telecommunications providers are forced to store and retain users’ telecommunications data – both phone and internet information – indiscriminately, for a given amount of time. Among the many problems with this practice is that it constitutes a violation of the right to privacy.

Citing the need to fight crime, governments propose and enact data retention regulations that are much closer to mass surveillance regimes than they are to human rights-compliant law enforcement policies. This is happening despite the fact that the utility of data retention for criminal investigation remains in dispute, while its negative impact on human rights is well established.

Governments in Latin America are especially fond of data retention, despite the problems cited above. Colombia has the longest data retention policy currently in force in the region – companies are required to store user information for five years – and new bills keep coming that aim to implement this type of policy elsewhere. One example is the “Pyrawebs” data retention mandate in Paraguay, which was rejected after human rights advocates and digital rights organizations, including Access, led a campaign against it.

Now Peru has just implemented a data retention mandate through a presidential decree that also enables the police to access real-time geolocation information for devices without a warrant. This decree was enacted without public debate or consultation, using legislative powers that the Peruvian congress gave the president earlier this year.

The process behind the decree

The Peruvian constitution enables the congress to pass a law each year granting time-limited legislative powers to the president on issues addressed in the law. After that, the head of the executive branch is empowered to issue a series of decrees legislating in that area, subject to a review by congress that is supposed to happen approximately two weeks after the publication of each decree.

This is the mechanism that was used by the Peruvian presidency on July 27 to enact Decree 1182 [PDF], which establishes two policies that harm every user’s right to privacy. First, it gives the national police direct access to real-time location information for any device in the country, by ordering telecommunication companies to comply with their requests without a warrant. Second, it commands companies operating in all of Peru to store telecommunications metadata for three years.

Privacy is in danger from “minute zero” 

As of July 27, the Peruvian national police can send a request to any telecommunications company directly and obtain location data for any device in Peru. There is no need for a warrant, as long as the police notify a district attorney within 24 hours from the request. Then, the district attorney has 24 more hours to give notice of the police request to a judge, who in turn has 24 hours more to decide on the legality of the procedure.

In sum, the information is obtained by the police immediately but the judicial consideration can happen up to 72 hours later. Plenty of time, considering that any surveillance measure ordered without a previous warrant is incompatible with human rights standards. Warrantless surveillance harms privacy from minute zero.

The same logic applies to data retention: Even if a warrant is provided to gain access to telecommunications users’ records, government-mandated collection and storage of aggregated communications data remains unnecessary and disproportionate in itself [PDF], and poses a risk for the security of private information.

Real-time location information: exceptions that are rules

Human rights standards mandate, among other conditions, that surveillance should be governed by the principle of necessity. That is to say that surveillance laws, powers, or authorities must be limited to those which are strictly and demonstrably necessary to achieve a legitimate aim. Governments try to honor this principle by applying surveillance mechanisms to the investigation of serious crimes such as terrorism and drug trafficking.

The Peruvian decree attempts to use a three-way test for limiting the scope of its real-time location authority. Spoiler alert: It doesn’t limit a thing.

Under Decree 1182, the national police can access real-time location information about a suspect only when the suspected offense is flagrant, carries a penalty of at least four years of imprisonment, and requires access to communications information to be investigated. The problem is that there is a lot of flexibility in how flagrancy is considered judicially in Peru, extending up to 24 hours after the commission of a crime. As to the minimum penalty, four years is too short a time period; you could get that penalty for minor offenses, such as for plagiarism of a research paper. And as to the necessity of the information, any criminal investigation might need to rely on communications information at some point.

We arrive at a scenario where intrusive surveillance measures could be applied to the vast majority of possible offenses without prior control. This raises serious problems for due process, necessity, and proportionality that put the privacy of citizens at risk.

Copy-pasting bad ideas

Typically, you would assume that legislation dealing with basic human rights like privacy, and complex governmental obligations such as public security, would be thoroughly debated and substantiated before its implementation. But as we’ve shown in our discussion of the procedure that enabled the presidential decree, not much debate is going on. At least, there won’t be until the congress reviews the decree, which should happen in the next couple of weeks.

When it comes to substantiating the need for such exceptional surveillance measures, the president’s office also fell short. The “motivation appendix” that accompanies the decree only describes what data retention is, and copy-pastes complete paragraphs of foreign legislation and research in order to try to justify the measure.

In fact, as the Peruvian digital rights think tank Hiperderecho reported last week, the presidency copied whole paragraphs from the preamble of the Spanish Data Retention Law 25/2007 and the European Directive 2006/24/CE, which was invalidated last year by the European Court of Justice [PDF] over human rights concerns. All of this was done without quotation, and with words in the text altered to make it appear original.

Another interesting piece of text was copied as well. In the part of the appendix where data retention is described, the presidency’s text copied complete paragraphs from a piece of research by Colombian activist Juan Diego Castañeda for Fundación Karisma that makes the case against data retention policies. And again, the text is copied without due attribution. You can view these copy-pasted documents here, here, and here.

What happens next?

As Hiperderecho’s director Miguel Morachimo observed in one of his posts on the matter, plagiarism would qualify as one of the crimes authorizing location surveillance and data retention, according to the decree and internal Peruvian legislation. So, if Juan Diego were to file a complaint, the very tool created by the decree could be used against its authors – that is to say, the president’s office.

Apart from this last example of legal irony, it is worrying that the Peruvian presidency didn’t even try to justify adopting these kinds of measures using data or statistics related to its own country. Data retention has serious implications for user privacy and personal data security, even if it’s practiced using metadata. And access to real-time location data is an exceptional surveillance measure that should not be used without previous judicial review.

In the next couple of weeks, the Peruvian lawmakers will have the chance to assess the legal and practical problems that we’ve covered in this post. At that time, the Peruvian congress will have to vote either to pass this decree into law as it is, pass it with modifications, or reject it entirely.

We call on the Peruvian congress to evaluate seriously the need for the measures taken by the decree. Surveillance measures like real-time monitoring are only possible in a scenario where standards of necessity and proportionality are met. These imply, among other conditions, that surveillance should be conducted only after a previously issued and well-founded court order.

As for the data retention mandate, that should be taken away from public security legislation. The same principles we cite above in our discussion of the decree advise against the exercise of mass surveillance, and for a particularized and balanced approach to telecommunications storage, when needed.

The debate will take place within the next week. We’ll keep you updated.