Are we back to 1984?

The recent debacle on how the Police obtained certain data logs from local telecommunication companies on the alleged grounds of the attempted corruption and hindering of witness by a Police officer in front of the Police Board as well as the fabrication of false evidence raises various questions as to what powers are available to the Police in order to obtain log data.

The powers of the Police to directly obtain data held by telecommunication companies is specifically provided for under Regulation 19 of the Processing of Personal Data (Electronic Communications Sector) Regulations (S.L. 440.01) which  transposes the EU Data Retention Directive (Directive 2006/24/EC). This Regulation provides the parameters within which the Police can apply the generic provisions of Article 355AD(4) of the Criminal Code which stipulates that any person who is considered by the police to be in possession of any information relevant to any investigation has a legal obligation to comply with a request from the police to attend at a police station to give as required any such information.

The major scope of the Data Retention Directive is for the harmonisation of the obligations of providers of electronic communications services with respect to the retention of certain data in order to ensure that such data is made available under express conditions for the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.

Article 4 of the Data Retention Directive provides that “Member States shall adopt measures to ensure that data retained in accordance with this Directive are provided only to the competent national authorities in specific cases and in accordance with national law.” It also stipulates that “the procedures to be followed and the conditions to be fulfilled in order to gain access to retained data in

accordance with necessity and proportionality requirements shall be defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international

law, and in particular the ECHR as interpreted by the European Court of Human Rights.”

The Data Retention Directive therefore leaves it in the hands of the Member State in question to establish the procedures and the conditions to be fulfilled so that data held by service providers is made available to the police in situations where a “serious crime” is committed.

The Data Retention Directive does not define what a “serious crime” is. It is national legislation that must provide this definition and the transposition carried out by Member States varies. Some countries opted to define “serious crime” in relation to the nature of the offence whilst others, such as Malta, defined “serious crime” in relation to the minimum applicable punishment.

In fact, Regulation 17 of SL.440.01 defines “serious crime” as “any crime which is punishable by a term of imprisonment of not less than one year and for the purposes of these regulations includes crimes mentioned in Articles 35(1)(d) and 35A of the Electronic Communications (Regulation) Act”. Therefore, the powers of the Police to request data from the telecommunication providers can only be exercised during the investigation, detection and prosecution of a crime which carries a term of imprisonment of not less than one year. Any crime which carries a term of less than one year is excluded from the definition of “serious crime” as contained in our national laws and consequently there is no corresponding obligation on the service providers to provide such data to the Police in the event that the crime being investigated, detected or prosecuted is not “serious”.

Regulation 19 of Sl440.01 also provides that the data request made by the Police must be “made in writing and shall be clear and specific”.

In their statement issued on the 28^th August  the Police make it clear that their investigations were based on alleged crimes committed under Articles 102,110 and 111 of the Criminal Code and underlined the stark distinction that exists between the independent inquiry of the Police Board and any investigations which the Police were obliged to do according to law. One has to seriously question however whether (i) the referred Articles are applicable in the case of an attempted corruption of a witness in front of the Police Board and (ii) whether such crimes could be considered as “serious” as per the definition contained in SL440.01.

Article 102 of the Criminal Code speaks about the subordination of a witness “in any civil or criminal proceedings”. It is therefore questionable whether an inquiry in front of the Police Board can be termed to be a civil or criminal proceeding. The Police Board might be considered as a competent authority but surely, considering an inquiry in front of the Police Board as a civil or criminal proceeding is something not found in the word of the law. This has also to be seen in light of the provisions of Article 60 of the Police Act (Chapter 164 of the Laws of Malta) which provides that “for the purposes of articles 100 and 101 of the Criminal Code, the Police Board shall be deemed “a competent authority”. A competent authority is different from criminal proceedings. Questioning the applicability of Article 110 and 111 of the Criminal Code in the case under discussion is also very relevant especially when, notwithstanding that Article 111 specifically refers not only to civil and criminal proceedings but also to “competent authority”, the Police Board cannot be considered as such competent authority in light of Article 60 of the Police Act.

Even if one, for the sake of argument, had to assume that Articles 102, 110 and 111 of the Criminal Code where indeed applicable, one has to verify if such crimes can be termed as “serious” under SL.440.1. Even with the application of Article 141 of the Criminal Code, which increases the degree of punishment applicable by one degree in cases where the crime is committed by a public officer, Articles 102, 110,111 can carry punishments of imprisonment of less than one year. The minimum punishment applicable under these Articles does not surpass the minimum threshold that our national laws have set for the applicability of Regulation 19 of SL.440.01.

Data retention laws try to achieve the most difficult yet crucial balance possible. The powers available to the Police to process our personal data are not absolute. They have to respect the principle of privacy as enshrined in our constitution and applicable legislation including the data processing principles such as the purpose principle.

In any case, I might not even bother any longer to keep a copy of Orwell’s ‘1984’ or Huxley’s ‘Brave New World’ next to my bed. I might just keep a copy of our daily papers instead.

- Originally published as an opinion piece in the Times of Malta on the 3rd September 2013