How will the new Surveillance Act affect businesses?

The Act on Amendment to the Police Act and Some Other Acts took effect on 7 February 2016. It thoroughly changes the laws applicable to non-public surveillance activities and modifies the procedures for uniformed services obtaining access to information gathered by postal and telecommunications operators and electronic service providers. Since the changes have far reaching legal and business consequences, we want to draw your attention to the main effects they will have on your day-to-day activity and to indicate areas where organisational changes may be required.

Main changes in the Surveillance Act

We will discuss the main changes related to rights granted to the police but please note that corresponding provisions have been added to the acts governing the work of other uniformed forces, including the Border Guard Service, the Central Anti-Corruption Bureau, the Internal Security Agency and the Foreign Intelligence Agency. In addition, the same extended rights have been granted to tax intelligence and customs officers. Please find below a summary of the main changes introduced by the Act:

• the scope of the actions that may be taken during surveillance activities has been tightened up,
• a 12-month time limit for conducting non-public surveillance activities has been introduced,
• rules of procedure applicable to data obtained during surveillance activities, which contain or may contain information covered by attorney/client privilege, have been introduced,
• the possibility of the police obtaining data other than message contents as part of electronically supplied services has been introduced, and the police's existing power to obtain data other than contents of postal correspondence and telecommunications messages has been extended; this possibility/power is available when these actions are taken to prevent or disclose crimes, save human life or health, and support search or rescue operations,
• regional courts have been granted the general power to subsequently control the process of the police obtaining such data,
• the obligation for electronic service providers to ensure technical and organisational conditions for the police to carry out surveillance activities has been introduced, and this obligation has been maintained for telecommunications and postal operators.

Practical effects of the Surveillance Act

In our opinion, these changes should be viewed from the following two perspectives:

• Due to the extended powers of the uniformed forces and the non-open procedure for obtaining data, the online activities, telephone calls and postal correspondence of your employees may be subject to surveillance by the uniformed forces. This will not require
  court consent and will take place without the knowledge or consent of the data subject. In the course of such activities, it will be impossible to obtain the contents of communications sent (court consent is still required to install a wiretap) but it will be completely legal to determine the names of interlocutors/recipients of correspondence, their exact email addresses, the duration of a telephone call/message sending date, computer IPs, telephone numbers, business addresses, other location data of parties to a conversation/communication, etc. Thus, such data may potentially enable identification of whom your employees contact in their daily work, who your contractors are, where your employees travel on business, etc.
• The concept of electronic service provider, transferred to the Police Act, may in practice be interpreted very broadly by the uniformed services, and thus the obligation to provide data and ensure conditions for conducting surveillance activities may apply not only to businesses providing online services but potentially to any entity that is present on the web in any way, e.g. by maintaining its own website. Consequently, in extreme cases, it may happen that the services may ask to be provided with the logs of servers supporting the company’s electronic mail or website.

DZP recommendations regarding the implementation of the Surveillance Act

In the light of the foregoing, we recommend:

• implementing or verifying current procedures for access to IT resources, especially those related to the principles of using your company’s computer network and other resources available online,
• implementing detailed rules of procedure when the services ask to be provided with data related to electronically supplied services,
• training employees on the principles of appropriate communication, especially with public administration authority personnel.