Confidentiality of Communications

According to article 19 παρ. 1 of the Greek Constitution, the confidentiality of communications is absolutely inviolable except for national security reasons and for the criminal investigation, detection and prosecution of serious crimes.

The main law governing the confidentiality of communications is the Act no. 2225/1994 (GG 121/A/20-07-1994). This Act stipulates the conditions and the judicial procedure, under which the lawful interception of the content of communications and the access to communications data for the reasons stated by the Constitution is legitimate. The legal framework on the confidentiality of communications further consists of the Act no. 3115/2003 (GG 47/A/27-02-2003) and the Presidential Decree no. 40/2005 (GG 59/B/07-03-2005), by virtue of which the independent administrative authority on the protection of the confidentiality of communications (CCA) is established and its operation and powers are defined. The same Act also stipulates the administrative fines and the criminal sanctions that may be imposed in cases of breach of the legal framework protecting the confidentiality of communications. More specific legal provisions regarding the lawful interception and access to communications data procedures are included in the Presidential Decree no. 47/2005 (GG 64/A/10-03-2005).

Particularly relevant to electronic communications is the Act no. 3674/2008 (GG 136/A/10-07-2008), which states the obligations of network operators and electronic communication service providers in terms of network security, decryption, system supervision and collaboration with the CCA. Other provisions relevant to confidentiality of communications concern the criminalisation of the various acts of unlawful interception and further use of unlawfully acquired communications data (see articles 370 – 370Δ of the Criminal Code) and the prohibition of using such unlawfully acquired evidence in the criminal procedure (see article 177 of the Code of Criminal Procedure).

The Greek Authority for the Protection of the Confidentiality of Communications (CCA)

According to the article 19 παρ. 2 of the Greek Constitution, the confidentiality of communications in the jurisdiction of the Greek state is guaranteed by an independent authority. In accordance to the provision of the Constitution mentioned above, the Act no. 3115/2003 and the Presidential Decree no. 40/2005 establish the Authority for the Protection of the Confidentiality of Communications (CCA) and regulate its operation and powers.

The Greek CCA is the independent authority responsible for ensuring the confidentiality of free correspondence and communications and the lawful observance of the relevant legal framework. The CCA supervises the lawful interception and access to communications data procedure, which takes place between, on the one hand, electronic communication network operators and service providers and, on the other hand, the law enforcement authorities. It is also the authority competent to regulate and ensure the security of communications in the publicly available electronic communications networks and services. Finally, the CCA is responsible to monitor the lawful observance of the Data Retention Act no. 3917/2011 by electronic communication network operators and service providers. For this reason electronic communication network operators are obliged to send a regular quarterly report to the CCA, listing all the judicial orders for reasons of lawful interception and access to communication data received by the latter (see article 7 of the Act no. 3674/2008).

Under these powers the CCA has issued certain Regulations for ensuring confidentiality and security of the following electronic communications and information society services:

  • Opinion no. 1/2005 on the procedure of lawful interception and access to communication data in relation to the internet.
  • Regulations no. 2322/2006 and 234/2009 on the tracking of offensive calls (GG 1853/B/21-12-2006, 2359/B/20-11-2009).
  • Recommendation no. 52/2009 on ensuring the confidentiality of communications by electronic communication service providers in the operation of lawful interception.
  • Regulation no. 165/2011 on the protection of the confidentiality of electronic communications (GG 2715/B/17-11-2011).

In cases of violation of the relevant legal framework the CCA has, inter alia, the powers to order the suspension or revocation of the operation of the undertaking under investigation and imposeƒ fines of up to 5.000.000 €.

For the investigation of possible violations of the relevant legal framework the CCA has the powers, inter alia, to (article 6 of Act no. 3115/2003) :

  • Conduct inspections at the premises, equipments, archives, databases and documents of law enforcement agencies and electronic communication network operators / information society service providers.
  • Confiscate any means used for violating the confidentiality of communications and security.

Access to Communications Data & Lawful Interception

The main law executing the constitutional provisions mentioned above is the Greek Act no. 2225/1994 (GG 121/A/20-07-1994). This Act contains the list of serious crimes, the investigation, detection and prosecution of which permits the access to communications data or real – time lawful interception of communications by the competent authorities (see article 4 of the Act no. 2225/1994). Furthermore, it describes the legitimate procedure that these authorities have to follow in order to access communications data or lawfully intercept communications (see article 4 of the Act no. 2225/1994). The detailed list of data, which have to be provided under the procedure for each type of electronic communication (fixed/mobile telephony, international roaming, calling cards, internet, LAN networks, decrypted data etc), is included in articles 3 – 5 of the Presidential Decree no. 47/2005. This list includes both the content and the external data (traffic, location etc) of communications.

Entities obligated under the law to give access to electronic communications data or grant real – time lawful interception of communications are the undertakings falling under the definition of publicly available electronic communication network/service providers (see the Presidential Decree no. 47/2005). Such obligations should not burden information society service providers. Nevertheless, the possibility that law enforcement authorities act in contradiction to the law and request for access to internet communications data or for the lawful interception of internet communications by internet hosting providers should not be totally excluded. Up to now, no such requests are publicly known to have occurred.

For national security reasons the legitimate procedure of access to electronic communications data or real – time lawful interception of communications is as follows (see articles 3 and 5 of the Act no. 2225/1994, see also the Presidential Decree no. 47/2005) :

  • A competent public authority (i.e. the investigator / judge or the public prosecutor or the law enforcement agency) files the application to access electronic communications data or lawfully intercept to the Public Prosecutor of the Court of Appeals.
  • Within twenty four (24) hours the Public Prosecutor of the Court of Appeals issues the relevant judicial order . The order consists at least of the content listed in article 5 παρ. 1 of the Act no. 2225/1994.
  • The judicial order is sent to the electronic communication network/service provider. In practice, each judicial order is sent to all active electronic communication network/service providers.
  • The provider having the relevant data or communications under its control executes the order by sending the communications data to the competent authorities within seven (7) days.
  • If the order concerns real – time lawful interception the provider grants access to the communications under interception within three (3) hours.

For the criminal investigation, detection and prosecution of serious crimes the legitimate procedure of access to electronic communications data or real – time lawful interception of communications is as follows (see articles 3 and 5 of the Act no. 2225/1994, see also the Presidential Decree no. 47/2005) :

  • A competent public authority (i.e. the investigating Judge or the Public Prosecutor or the law enforcement agency) files the application to access electronic communications data or lawfully intercept to the Judicial Council.
  • In extremely urgent cases the application may be filed to the Public Prosecutor conducting the criminal investigation. In these cases the order of the Public Prosecutor will have to be approved within three (3) days by the Judicial Council, otherwise it becomes invalid.
  • Within twenty four (24) hours the Judicial Council or the Public Prosecutor issues the relevant judicial order . The order consists at least of the content listed in articles 4 παρ. 2, 3 and 5 παρ. 2 of the Act no. 2225/1994.
  • The judicial order is sent to the electronic communication network/service provider. In practice, each judicial order is sent to all active electronic communication network/service providers.
  • The provider having the relevant data or communications under its control executes the order by sending the communications data to the competent authorities within seven (7) days.
  • If the order concerns real – time lawful interception the provider grants access to the communications under interception within three (3) hours.

Unless the order is issued for reasons of national security, the duration for accessing the electronic communications data or lawfully intercepting communications may not be more than two (2) months. The duration may be prolonged for consecutive periods of two (2) months up to a total period of ten (10) months under the same legitimate procedure described above (see article 5 παρ. 6 of the Act no. 2225/1994).

The CCA is responsible for the supervision and the legitimacy of the procedure and has the powers to collect information about the lawfulness of its execution. In case there are reasons that render the order or the whole procedure illegal, the electronic communication network/service provider is prohibited from proceeding to the execution of the order, otherwise the latter shall be held liable for the violation of the law.

By virtue of its Opinions 9/2009, 12/2009, 9/2011, the Public Prosecutor at the Supreme Court has stated that the protective provisions of the law regarding the confidentiality of communications do not cover traffic and location data of internet communications, such as IP addresses. Since then, public prosecutors and law enforcement agencies have constantly been filing at ISPs and information society service providers several requests for internet users’ data without following the legitimate procedures for lawful interception. In at least two cases legal representatives (a CEO and a security officer) of undertakings, which denied to fulfill such requests for reasons of legitimacy, were criminally prosecuted for the criminal offence of disobedience. The independent authority for the protection of the confidentiality of communications (CCA) has issued a directly opposite opinion on the matter (see CCA Opinion no. 1/2005) and has sent official letters to the political leadership, but has not intervened to terminate such practices from law enforcement agencies. This dead – lock between competent public authorities has led into a major issue of legal uncertainty and regulatory risk for internet intermediaries, since the latter are compelled to choose between the possibility of being criminally prosecuted or being imposed with sanctions by the CCA on the basis that they have violated the law on the confidentiality of communications.

Article 9 of the Act no. 3115/2003 states that the cost for the implementation of lawful interception systems by electronic communication network/service providers will be shared between the former and the State. On the contrary, articles 6 παρ. 2 and 7 παρ. 4 of the Presidential Decree no. 47/2005 state the opposite. By virtue of its Decision no. 4170/2011 the Conseil d’ Etat has annulled the aforementioned provisions of the Decree as of lesser mandatory power compared to those of the Act. Nevertheless, up to now no cost of any provider for the installation of the relevant equipment and the implementation of the lawful interception procedure has been reimbursed by the State.

In cases of violation of the legal framework on the confidentiality of communications, the electronic communication network/service provider may face the following legal consequences :

  • Administrative sanctions : The suspension or revocation of the operation of the undertaking and/or the imposition ofƒ fines of up to 5.000.000 € by the CCA.
  • Civil liability : Compensation for damages to the subject of the communications, not less than 10.000 €, following a relevant court decision.
  • Criminal Sactions : Depending on the act committed such sanctions may rise up to the following (a) imprisonment of up to ten (10) years and a fine up to 200.000 € for the legal representative of the provider (e.g. CEO, member of the board, security officer etc.) and (b) imprisonment up to ten (10) and twenty (20) years and a fine up to 350.000 € in cases of danger for the democracy or national security.

Integrity & Security of Networks and Services

The regulation of the security and integrity of electronic communications networks and services in Greece is characterised by over – regulation and overlapping competences between supervisory authorities. The reason for this is the negative precedent of several unlawful interferences having taken place in the country, primarily for political reasons, which has raised public awareness and has forced political parties to expediently take institutional measures.

The relevant regulatory framework consists of article 37 of the Electronic Communications Act (ECA), articles 4 and 12 of the Act no. 3471/2006 on the protection of personal data in electronic communications, the Act no. 3674/2008 on the reinforcement of the confidentiality of telephony communications, the Ministerial Decision no. 7560/153/2012 (GG 305/B/14-02-2012) on the obligations for safeguarding the integrity of public electronic communication networks on a fixed location and the regulations of the CCA. The authority responsible for the supervision and lawful application of the regulatory framework mentioned above is the CCA, having even the powers to conduct ad hoc investigations in the premises of the supervised undertakings (see article 37 παρ. 3, 8 and 9 of the ECA). Nevertheless, in its role the CCA shares many powers with the NTPC and the DPA (indicatively see article 37 παρ. 4 – 8 of the ECA).

Under the law, electronic communications network/service providers ought to take appropriate technical and organisational measures, so as to appropriately manage the risks posed to security of networks and services. Taking into account the state of the art, these measures shall ensure a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of security incidents on users and interconnected networks (see article 37 παρ. 1 of the ECA). Furthermore, network/service providers are obliged to take all appropriate steps to guarantee the integrity of their networks, and thus ensure the continuity in the supply of their services provided over those networks (see article 37 παρ. 2 of the ECA). In addition, providers shall have to notify the NTPC of any breach of security or loss of integrity that has had a significant impact on the operation of their networks or services (see article 37 παρ. 2 of the ECA).

In addition, providers bear the obligations of articles 4 and 12 of the Act no. 3471/2006, which are described in detail in chapter 5.3.1.2 above.

Providers of fixed/mobile telephony networks and services have the additional obligations stipulated under the Act no. 3674/2008, which consist of the following :

  • Each provider shall adopt and follow a special security policy with a certain minimum required content, which will be approved by the CCA.
  • Each provider shall appoint a security and confidentiality of communications officer and inform the CCA, the DPA and the NTPC accordingly.
  • Providers shall keep audit of all management activities regarding the software of their digital switching centers.
  • In case that a breach of the confidentiality of communications takes place, the responsible security officer shall expeditiously give notice to its CEO, to the Public Prosecutor’s Office, to the CCA and to the subsribers inflicted by the breach.

The minimum required content of the security policy is defined under the CCA Regulation no. 165/2011 on the protection of the confidentiality of electronic communications (GG 2715/B/17-11-2011).

According to the Ministerial Decision no. 7560/153/2012 fixed telephony network/service providers shall, as a minimum, be required to have in place and apply the following policies : (i) Business Impact Analysis, (ii) Risk Assessment, (iii) Business Continuity Plans and (iv) Disaster Recovery Plans. Accordingly, such providers shall be constantly informed on the condition of their networks, shall ensure their resistance, the reliability and fault – tolerant function of their equipment, shall avoid single points of failure in their networks and shall have specially trained personnel to correspond to these obligations.

In cases of violation of the regulatory framework described above, the electronic communication network/service provider may face sanctions and fines that have been already analysed above.

Tracking of Offensive Calls

The tracking of offensive calls is regulated by article 8 of the Act no. 3471/2006 and the CCA Regulation no. 2322/2006, as amended by Regulation no. 234/2009 (GG 1853/B/21-12-2006 and 2359/B/20-11-2009 correspondingly).

Offensive is a fixed/mobile telephone call, which contains threats of violence or other illegal acts or omissions, insult, sexual or other, blackmail or causes nuisance, such as silent repeated calls (see article 2 of the Regulation).

Every fixed/mobile telephony subscriber has the right to apply to its provider for the tracking of offensive calls to his/her telephone number (see article 4 of the Regulation). Within two (2) days from the application the provider is obliged to track the calls to the applicant’s number for a maximum period of fifteen (15) days (see article 5 παρ. 1 of the Regulation). After expiry of the fifteen (15) days period the provider gives to the applicant a catalogue of the tracked incoming calls that were made to his/her number (see article 5 παρ. 2 of the Regulation). The catalogue includes the calling number along with the date, time and duration of the call.

In case that a criminal investigation is conducted, the investigating Judge or Public Prosecutor may issue a special order for the tracking of offensive calls (see article 8 παρ. 7 of the Act no. 3471/2006, Regulation no. 234/2009, Public Prosecutor’s at the Supreme Court Opinion no. 1418/04-04-2012). The period of the tracking under such an order may extend up to one (1) month and shall refer to past incoming calls.

In case that fixed/mobile telephony service providers fail to comply with the procedure mentioned above, they may face charges for the criminal offences of disobedience and of harbouring a felon (see accordingly articles 169 and 231 of the Criminal Code, see also the Public Prosecutor’s at the Supreme Court Opinion no. 6/2012).

Links

Greek Authority for the Protection of the Confidentiality of Communications (CCA).
Act no. 2225/1994 for the Protection of the Confidentiality of Communications (GG 121/A/20-07-1994).
Act no. 3115/2003 on the Authority for the Protection of the Confidentiality of Communications.
Act no. 3471/2006 on the protection of personal data in electronic communications (GG 133/A/28-06-2006).
Act no. 3674/2008 (GG 136/A/10-07-2008).
Presidential Decree no. 47/2005 (GG 64/A/10-03-2005).
CCA Regulation no. 165/2011 on the protection of the confidentiality of electronic communications (GG 2715/B/17-11-2011).

Antonios Broumas
E-mail info@lawandtech.eu

Leave a Reply