The Supreme Court in the Republic of Cyprus has found that a law allowing indiscriminate phone data retention for police purposes violates EU rights to privacy, with experts describing the decision as a major upset in ongoing criminal cases built on private information.
(Click here for an update to the story)
Local media said the Supreme Court this week sided with a group of attorneys, whose clients challenged a 2007 data retention law aimed at facilitating the investigation of serious crimes.
The law requires telecommunications providers to retain phone records of all their subscribers or users for up to six months, with renewable periods in emergency situations as afforded by the Constitution. Although the Republic is technically still under a prolonged state of emergency, limitations or restrictions on fundamental rights and liberties are not known to be applied frequently.
The law also allows access to data without a warrant, where a formal letter and approval by the state’s Attorney General can force any telecommunications provider to produce the evidence immediately
But the plaintiffs said the specific law still went against applicable European law, Articles 15 and 17 of the Cyprus Constitution regarding private life and private correspondence, as well as European human rights.
“The general and indiscriminate retention of movement and location data and related data necessary for the identification of the user is inadmissible as being incompatible with European Law and European case law, regardless of protection assurances contained in the legislation concerning access to the data,” the lawyers argued.
But the defence, led by Deputy Attorney General Savvas Angelides, argued that national legislation was in line with provisions set by European courts that ensure derogations from basic rights on the basis of necessity, adding as long as those were not disproportionate “considering specific circumstances in the country regarding its size, population, and geographical distribution of crime.”
The deputy AG went on to argue that even if the data retention law was deemed to violate principles of legislation establishing mass surveillance of electronic communications, “the data which was accessed was retained by the providers anyway, therefore their retention was not illegal.”
Angelides, who said that organized crime was rampant throughout the nation, did not dispute the fact that phone records were being utilized by law enforcement to investigate offences and fight crime.
A number of high profile cases built on phone data are currently under investigation, including a thwarted alleged assassination plot against Israeli businessmen. The prime suspect’s phone records have led to the detention of four others after data showed communication between individuals, but police never clarified the nature of those links and whether the four secondary suspects were detained on suspicion of a serious crime.
While the full bench agreed that assurances within the law were adequate and there was no issue for police accessing records within those parameters, the 7 to 6 decision boiled down to the law being indiscriminate in allowing the retention of data in a “universal” manner against European laws on human rights.
Crime in small Cyprus does not justify retaining phone records on all citizens
The Supreme Court decision also called for additional legislation that would set specific criteria and thresholds that would justify data retention without breaching privacy.
“Just because Cyprus is small and there is crime throughout the country, this does not justify retaining phone records on all citizens,” the bench ruled.
Legal experts quickly weighed in following the decision, with many attorneys and media pundits pointing out several recent or ongoing cases could be affected by the decision.
Police have been criticized in the past for not accessing phone records in a number of cases of missing females, all foreign women and children, who were later found murdered on the island.
Law enforcement officials had dismissed some of the criticism, claiming investigators could not have had access to phone records in missing cases and arguing that parliament had rejected a bill that would have allowed unrestricted access.
But based on the penal code in the Republic of Cyprus, police officers could have obtained a court warrant for access to telecommunications data if they suspected a crime had been committed, including kidnapping.
The Cyprus police Association disagreed with that interpretation, arguing officers did not have the right to seek warrants in missing cases according to legislation at the time, adding only “serious crimes” could warrant a basis for requesting detailed records from phone companies.
The current data retention law stipulates that access to retained data can only be accomplished through a court warrant for suspected offences punishable for at least 5 years.
But the law also allows access to data without a warrant, where a formal letter and approval by the state’s Attorney General can force any telecommunications provider to produce the evidence immediately and without delay.