Access to Telephone Data: Safeguards Applying to Incoming Calls - 3 November 2005 
[doc. web n. 1299003]
[ doc. web n. 1189488]
Access to Telephone Data: Safeguards Applying to Incoming Calls - Provision dated 3 November 2005
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having regard to the international and Community legislation concerning protection of personal data (Directives 95/46/EC and 2002/58/EC);
Having regard to the Personal Data Protection Code (legislative decree no. 196/2003);
Having regard to Book V, Title VI-bis ("Investigations by Defence Counsel") of the Criminal Procedure Code as introduced by Section 11 of Act no. 397 of 7 December 2000;
Having regard to the records on file;
Having regard to the consideration made by the Secretary General pursuant to Section 15 of the Garante´s Rules of Procedure (no. 1/2000);
Acting on the report submitted by Mr. Giuseppe Fortunato;
Some reports and claims submitted to the Garante have highlighted implementing issues in outlining the extent to which providers of publicly available electronic communications services may comply with requests for accessing personal data related to incoming phone calls (Section 8(2), letter f), of the DP Code).
The Garante notes hereby that it is necessary to draw the said providers´ attention to the above issues and lay down some guidelines by having regard to the peculiar sensitivity of the issues in question.
1. Personal Data and Precautions to Be Taken in Connection with the Exercise of Rights
The data related to incoming telephone traffic are personal data.
This information has sensitive implications to the relevant data subjects. The personal data concerning incoming phone calls may actually relate not only to the subscribers (or holders of prepaid phone cards: see Section 4(2), letter f), of the DP Code), but also to other entities such as calling and/or called natural persons other than the subscribers – e.g. family members, friends, members of a community, employees.
The sensitiveness of those implications produces effects also on the exercise of data subjects´ rights. This exercise is actually subject to specific precautions, which mirror other safeguards set out in the law with regard to a different issue – i.e. unsolicited phone calls (Section 127 of the DP Code).
As a rule, it is not permitted to apply to the provider of electronic communications services in order to submit any of the requests envisaged in Section 7 of the DP Code with regard to the processing of telephone data. In particular, it is not permitted to get access to the data identifying incoming phone calls.
However, on an exceptional basis, a request to exercise data subjects´ rights may be lodged and complied with if proof is given that the provider´s reply is necessary because otherwise "this may be actually and concretely prejudicial to performance of the investigations by defence counsel as per Act no. 397 of 7 December 2000" (Section 8(2), letter f), of the DP Code).
This precondition must be fulfilled in order to exercise any of those rights in respect of any data related to incoming telephone traffic – whereby telephone traffic data means "any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof" (Section 4(2), letter h), of the DP Code).
This provision will address, more specifically, the appropriate conduct to be followed by a provider in case a data access request is lodged.
2. Safeguards Applying to Access Rights
In principle, the right to access personal data related to incoming phone calls is not provided for and may only be exercised in connection with specific evidentiary requirements in the criminal sector.
Since this is an exception to the general rule whereby access is not allowed, the provision in question (Section 8(2), letter f)) must be applied and construed restrictively. Therefore, a request lodged with a provider is only legitimated if it is grounded on the intention of using the data exclusively within the framework of a criminal proceeding – which is not the case, for instance, in a civil litigation and/or non-contentious proceedings.
The requesting party must also prove that the access is necessary by making available suitable evidence to the provider to the effect that failure to access the data would result into an actual, concrete detriment to the performance of investigations by defence counsel (Act no. 397 of 7 December 2000).
The detrimental effect to be proven by the requesting party must not be simply possible or potential, indeed it must be a real and specific one.
A provider may not comply with a request that only shows that knowledge of incoming telephone traffic data – which may have been already acquired by the judicial authority in the context of a criminal proceeding – might be helpful and/or instrumental in view of ensuring the rights of defence.
The provider must also obtain a statement, to be undersigned directly by the requesting data subject (and/or the counsel empowered to carry out investigations), whereby the data subject certifies, under his own responsibility, that the information provided is true and undertakes not to use the data for purposes and/or in ways that are not permitted.
3. Controls to Be Carried out by the Provider
The service provider must consider the access request and establish whether the preconditions for granting access are fulfilled.
When establishing if an access request is in line with legal requirements, the service provider must verify, in the first place, the requesting data subject´s identity and title.
The said verification should be carried out with the utmost care in all cases.
Even greater care will be required in checking that the data at issue relate to the requesting party if the request is lodged by a non-subscriber, or by the holder of a pre-paid mobile phone card. This also applies to consideration of the time span for which telephone traffic data have been requested, if the request comes either from a new subscriber or from a new user that only avails himself of pre-paid phone cards.
The requesting data subject is responsible for making available to the provider all the information required in order to prove that the data relate to him/her and allow the request to be granted. It is necessary to describe specifically and in concrete, also concisely, the factual circumstances underlying the request, which must be supported by specific documents.
Although it is not indispensable for the requesting party to also specify the registration number of a criminal proceeding, partly because the investigations by defence counsel may be started lawfully in advance and/or in view of the possible institution of such a proceeding (see Section 391-nonies of the Criminal Procedure Code), the provider must be enabled to verify that the request is adequately grounded as for the existence of an actual, concrete detriment to ongoing investigations by defence counsel.
The provider may not make compliance conditional upon the submission of an authorisation by judicial authorities – which is not required, see Section 132(3) of the DP Code – nor may they dismiss all access requests without first carrying out the required checks and controls.
If the relevant preconditions are fulfilled, the access right may be exercised in respect of all personal data regardless of the mechanisms for their retention, i.e. including the data retained under a legal obligation (Section 132(3) of the DP Code).
Traffic data related to telephone communications other than phone calls may also be requested except for the respective contents – in particular as regards SMS and MMS text messaging, see Section 4(2), letters a) and b) of the DP Code.
Replies, including negative replies, must be provided to the requesting data subjects without delay and anyhow by fifteen days following receipt of the relevant request as per the law.
Where it proves especially complex to carry out the activities required in order to comply in full with the access request, or where any other justified reasons apply, it is necessary to notify the data subject thereof by the said fifteen-day term and the reply must be provided within thirty days as from the aforementioned receipt (Section 146(3) of the DP Code).
Where a data subject receives no reply or believes the reply not to be appropriate, he/she may apply either to judicial authorities or to the Garante as per the law in order to exercise his/her access rights (Section 145 et seq. of the DP Code).
As it is necessary under the law to restrict access to the data that, if not disclosed, might result into the aforementioned detriment, when granting the request the provider must only take account of the following data related to incoming communications – bar exceptional cases for which ad-hoc evidence and grounds must be made available: calling party´s number; date, starting time and type of the communication; call duration.
The data disclosed in connection with access requests may not be used by the requesting party in non-criminal contexts. Any use of the data for purposes other than those specified results into the data in question being irretrievably barred from use (Section 11(2) of the DP Code).
4. Security of the Data and Information Provided by the Requesting Data Subject
Providers must take ad-hoc measures in processing the data and information supplied by the requesting data subjects so as to ensure that the said data and information are disclosed and kept according to mechanisms that are equivalent to those set out under the law in respect of the processing of traffic data (Section 123(5) of the DP Code).
BASED ON THE ABOVE PREMISES, THE GARANTE
In pursuance of Section 154(1), letter c), of the DP Code, hereby orders the providers of publicly available electronic communications services, when acting as controllers of the processing of personal data, to take the necessary and appropriate measures under the terms set out in the premises in order to ensure that the processing of personal data related to requests for exercising data subjects´ rights in respect of incoming telephone communications is brought into line with the legislation in force.
In particular, the Garante orders the providers to:
- First establish identity and title of the requesting data subject;
- Carry out, on the basis of the information provided by the requesting party, controls in order to establish that the request is adequately grounded as for the existence of an actual, concrete detriment to ongoing investigations by defence counsel and subsequently proceed with communicating the data related to incoming telephone traffic exclusively if this is the case;
- Obtain a declaration to be undersigned in person by the requesting data subject and/or by the counsel entrusted with carrying out the relevant investigations, in which the declarant certifies, under his/her own responsibility, that the information provided is true and undertakes not to use the data for purposes and in ways that are not permitted;
- Handle the requests lodged by data subjects without delay, anyway by the deadline set out in the law under Section 146(2) and (3) of the DP Code;
- Process the data and information provided by the requesting data subjects by taking ad-hoc measures aimed at ensuring that they are disclosed and kept according to mechanisms that are equivalent to those set out under the law in respect of the processing of traffic data (Section 123(5) of the DP Code).
Done in Rome, this 3rd day of November 2005
THE SECRETARY GENERAL