PROVISION OF REAL-TIME LAWFUL INTERCEPTION ASSISTANCE
Service providers and operators of public electronic communication networks may be required to intercept communications in the following scenarios:
CRIMINAL PROCEDURE ACT
a. A judge may, either ex officio or following an initiative by the judicial police or Public Prosecutor, issue an interception order if the criminal investigation for which a court authorisation is requested is carried out in relation to the prosecution of:
– one of the criminal offences referred to in Article 579.1 of the Criminal Procedure Act and approved by the Royal Decree of 14 September 1882 that was later modified by the Act 13/2015 of 5 October to strengthen procedural safeguards and regulate the technological investigation measures which entered into force in December 2015 (the Criminal Procedure Act); or
– other criminal offences perpetrated through an IT-based instrument or any other information or communications technology or communications service.
Requests for a court authorisation must contain the legal requirements set out by Article 588 bis b in relation to Article 588 ter d of the Criminal Procedure Act.
b. The Criminal Procedure Act states (according to Article 588 ter d3) that in cases of urgency, when the investigations are carried out in the context of the prosecution of criminal offences related to the activities of armed gangs or terrorist elements, the interception of communications may be ordered by the Minister of Home Affairs (Ministro del Interior), or by the Secretary of State for Homeland Security. In such cases, the measure has to be communicated within 24 hours. A reasoned opinion must be made in writing to the relevant judge, who will revoke or con rm it, also with a reasoned opinion, within 72 hours of when the measure was ordered.
c. Article 588 ter e of the Criminal Procedure Act obliges all providers of telecommunication services, providers of access to a telecommunications network or information society services to assist and collaborate with the judge, the Public Prosecutor or the agents of the judicial police to ensure compliance with the interception orders, while maintaining secrecy about the measures required. Failure to do this may lead to an offence of disobedience.
ACT 2/2002 OF MAY 6 ON PRIOR JUDICIAL CONTROL APPLICABLE TO THE NATIONAL INTELLIGENCE CENTER
d. According to Act 2/2002 of 6 May on prior judicial control as applied to the National Intelligence Centre, the National Intelligence Centre (CNI) may ask the operator to intercept communications in cases where the Secretary of State- Director of the CNI has obtained an authorisation from a competent judge of the Supreme Court, in accordance with the specific requirements under such law.
e. In cases of justified urgency (based on the authorisation request submitted by the Secretary of State-Director of the CNI), the competent judge may con rm or deny the requested authorisation with a reasoned opinion issued within 24 hours (rather than the usual 72 hours).
THE UNIVERSAL SERVICE REGULATION
Articles 83 to 101 of the Regulation on the conditions for the provision of electronic communication services, the universal service and the protection of users, approved by Royal Decree 424/2005 of 15 April and modified by Royal Decree 726/2011 of 20 May (the Universal Service Regulation), determine the procedure and the measures to be adopted by service providers and operators of public electronic communication networks to intercept communications in cases where they are obliged to do so by law. The Universal Service Regulation establishes, among other things, the general requirements of the procedure, access requirements, the information to be delivered to the authorised agent (judicial police or CNI agent) and other operational requirements (previous information, locations, authorised personnel, confidentiality, real-time access, interception interfaces, etc).
A court order or an authorisation must be issued by the relevant judge before the interception takes place, except in case (b) outlined above.
In addition, Order ITC/110/2009 of 28 January on the general framework applicable to the specifications to be followed for the legal interception of communications (General Framework Order) establishes the relevant technical requirements and interfaces to be implemented by service providers and operators of public electronic communication networks to carry out the interception of a communication.
GENERAL TELECOMMUNICATIONS ACT 32/2003
Article 39 of the General Telecommunications Act 9/2014 of 9 May (LGTel) sets out the operator’s duty to intercept communications when required to do so by the relevant authorities through the appropriate interfaces and technical resources, that should be ready for this purpose. This Act, the Universal Service Regulation and the General Framework Order together provide a detailed description of the obligations of operators in terms of measures, procedures, interfaces and technical requirements to be put in place in order to comply with their interception duties.
In addition, there are further Orders which aim to regulate particular technologies, such as:
i. Order ITC/313/2010 of 12 February implementing and adapting the technical specification ETSI TS 101 671 on Lawful Interception (LI) and on the handover interface for the LI of telecommunications traf c; and
ii. Order ITC/682/2010 of 9 March implementing and adapting the technical specification ETSI TS 133 108 (3GPP TS 33.108) on the Universal Mobile Telecommunications System (UMTS), as well as 3G security and the handover interface for LI.
These laws do not appear to grant government and law enforcement agencies the legal powers to allow direct access into a communication service provider’s networks without the operational or technical control or cooperation of the communications service provider.
DISCLOSURE OF TRAFFIC DATA
DATA RETENTION ACT 2007
Act 25/2007 of 18 October on data retention related to electronic communications and public communication networks (Data Retention Act) regulates:
i. the operator’s obligation to retain traffic and localisation data, as well as other necessary data to identify the user (traf c data) generated or processed in the provision of electronic communication services or public communication networks; and
ii. the duty to transfer such traf c data to the relevant agents whenever they are required to do so, through the relevant court order or judicial authorisation. In addition to the judicial police and CNI agents, the Data Retention Act explicitly includes the staff members of the Office of Customs Surveillance as authorised agents in this regard.
The Data Retention Act, among other things, regulates the traf c data to be retained, the obligation to store traffic data, the period of time during which such traffic data must be stored or retained by the operator, the procedure and security measures involved in the transfer of the traffic data to the relevant agents, and the sanctions to be imposed on operators that do not comply with such obligations.
The content of the communications is explicitly excluded from the scope of this Act.
In accordance with Articles 6 and 7 of the Data Retention Act, operators have the obligation to disclose the retained data to the authorised agents (see above), following the instructions contained in a court order issued by the relevant judge and according to the provisions of the Criminal Procedure Act and the principles of necessity and proportionality.
ACT 13/25 THAT MODIFIES THE CRIMINAL PROCEDURE ACT
On December 2015, Act 13/2015 of 5 October which modified the Criminal Procedure Act entered into force stating that electronic traf c or associated data retained by service providers may only be disclosed for inclusion in the process by a court order. When such information contained in a service provider’s automated archives is deemed indispensable for the ongoing investigation, the appropriate authorisation must be requested from the competent judge.
In addition to this, either the Public Prosecutor or the judicial police may require any legal person to retain and protect certain data or information in a computerised storage system until the appropriate court order authorising its disclosure is obtained. The maximum timeframe for this retention cannot be more than 180 days.
Moreover, Articles 588 ter k, 588 ter l and 588 ter m set out the conditions for accessing non-traf c data without a court order, provided this is necessary for the purposes of identifying users, terminals and connected devices, and as long as the applicable requirements are met. In this sense:
i. Article 588 ter k concerning ‘Identi cation through IP number’ states that whenever the agents of the judicial police have access to an IP address used to commission a crime, they may ask the competent judge to prompt the subjects under the assistance and collaboration duties of Article 588 ter e, to disclose the data allowing them to identify and localise the terminal or connected device and also identify the suspect;
ii. according to Article 588 ter l, in the context of a criminal investigation, the agents of the judicial police may use technical tools to gain access to identification codes or technical tags belonging to a communication device or any of its components (eg IMSI or IMEI numbers), provided that the subscriber’s number could not be obtained and it is deemed indispensable for the purposes of the investigation; and
iii. under Article 588 ter m, whenever the Public Prosecutor or the judicial police, in the exercise of their functions, need to know the ownership of a telephone number or of any other means of communication, or conversely, require the telephone number or the identifying data of any means of communication, they may address the provider directly and such provider will be obliged to provide that information.
NATIONAL SECURITY AND EMERGENCY POWERS
According to Article 4.6 of the General Telecommunications Act (LGTel), the government may, exceptionally and temporarily, enable the General Administration to take over direct management of certain services or exploit certain electronic communications networks in order to ensure public safety and national defence.
Moreover, on the basis of a breach of public service obligations (under the Title III General Telecommunications Act), the government, following a mandatory report from the telecoms regulatory authority (CNMC), may also, exceptionally and temporarily, enable the General Administration to take over the direct management of the services or exploit corresponding networks. Regarding the latter, it may also, under the same conditions, intervene in the provision of electronic communications services.
According to the exceptional regulations provided by Act 4/1981 of 1 June on the states of alarm, emergency and siege (LSAES):
• during a state of alarm (in the case of essential goods running out in the whole of Spain or in a certain region – Article 4.d), the government may issue necessary orders (Article 11.e) or decide to intervene in those services or mobilise its personnel (Article 12.2) in order to ensure the functioning of the affected services;
• during a state of emergency (which may be requested because of a serious alteration of essential public services or for other reasons), the government may intercept any kind of communications provided this is necessary to clarify alleged criminal offences or to maintain public order (Article 18); and
• during a state of siege, the government directing military and defence policies will assume all exceptional prerogatives (Article 33.1).
The declaration of a State of Alarm will be conducted by Decree agreed by the Cabinet.
Once the government has obtained an authorisation from the Congress, it shall declare a State of Emergency, by Decree agreed by the Cabinet. The authorisation must include the suspension of article 18.3 of the Spanish Constitution, related to the secrecy of communication, in order for Article 18 LSAES to be applicable.
The government proposes the declaration of State of Siege before the Congress.
In addition, Article 8.2 of Act 34/2002 of 11 July on information society services and electronic commerce (LSSI) states that in order for the competent authorities to identify an alleged infringer, they may ask information society service providers (ISSPs) (which may include telecommunications operators) to disclose data which would permit such identification. This request must be based on a previous judicial authorisation, in accordance with Article 122 bis of the Law 29/1998 of 13 July governing Administrative Jurisdiction (LJCA).
Article 122 bis of the LJCA refers to the necessary requirements that must be met in order to obtain judicial authorisation: an initial request by the competent authorities, that must include the pertinent reasons for the request and also the relevant documents. The court, within 24 hours from the request and once the Public Prosecutor has been heard, may issue the requested authorisation, provided that it will not affect Article 18 paragraphs 1 and 3 of the Constitution.
OVERSIGHT OF THE USE OF POWERS
In line with the Criminal Procedure Act, the relevant court order will determine the extension and scope of the disclosure to be carried out. The relevant judge has a duty of supervision to ensure compliance with such a court order.
The competent judge must be notified immediately and in reasoned writing of the intervention determined from Article 18 of the LSAES.
CENSORSHIP RELATED POWERS
SHUT-DOWN OF NETWORK AND SERVICES
ACT 4/1981 OF 1 JUNE ON THE STATES OF ALARM, EMERGENCY AND SIEGE
Under Act 4/1981 of 1 June on the states of alarm, emergency and siege, certain constitutional rights are suspended and an exceptional legal regime is provided for those situations when Spain experiences one of these states. The most relevant to the shut- down of Vodafone’s network and/or services are the powers which the government obtains when a state of alarm or siege is declared.
A state of alarm occurs when there is shortage of essential goods or services in either the whole of Spain or a certain region of it (for example, as a result of a general strike); it can only be declared by decree of the government that must report this state to the Congress (Parliament). Without this authorisation, the government cannot extend the initial period of 15 days. Under Article 11 of the LSAES, during a state of alarm, the government may intervene to remedy the shortage. It is feasible, therefore, that should a major issue arise in respect of Spain’s communications, the government might intervene in relation to Vodafone’s network. It is most likely that such an intervention would be used to improve or restore the affected network or communication service. However, it is possible that such an intervention could extend to closing the network or shutting the service down.
A state of siege occurs when the government is concerned with military and defensive policies related to protecting the national security. The government must submit its proposal before Parliament in order to declare a state of siege. During a state of siege, the government may assume all exceptional prerogatives which come with it – including the ability to order a shut-down of Vodafone’s network or services.
GENERAL TELECOMMUNICATIONS ACT 9/2014 OF 9 MAY
Articles 79 (sanctions) and 82 (interim measures in the framework of sanctioning proceedings) of the LGTel establish that the government or the telecoms regulatory authority, CNMC, may suspend (as an interim measure) or withdraw a network provider’s right to provide electronic communications networks, services and/or utilities. They may only do so in the case of serious and repeated breaches by the network provider relating to service provision, network exploitation or the granting of usage rights, or specific conditions that the regulator has imposed on that operator, when previous measures to request the cease of the breach have been unsuccessful. The government and CNMC, therefore, have the power to shut down Vodafone’s network or certain parts of
Vodafone’s services, but only if they deem Vodafone to have seriously or repeatedly breached its obligations as a network provider.
In addition, Article 28.1 of the LGTel, together with its complementary regulations (Articles 17 and 53 of the Royal Decree 424/2005), states that the government may, for reasons of national defence, public security or civil protection, impose other public service obligations that differ from the Universal Service Regulation.
BLOCKING OF URLS & IP ADDRESSES
ACT 34/2002 OF 11 JULY ON INFORMATION SOCIETY SERVICES AND ELECTRONIC COMMERCE
Under Article 11.1, where a competent authority has found certain content to infringe the principles set out in Article 8.1, a court may order a network provider (such as Vodafone) to suspend access on its network to such content. In practice, Vodafone would do this by blocking the URL or IP addresses which link to the content being hosted. The principles set out in Article 8.1 include:
a. safeguarding public order, security and national defence;
b. protecting public health and consumers; c. respecting fundamental rights (dignity, non-discrimination);
d. child protection; and
e. safeguarding intellectual property rights.
COPYRIGHT ACT 1/1996
In connection with the Act above, the Copyright Act, approved by Royal Decree 1/1996 of 12 April and modi ed by Act 21/2014 of 4 November, developed the safeguarding of intellectual property rights over the internet by broadening the liability of intermediary service providers and increasing penalties for copyright infringement.
In particular, Section Two of the Copyright Commission represents the body in charge of the notice of takedown procedure against alleged copyright infringing activities by information society service providers (ISSPs) (eg blogs, websites) and ISSPs providing the description and location of presumably infringing works displayed on the website by means of an active contribution (not merely technical intermediation). Especially relevant is the fact that whenever ISSPs refuse to collaborate with the requests of the Copyright Commission over the removal of infringing content, intermediary service providers (such as Vodafone) may be required to suspend the services offered to such ISSPs.
To request a suspension of the service or the blocking of access to infringing resources, the Copyright Commission must be granted prior authorisation by a judge. In addition, in cases of serious infringements or where the social impact of the infringement is high, the ISSP may be required to cease its activities for a maximum of one year. To ensure the effectiveness of this measure, the intermediary service providers may be requested (provided that the authorisation of a judge is obtained) to suspend the service provided to such ISSP. In both scenarios, and under the amended Copyright Act, the lack of cooperation with the Copyright Commission (ie not suspending the service) is regarded as a very serious infringement under the LSSI.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
ACT 4/1981 OF 1 JUNE ON THE STATE OF ALARM, EMERGENCY AND SIEGE
See ‘Shut-down of network and services’ above.
GENERAL TELECOMMUNICATIONS ACT
In principle, the LGTel allows the government, in a state of emergency or siege, to manage the telecommunications service as a ‘temporal’ public service. In particular, Article 4.6 (telecommunications services for national defence, public and traf c safety, and civil protection) of the LGTel states that the government may, exceptionally and temporarily, order the General Administration to assume direct management of certain electronic communications networks or services, in the interests of public safety or national defence.
OVERSIGHT OF THE USE OF POWERS
ACT 4/1981 OF JUNE 1 ON THE STATE OF ALARM, EMERGENCY AND SIEGE
There is no judicial oversight of the specific emergency powers provided for when a state of alarm or siege is declared. The intervention determined according to Article 18 of the LSAES (state of emergency) must be notified immediately through a reasoned report to the competent judge.
GENERAL TELECOMMUNICATIONS ACT
There is no judicial oversight of the government’s or CNMC’s use of the powers provided for by the General Communications Act.
In all cases, the enforcement of the collaboration measure issued to the relevant intermediation services provider requires prior authorisation by a competent judge in accordance with the procedure established under Article 122 bis LJCA.
This information was originally published in the Legal Annexe to the Vodafone Group Law Enforcement Disclosure Report in June of 2014, which was updated in May of 2017.