CLFR - Montenegro

Monday, January 8, 2018 - 12:11

PROVISION OF REAL-TIME LAWFUL INTERCEPTION ASSISTANCE

CONSTITUTION OF MONTENEGRO 

(OFFICIAL GAZETTE OF MONTENEGRO NO.1/2007 AND 38/2013, USTAV CRNE GORE) (THE “CONSTITUTION”)

The Constitution guarantees confidentiality of letters, telephone conversations and other means of communication and provides that derogation from this right is allowed only on the basis of a court decision if necessary in criminal proceedings or for national security (Article 42). These rights may only be limited by the law, for the purpose provided by the Constitution and to the extent necessary to satisfy the constitutional purpose of the limitation in question in an open and free democratic society (Article 24).

ELECTRONIC COMMUNICATIONS ACT

(OFFICIAL GAZETTE OF THE REPUBLIC OF MONTENEGRO NOS. 40/2013 AND 56/2013, ZAKON O ELEKTRONSKIM KOMUNIKACIJAMA) (THE “ECA”)

The ECA prohibits interception of electronic communications unless it is necessary, adequate and proportionate in the interests of national security, defence, prevention of crime, investigation of a crime, revealing and prosecuting criminal offenders or combatting the unauthorised use of a system for electronic communications, as well as for finding or rescuing people and for the protection of lives and property (Article 172, paragraphs 2 and 4).

In relation to the powers available under Article 172, network operators and service providers are obliged to provide, upon the request of the competent government agency, and at their own expense, necessary technical and organizational conditions to enable interception of communications, and to inform the Agency for Electronic Communication (the “Agency”) about the interception. Network operators and service providers are obliged, in cooperation with the government agency on whose request the interception is performed, to make a permanent record of the fact that the communication was intercepted and to keep any data collected, and the fact that the data has been collected in such a way, a secret (Article 180).

The ECA does not impose an obligation on network operators and service providers to directly intercept individual customer communications, nor does it specify which government agencies are authorised to request interception. The ECA does not provide a maximum duration for an interception. Since such interception is allowed by the Constitution for the purpose of conducting criminal proceedings or for the protection of national security, however, only the competent criminal court (whose order is implemented by the police) and the Agency for National Security (the “ANS”) are authorised to require such interception under the conditions stipulated in the ECA and the legislation concerning their activities. The maximum duration for each interception is regulated by the specific legislation applicable to the activities of criminal courts and the ANS.

CRIMINAL PROCEDURE CODE

(OFFICIAL GAZETTE OF MONTENEGRO NOS. 57/2009, 49/2010 AND 47/2014, ZAKONIK O KRIVIČNOM POSTUPKU) (THE “CPC”)

Under the CPC, interception and surveillance of electronic communications are stated to be secret surveillance measures available both at the pre-investigation stage and the investigation stage of criminal proceedings.  Such measures may be ordered against a person suspected of committing or preparing certain categories of crimes, if evidence of that crime cannot be collected in any other way, or if gathering of evidence by other means would cause disproportional risk or jeopardize lives (Article 157). The relevant crimes for this purpose are those punishable with imprisonment of 10 years or more, organized crime, and certain crimes with elements of corruption, such as money laundering, cyber-crime and blackmail (Article 158).

Interception may also be ordered against a person who is under reasonable suspicion of transferring messages to and from a suspect related to one of these crimes, or whose phone or other means of communication are used by a suspect (Article 157). The order for such interception is issued by the competent criminal court, upon the written request of the State Prosecutor for a maximum period of four months, with the possibility of an extension of three months (Article 159). The court’s order must be accompanied with a separate order containing the phone number or email address of the suspect to be intercepted and the duration of the interception, which will be implemented by the police, to whom the network operator or service provider shall provide all necessary assistance (Articles 159 & 160).

Exceptionally, if written approval cannot be issued in time, and delay would be detrimental to the investigation, interception may commence based on the oral approval of the investigation judge, in which case a written order for interception must be issued within 12 hours of obtaining oral approval (Article 159). Network operators and service providers are obliged to enable the interception of communications by authorised police (Article 159 and Article 160). If the State Prosecutor decides not to initiate criminal proceedings against the suspect, the collected materials must be delivered to the investigation judge for destruction (Article 160). Evidence collected by interception which was not ordered or performed in accordance with this procedure will be declared inadmissible and the competent court shall order its destruction (Article 161).

THE AGENCY FOR NATIONAL SECURITY ACT

(OFFICIAL GAZETTE OF MONTENEGRO, NOS. 28/2005, 86/2009, 73/2010 AND 20/2011, ZAKON O AGENCIJI ZA NACIONALNU BEZBJEDNOST) (THE “ANSA”)

ANSA authorises the ANS to collect data by secret interception and surveillance of electronic communications if other investigation measures would not provide an adequate result, or if it would cause disproportionate risk or threaten lives or health (Article 9 and 13).

When there is a reasonable suspicion of a threat to national security, an interception may be ordered by a decision of the President of the Supreme Court of Montenegro, or in his/her absence the designated judge of that court (Article 14).

Such interception is ordered for a period of three months, and for serious reasons may be extended in additional three month periods, but its overall duration must not exceed 24 months (Article 15). Article 15 also provides that network operators and service providers are obliged to enable and guarantee conditions necessary for such interception.

DISCLOSURE OF COMMUNICATIONS DATA

ELECTRONIC COMMUNICATIONS ACT

(OFFICIAL GAZETTE OF MONTENEGRO NOS. 40/2013 AND 56/2013, ZAKON O ELEKTRONSKIM KOMUNIKACIJAMA) (THE “ECA”)

Network operators and service providers are obliged to retain certain data on traffic and location, as well as data relevant for identification and registration of their customers.  Such data may only be retained for the purposes of national security, defence, prevention of crime, investigation, revealing and prosecuting criminal offenders or the unauthorised use of a system for electronic communications.  It may also be used to find or rescue people and for the protection of lives and property (Article 181 ECA).

Network operators and service providers must also provide, at their own expense, necessary technical and organizational conditions which would enable competent government agencies to take over such data (Article 181).  This would oblige a network operator or service provider to decrypt encrypted data when required to do so by court order.

The period of retention must not be shorter than six months nor longer than two years from the moment the communication occurred (Article 181, paragraph 5). Government agencies may request access to the metadata retained by network operators and service providers. Network operators and service providers are obliged to keep annual records and statistics on data which have been delivered to government agencies and records on requests for delivery of retained metadata which could not be executed (Article 181, paragraph 6).

According to Article 182, network operators and service providers are obliged to retain data on:

  • tracing and identifying the source and destination of a communication;
  • identifying the location of the parties to the communication;
  • determining date, time and duration of a communication;
  • identifying the type of communication;
  • identifying users’ terminal equipment; and
  • identifying the location of the users’ mobile terminal equipment.

Under the provisions of Article 181, paragraph 3, network operators and service providers must not retain the content of customer communications. However, since Article 180, paragraph 2 allows interception of electronic communications on the basis of a court decision, if such court decision contains an order for the retention of the content of electronic communications, network operators and service providers would be obliged to act upon it.

Article 183, paragraph 1, obliges network operators and service providers to ensure that the quality and level of protection of retained metadata is the same as the quality and level of protection of the data circulating on the network.  In addition, operators should undertake adequate technical and organizational measures to prevent unlawful or accidental destruction, loss or modification of retained metadata, unauthorised storage, processing, access or disclosure of the retained metadata.  Access to the retained metadata should only be granted to those persons authorised by the network operator or service provider.  Any metadata not accessed at the end of a prescribed period of retention must be destroyed.

CRIMINAL PROCEDURE CODE

(OFFICIAL GAZETTE OF MONTENEGRO NOS. 57/2009, 49/2010, 47/2014, ZAKONIK O KRIVIČNOM POSTUPKU) (THE “CPC”)

Under the CPC, if there is a reasonable suspicion that a prosecutable offence has been committed, the police may, by their own volition, or at the request of the State Prosecutor, inform the Public Prosecutor of all necessary actions required to collect information which would be useful for criminal prosecution, including requesting network operators and service providers to disclose the metadata of a particular communication (Article 257). However, in its decision U-I 34/2011 of July 23, 2014 the Constitutional Court of Montenegro declared unconstitutional the part of Article 257 that allowed the police to request metadata from network operators and service providers without a court decision. Network operators and service providers are, therefore, obliged to disclose retained metadata only on the basis of a court decision.

POLICE ACT

(OFFICIAL GAZETTE OF MONTENEGRO NOS. 44/2012, 36/2013 AND 1/2015, ZAKON O UNUTRAŠNJIM POSLOVIMA) (THE “PA”)

Under the PA, the police are authorized to collect personal and other data to the extent necessary for performance of their activities aimed at prevention and suppression of crimes and protection of public order (Article 37 of PA). State bodies, local authorities and legal entities are obliged to enable inspection and to deliver, at the request of the police, data from their records.

The request made by the police to collect the data must contain the following:

  • the legal grounds for the collection of the data;
  • the details of the requested data;
  • the purpose for which the data are requested;
  • sufficient information necessary for determining the identity of a person to whom the requested data are related; and
  • a warning that it is a criminal offence to reveal to any third party the content of the request or which data is provided under it.

The police may also electronically inspect the records kept by legal entities if the entity has the technical arrangements to allow electronic inspection.

However, if the data requested is:

  • for the purpose of commencing or continuing a criminal investigation, the police are not obliged to state in the written request why the criminal investigation is starting or continuing; and
  • based on a court’s order or state prosecutor’s order, the police do not have to explain why the data is being requested (Article 39 of PA).

THE AGENCY FOR NATIONAL SECURITY ACT

(OFFICIAL GAZETTE OF MONTENEGRO, NOS. 28/2005, 86/2009, 73/2010 AND 20/2011, ZAKON O AGENCIJI ZA NACIONALNU BEZBJEDNOST) (THE “ANSA”)

On the written request of the ANS, network operators and service providers are required to enable access to data contained in their records and to keep all such requests a secret (Article 8). On the basis of a court decision, the ANS is authorised to collect data by secret interception and surveillance of electronic communications if other investigation measures would not provide an adequate result, or if it would cause a disproportionate risk or threaten  people’s lives or health (Article 9 and 13).

ANSA does not contain a definition of surveillance and therefore it is not clear whether collection of metadata from network operators and service providers falls within Article 8 or Article 9. However, decision U-I 34/2011 of July 23, 2014 of the Constitutional Court of Montenegro states that the collection of metadata for the purpose of conducting criminal proceedings is allowed only on the basis of a court order.

Furthermore, the Agency for Personal Data Protection (the “Agency for PDP”), which monitors data protection and is authorised to issue opinions concerning the interpretation of laws related to data protection, rendered two opinions concerning the obligation of network operators and service providers to disclose metadata to government agencies (opinion no. 993/2014 of February 11, 2014 and opinion no. 5342/2014 of July 23, 2014).

These opinions are not binding, but indicate the position of the Agency for PDP, namely that network operators and service providers are obliged to disclose the retained metadata to the police and the ANS only on the basis of a court order, if data are required for the purpose of national security, defence, prevention of crime, investigation, revealing and prosecuting of criminal offenders or unauthorised use of a system for electronic communications. However, the Agency for PDP holds that in cases of police activity related to finding or rescuing people which are not conducted for the purpose of criminal investigation or prosecution, network operators and service providers may, even without a court order, disclose the retained metadata to the police.

NATIONAL SECURITY AND EMERGENCY POWERS

DEFENCE ACT

(OFFICIAL GAZETTE OF MONTENEGRO, NOS. 47/2007, 86/2009, 88/2009, 25/2010, 40/2011 AND 14/2012, ZAKON O ODBRANI) (“DA”)

In a “state of emergency”, defined as natural disasters, technology or environmental disasters, epidemics, danger to the public security or threat to the constitutional order (Article 5, paragraph 1, subparagraph 6) or “state of war”, defined as the state of imminent war, danger or military attack on the territory of Montenegro (Article 5, paragraph 1, subparagraph 7), legal entities in the field of postal-telegraph-telephone traffic and other carriers of telecommunications systems must prioritise  the delivery of services as specified by the Ministry of Defence (Article 21, paragraph 1).

ELECTRONIC COMMUNICATIONS ACT

(OFFICIAL GAZETTE OF MONTENEGRO NOS. 40/2013 AND 56/2013, ZAKON O ELEKTRONSKIM KOMUNIKACIJAMA) (THE “ECA”)

The ECA obliges network operators and service providers to prepare an action plan for protection of the integrity of electronic communications networks and their usage in a state of emergency or war and to submit it to the Ministry of Information Society and Telecommunications, the Agency for Electronic Communications, and other competent state bodies in charge of defence and security (Article 61, paragraphs 1 and 3).

Network operators and service providers are obliged to make available their electronic communications networks to the competent state bodies (Article 61, paragraph 4) and to provide prioritised communication between certain terminal points which are defined by the government. For the purpose of enabling such prioritised communication, the government may order a network operator or service provider to temporarily disable its other network connections or to undertake other measures, if it deems it necessary (Article 62).

CONSTITUTION OF MONTENEGRO

(OFFICIAL GAZETTE OF MONTENEGRO NO.1/2007 AND 78/2013, USTAV CRNE GORE) (THE “CONSTITUTION”)

In a state of emergency or a state of war the Constitution allows the introduction of measures which derogate from the overarching principle of confidentiality of letters, telephone conversations and other means of communication and protection of personal data (Article 25). Consequently, in such instances government agencies may request access to customer communications data and/or their networks held by network operators and service providers, without following the usual procedure of presenting a court decision authorising interception or access to retained data. According to Article 132 and 133, a state of war or emergency is proclaimed by the Parliament, or by the Council for the Security and Defence if the Parliament is not in position to convene.

CENSORSHIP RELATED POWERS

ENFORCEMENT AND SECURITY ACT

(OFFICIAL GAZETTE OF MONTENEGRO, NO. 36/2011 AND 28/2014, ZAKON O IZVRŠENJU I OBEZBEĐENJU) (“ESA”)

Although there is no specific provision which explicitly regulates censorship or the blocking of IP addresses, network operators and service providers would be obliged to censor customer communications pursuant to the ESA, if such an order were given by a competent court in the form of an interim measure on the basis of some other law or in the form of a final court decision.

OVERSIGHT OF THE USE OF THESE POWERS

JUDICIAL OVERSIGHT

Since the CPC and ANSA provide that interception of electronic communications is allowed on the basis of a court order, each interception is overseen by the competent criminal court which ordered the interception and which monitors its enforcement (Article 180, paragraph 2 ECA; Article 159, paragraphs 1 and 5 and Article 160 CPC; Articles 14 and 15 ANSA).

ELECTRONIC COMMUNICATIONS ACT

(OFFICIAL GAZETTE OF MONTENEGRO NOS. 40/2013 AND 56/2013, ZAKON O ELEKTRONSKIM KOMUNIKACIJAMA) (THE “ECA”)

Although the ECA does not explicitly mention oversight of the interception procedure, it contains provisions concerning the general oversight of network operators’ and service providers’ operations conferred to the Agency for Electronic Communications (the “Agency”) and to the Administrative state body for inspection tasks (Articles 184 and 185). According to Article 189, paragraph 1, subparagraph 6, the Agency monitors the security of an operator’s or a service provider’s electronic communications network and services and their compliance with the provisions relating to the confidentiality of communications. The Agency is authorised to order network operators and service providers to undertake, within a reasonable deadline, measures necessary for adjusting their activities in line with the statutory requirements to keep communications confidential (Article 189, paragraph 3).

Article 180, paragraph 1, obliges network operators and service providers to inform the Agency about their technical and organizational capabilities which enable interception of electronic communications. The Agency monitors the work of network operators and service providers and is authorised to request a network operator or service provider to correct any irregularity in its technical and organizational settings (Articles 188 and 189).

According to Article 183, paragraph 2, control over the measures taken by network operators and service providers for the purpose of ensuring security of retained metadata is performed by the Agency for Personal Data Protection (the “Agency for PDP”). The Agency for PDP is authorised to request information from both network operators and service providers and government agencies performing the interception in relation to the collection and protection of personal data of customers. If data is not processed in accordance with the law, the Agency for PDP may order one of the following measures: the rectification of irregularities within a specified period of time; a temporary ban on any data processing carried out contrary to the provisions of the law; and the deletion of personal data collected without proper legal grounds (Article 71 Personal Data Protection Act (Official Gazette of Montenegro nos. 79/2008, 70/2009, & 44/2012, Zakon o zaštiti podataka o ličnosti)).

POLICE ACT

(OFFICIAL GAZETTE OF MONTENEGRO NOS. 44/2012, 36/2013 AND 1/2015, ZAKON O UNUTRAŠNJIM POSLOVIMA) (THE “PA”)

According to Articles 114, 115 and 119 PA, police activities are generally supervised by a special department of the Ministry of Police for Internal Control, which monitors the legality of police work, especially with regards to respect and protection of human rights in the performance of police tasks and applying police powers, and delivers its reports to the Minister of Police and the government at least once per year.

Police activities are also generally monitored by the Council for Civil Control, a special body comprised of members of the Bar Association, Doctors Association, Lawyers Association, University of Montenegro and nongovernmental human rights organizations, which evaluates police work and provides recommendations for improvement of their activities to the Minister of Police (Article 112 & 113).

THE AGENCY FOR NATIONAL SECURITY ACT

(OFFICIAL GAZETTE OF MONTENEGRO, NOS. 28/2005, 86/2009 AND 20/2011, ZAKON O AGENCIJI ZA NACIONALNU BEZBJEDNOST) (THE “ANSA”)

The work of the ANS is monitored by the Chief Inspector appointed by the Government (the role of which is outlined above) (Article 40). Political supervision over the work of the police and the ANS is conferred to parliament (Article 110 and 111 PA and Article 43 ANSA).

LAW ON CONSTITUTIONAL COURT OF MONTENEGRO (OFFICIAL GAZETTE OF MONTENEGRO, NO.64/2008, 46/2013 AND 51/2013 ZAKON O USTAVNOM SUDU CRNE GORE)

Network operators and service providers may also file a constitutional appeal against an individual decision of a government agency which violates the constitutional guarantees, when other legal remedies, such as complaints or appeal procedures with the relevant agency or court, have been exhausted or are not prescribed or where the right to their judicial protection has been excluded by law (Articles 48 and 49).

CONSTITUTION OF MONTENEGRO

(OFFICIAL GAZETTE OF MONTENEGRO NO.1/2007 AND 38/2013, USTAV CRNE GORE) (THE “CONSTITUTION”)

According to Articles 132 and 133, all measures which would provide for derogation from confidentiality of letters, telephone conversations and other means of communication and protection of personal data, which would be adopted by the Council for the Security and Defence, must be ratified by the Parliament when in a position to convene.

Furthermore, the Constitutional Court of Montenegro, which is authorised to assess constitutionality and legality of laws and other general acts, may find that a measure of derogation introduced during a state of war or a state of emergency is unconstitutional (Article 149).

PUBLICATION OF LAWS AND AGGREGATE DATA RELATING TO LAWFUL INTERCEPT AND COMMUNICATION

There is no law prohibiting the publication of any of the laws mentioned in this report or any description of the powers set out in those laws.

ELECTRONIC COMMUNICATIONS ACT

(OFFICIAL GAZETTE OF THE REPUBLIC OF MONTENEGRO NOS. 40/2013 AND 56/2013, ZAKON O ELEKTRONSKIM KOMUNIKACIJAMA) (THE “ECA”)

Under article 30, paragraph 1 of the ECA, network operators and service providers must deliver to the Agency for Electronic Communications all available data concerning the development of the electronic communications network or the services provided, with the exception of data relating to intercepted communications and disclosure of metadata.  Furthermore, article 180, paragraph 3 of the ECA requires network operators and service providers to make a permanent record of all interceptions in collaboration with the government agency that requested the interception. These records must be kept secret.

This indicates that the records of interception activities and requests for provision of metadata by the police and other government agencies (except for the Agency of National Security, see paragraph 33.2 below) may not be published by network operators or service providers.  However, there is no law to prevent the publication of aggregate data (i.e. the number) relating to these requests.

THE AGENCY FOR NATIONAL SECURITY ACT

(OFFICIAL GAZETTE OF MONTENEGRO, NOS. 28/2005, 86/2009 AND 20/2011, ZAKON O AGENCIJI ZA NACIONALNU BEZBJEDNOST) (THE “ANSA”)

Article 8 of the ANSA provides that network operators and service providers must keep secret all details relating to all requests received by the Agency of National Security.  Aggregate data relating to these requests, therefore, may not be published.

Law stated as at 20 January 2015.

This information was originally published in the Legal Overview to the Telenor Group report on Authority Requests for Access to Electronic Communication in May of 2015.