W7y8w3

etained data. The draft prescribed that accessingretained data is “possible for the purpose of conductinginvestigations, crime detection and criminalproceedings, in accordance with the law regulatingcriminal proceedings, as well as for the purpose ofprotecting national and public security of the Republicof Serbia, according to the law which governsthe operation of security services of the Republicof Serbia and the operation of the authorities incharge of internal affairs.” Other laws containedproblematic provisions that gave the secret servicesaccess to retained data even without a court orderin exceptional cases.After the adoption of the Law on Electronic Communications,both independent institutions (theCIPIPD and the PC) launched separate proceedingsbefore the Constitutional Court. The result was thatcontroversial provisions from the Law on ElectronicCommunications, the Law on the Military SecurityAgency and Military Intelligence Agency, as well asthe Law on Criminal Proceedings, were repealed.The decision of the Constitutional Court meant thataccess to retained data is possible only on the basisof a court order. For example, before the decision ofthe Constitutional Court, the Law on Criminal Proceedingsprescribed that the police are authorisedto obtain telephonic listing data and data regardingthe usage of a base station, as well as data on locationof a communication, simply upon the order ofthe Public Prosecutor. After the Constitutional Courtdecision, the provision was changed in a way thatobtaining this data is possible only upon the orderof an authorised court (a court dealing with the initialproceedings of a case).However, without provisions prescribing themanner and conditions of access on the technicallevel, and with existing technical links to telecommunicationsoperators, there was still a high risk ofunauthorised access. Unfortunately, data releasedby the CIPIPD showed that unauthorised access iscommon practice among the secret services andother state bodies. Over 270,000 unauthoriseddata requests for just one operator showed thatconstitutional safeguards and even legal provisionsare not respected. The only basis for directaccess is RATEL’s technical conditions, whichcould not be in force, because they are bylawsadopted according to the Law on Telecommunicationsthat ceased to exist. Somehow it is stillapplicable because new technical conditions havenot been adopted. It is obvious that such a regulatorycul-de-sac creates a situation in which stateauthorities can access and use the retained datawithout any control.After its findings concerning telecommunicationsoperators, on 4 November 2013 the CIPIPDbegan to investigate internet operators. The supervisionis still ongoing, but there is a high level ofcertainty that similar or even worse results will berevealed regarding the protection of privacy.ConclusionsThe findings of the CIPIPD showed that there is ahuge gap between constitutional safeguards andpractice. Unauthorised access by state bodies impliesthat there is no appropriate balance betweenthe legitimate interests of protection of privacy onone side, and investigating crimes and protectionof security on the other. The privacy of communication,among other human rights, can be restricted.However, there are standards that should be fulfilled.Any restriction has to be prescribed by thelaw and must be necessary to protect vital interestsof society (e.g. national security). There also has tobe proportionality in the imposed restriction andthe goal which the restriction intends to achieve,and any restrictions should be the least intrusiveon the free exercise of human rights (principle ofproportionality). Unfortunately, these conditionsare not fulfilled at the moment, and it is clear thatsomething has to be changed.The current state of affairs is not satisfactory,because there is wide scope for interfering withtelecom users, regardless of the type of communicationstechnology they use. As long as statebodies have opportunities to access large amountsof data without any restrictions, such as data aboutthe location of telecommunications devices, anddata regarding the destination, or duration of communications,users will be in constant fear that their“everyday” life is monitored by government. Theprotection of state security is undoubtedly in theinterests of every society, but the manner of protectionmust be in line with human rights standards.This implies the oversight and involvement of asmany stakeholders as possible, from state bodiesto independent institutions and NGOs dealing withhuman rights.Action stepsIn order to improve the privacy of communications,the legal framework should be completely in linewith constitutional safeguards. That means thatlaws which regulate access to retained data shouldbe changed in a manner which provides clear andunambiguous rules about who is authorised to accessthe data, what their obligations are, and whatsafeguards exist when it comes to the misuse ofdata. Second, civil society, state authorities and independentbodies have to initiate a public debateon all aspects of the work of secret services and otherstate bodies, including their access to retaineddata. Finally, state bodies which are authorised toaccess retained data have to adapt so that theirwork conforms to the principles of transparency,civil control and accountability. Only through suchan approach is it possible to achieve mutual understandingbetween various stakeholders, and onlythen will it be possible to achieve the appropriatebalance between privacy and security.218 / Global Information Society Watch serbia / 219