#pyrawebs bill

Regional organizations defending Human Rights on the Internet manifest their concern about mandatory data retention bill in Paraguay

We the signatories, regional civil society groups and human rights organizations, want to express our concerns about the Paraguayan bill S-146438. [1]

At the moment, the Paraguayan government is considering radical changes in national surveillance and intelligence laws. We agree that the authorities should have the necessary tools to protect their citizens. Nevertheless, the #pyrawebs bill goes beyond what is necessary and proportionate in a democratic society, by mandating indiscriminate data retention about citizens communications.

The bill, in its current form, aims for the preservation of all paraguayans communications data for 12 months. This applies even when there is no suspicion of a crime. This controversial bill forces all internet and telecommunications service providers operating in Paraguay to globally collect and preserve IP addresses, geolocation data, origin and destination of communications, and other identification indicators.

Although the collected records would only be accessible by prosecutors under a court order, there are no clear guarantees about the security protections intended for sensitive private information. Databases like these present a big security challenge against malicious attacks and unauthorized access.

There are also documented cases about illegal database selling that raises doubts about the convenience of their creation. That is the case with phone directories, credit information and other types of sensitive data [2].

Mandatory data retention is invasive and damages the rights to privacy, free association and freedom of expression. The #pyrawebs bill orders mass surveillance against innocent citizens, an action that can not be tolerated under values of freedom and democracy. In addition to that, massive collection jeopardizes the confidentiality of communications between patients and doctors, journalists and their sources, lawyers and their clients and other types of sensitive communications.

This bill would also allow copyright holders, both national and international, to identify purported infringers using court orders.

On the other hand, there is a high probability that internet service providers charge their customers with the increased costs of implementing massive communications storage. It has been proposed that the government should cover for those expenses, making the implementation of the law unfair and inconvenient.[3].

Massive data retention has been declared unconstitutional under several jurisdictions. That is the case of Argentina’s Supreme Court in the case “Halabi c/PEN” (Fallos: 332:111). The Court of Justice of the European Union also invalidated a law of the kind on april 8 2014, stating that data retention constitutes a “ broad and particularly serious interference of the fundamental rights to privacy and data protection” [4].

There is a ruling from the Inter American Court of Human Rights that relates to this issue as well. In Escher & Others vs. Brasil [5], the Court stated that privacy protections must apply to both content and metadata, making a clear point about the risks both imply for individual rights. Accordingly, any surveillance legislation that affects user privacy should meet human rights standards of legality, suitability, necessity and proportionality[6].

The Supreme Court of Mexico has ruled that mere data collection interferes with privacy [7]:

“The infringement of the right to privacy is carried out in the very moment of listening, recording, storing, reading or registering communications without the speakers consent”

Sadly, data retention is already mandated by law in Paraguay’s e-commerce law number 4868/2013 [8]. This piece of legislation orders the storage of traffic metadata for 6 months, which shows that the National Secretary of Intelligence and other government offices already have enough powers to analyze communications belonging to “persons of interest”. Anyways, blanket data retention still shows to be arbitrary, regardless the amount of storage time.

For all of the above, we call on Paraguay’s National Attorney’s Office and the Ministry of Internal Affairs to abandon the disproportionate existing blanket data retention programme under the e-commerce law. We also call on the Paraguayan National Congress to dismiss “#pyrawebs” bill S-146438 for going against Paraguayan National Constitution on its article 36 [9] and international human rights principles of necessity, proportionality and democratic accountability.

Signatories:

– TEDIC (Paraguay)

– Access (International)

– Electronic Frontier Foundation (International)

– Hiperderecho (Perú)

– Derechos Digitales (Chile)

– Asociación por los Derechos Civiles (Argentina)

– Fundación Vía Libre (Argentina)

– Fundación Karisma (Colombia)

– Ipandetec (Panama)

– Public Knowledge

– Association for Progressive Communications- (International)

– Movimiento Mega (Brazil)

– Artigo 19 (Brasil)

– Red en Defensa de los Derechos Digitales (México)

– Usuarios de Internet (Ecuador)

References:

[1] http://silpy.congreso.gov.py/formulario/VerDetalleTramitacion.pmf?q=VerDetalleTramitacion%2F102821

[2] http://www.abc.com.py/nacionales/venden-datos-de-personas-al-mejor-postor-329544.html

[3] The implementation costs, only for Tigo’s company 80.000 users, would be of around 5 million US dollars.

[4] http://curia.europa.eu/juris/document/document.jsf?doclang=EN&text=&pageIndex=1&part=1&mode=req&docid=150642&occ=first&dir=&cid=572131

[5]Https://web.archive.org/web/20140527113509/http://www.corteidh.or.cr/docs/casos/articulos/seriec_200_esp1.pdf

[6] https://es.necessaryandproportionate.org/text

[7] Suprema Corte de Justicia de la Nación de México. Contradicción de Tesis 194/2012. Sentencia del 10 de Octubre de 2012.

[8] http://digesto.senado.gov.py/index.php?pagina=ley_resultado&id=8092

[9] http://www.constitution.org/cons/paraguay.htm