The return of the Pyrawebs law

TEDIC

A year ago, in October 2022, a bill was introduced in the Chamber of Deputies: “Which provides for the mandatory conservation of traffic data to combat child pornography and related punishable acts”, presented by Deputy Rodrigo Blanco, with file number D-2269521.

In the same month, the Committee on Childhood, Youth and Development approved the bill without amendments. In June 2023, the Committee on Science and Technology issued an opinion with some modifications. However, the committees on Constitutional Affairs; Legislation and Codification; and Justice, Labour and Social Welfare have yet to issue an opinion. Currently, the bill is in postponement status.

Does the retention of traffic data resolve punishable offences?

It is crucial to avoid falling into the fallacy that the legislative proposal in question will resolve cases of crimes such as child pornography, drug trafficking, money laundering and terrorism. In the countries of the region that have already implemented similar regulations, a reduction or resolution of these crimes has not necessarily been achieved exclusively through data retention. The identification of individuals involved in crimes should focus on the future instead of reviewing the past.

Opening the door to mass surveillance is unacceptable, as this practice is illegal, disproportionate and unjustified. Crimes should be prosecuted only when there is a well-founded suspicion, on an individualised basis, and with the backing of a legal process. This is essential in order not to infringe essential principles such as the presumption of innocence, the right to privacy and freedom of expression, including in the digital environment.

In other countries, for example, when an image of child pornography is detected as being uploaded to the web, the IP address (user) associated with the activity is identified. From that point on, and only under a valid legal cause, relevant data related to that user is retained for the purpose of monitoring his or her behaviour. This is known as targeted surveillance and represents an effective alternative to assist in solving crimes, provided that the principles of due process are respected.

What does the new Pyrawebs law say, and what risks do we identify?

On June 1, a public hearing was held to discuss this law. Our director, Maricarmen Sequera, actively participated and shared her concerns about the proposed law, including:

1) Lack of guarantees and legal safeguards for personal information

Paraguay and Bolivia are the only countries in South America that do not have a comprehensive personal data protection law. Such a law will be the basis for justifying the storage and processing of any personal data. We need a protection law that provides guarantees and control over personal information deposited in digital storage systems, ensuring that unscrupulous people who sell and distribute personal data will be brought to justice. We cannot debate a Data Retention project without first having a Personal Data Protection Law. The key will be to have an independent agency to act in case of abuses and risks by State institutions, the private sector, academia, etc.

2) Competent authority for data protection and monitoring of data processing

It will be necessary to create an independent body as the governing body responsible for the control of data processing to analyse the purpose of the data and make preventive reviews of possible errors or abuses that may occur in data processing. In addition, any measure restricting privacy and anonymity on the Internet must be under the control of an autonomous and specialised body, which has the capacity to protect citizens from any threat to the integrity of their communications. We do not see that this is resolved in the project under consideration by the Paraguayan Congress.

3) Judicial authorisation and application of the test of necessity, suitability and proportionality of the measure in relation to the purpose pursued.

It is recognised that the current proposal sought to include judicial guarantees. The current proposal includes judicial authorisation; it will be essential that the interception of communications through the retention of traffic data be duly justified and argued by a judge. The judge must first apply the test of proportionality and necessity to assess whether this technological tool of traffic data retention, which jeopardises fundamental principles, is the last resort and the only way to identify and resolve the dispute before the judiciary.

4) Compliance with due process on metadata and which metadata

The metadata to be collected under the proposed law is the Internet protocol identification. However, it is not specified in detail what information is subject to retention. It is crucial that the proposed law includes a precise description to avoid ambiguities in legal interpretation. What is a location tag? Is the geolocation of the device considered? As for the Internet Protocol (IP) address, this refers to the IP addresses that are used to identify devices on the network, both the source and the destination of the data. Typically, both the source IP address and the destination IP address are recorded. In 2015, we made a video to explain the risks of this:

For example, information such as the phone number receiving a call, the duration of the call, the geographic location of the device, its unique identifiers such as IMEI and IMSI in mobile or fixed devices, and IP addresses in the context of the Internet is called the “metadata” of a communication. That is, it is information about the communication rather than the actual content of the communication. An illustrative example of this distinction would be to consider metadata equivalent to the outer details of an envelope containing a letter, while the letter’s content would be what is inside. However, classifying data this way could lead to the mistaken conclusion that metadata or subscriber identification data deserves less protection than the communications themselves. On the contrary, the aggregation of this data is more revealing than the content of the communications themselves. As Edward Snowden pointed out, metadata enables a thorough tracking and accurate recording of all the private activities in our lives, providing a detailed view of our relationships, political affiliations and day-to-day activities.

5) Internet configuration limitations in Paraguay

The fundamental purpose of this bill is to address the issue of “identification” of possible perpetrators of a crime. In other words, it seeks to establish who the suspects are, based on the digital footprints they leave when connecting to the Internet. In this context, the responsibility for carrying out such identification falls on Internet Service Providers (ISPs), whether they are organisations or companies. It is important to point out that the identification problem originates from the peculiar configuration of the Internet in Paraguay. When a customer contracts Internet services, some ISPs, in order to increase their business profitability, choose not to assign a “public IP” to the customer. Instead, they provide the user with a “private IP” that is masked along with the addresses of approximately 200 other people behind a single “public IP”. This means that, unlike in most countries, Paraguay does not guarantee that each service has a unique “public IP”.
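
The identification problem described above can be shown with a small model. This is an added example, not TEDIC's code or any ISP's system: it assumes the ISP gives each customer a fixed block of source ports on the shared public IP and reassigns the blocks every hour. All names, the 320-port block size, the address 203.0.113.10 (a documentation range) and the lease data are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class NatLease(NamedTuple):
    subscriber: str   # constructed subscriber id
    public_ip: str    # shared public address
    port_lo: int      # first source port of the subscriber's block
    port_hi: int      # last source port of the subscriber's block
    start: datetime
    end: datetime

def build_leases(public_ip, first_id, count, block, start, hours=1):
    """Constructed data: `count` subscribers each hold one port block for `hours`."""
    leases = []
    for i in range(count):
        lo = 1024 + i * block
        leases.append(NatLease(f"sub-{first_id + i:03d}", public_ip,
                               lo, lo + block - 1,
                               start, start + timedelta(hours=hours)))
    return leases

def candidates(leases, public_ip, when, src_port=None, skew=timedelta(0)):
    """Subscribers that could be behind a connection seen coming from public_ip.

    `skew` is the clock uncertainty between the remote log and the ISP log.
    """
    found = set()
    for lease in leases:
        if lease.public_ip != public_ip:
            continue
        if not (lease.start - skew <= when <= lease.end + skew):
            continue
        if src_port is not None and not (lease.port_lo <= src_port <= lease.port_hi):
            continue
        found.add(lease.subscriber)
    return found

SHARED_IP = "203.0.113.10"   # documentation range, not a real ISP address
T0 = datetime(2023, 10, 1, 12, 0, 0)
# 200 subscribers share the address; the port blocks go to 200 others an hour later.
LEASES = (build_leases(SHARED_IP, 0, 200, 320, T0)
          + build_leases(SHARED_IP, 200, 200, 320, T0 + timedelta(hours=1)))

if __name__ == "__main__":
    seen, port = T0 + timedelta(minutes=10), 1024 + 5 * 320 + 7
    print(len(candidates(LEASES, SHARED_IP, seen)))            # IP + time only
    print(candidates(LEASES, SHARED_IP, seen, src_port=port))  # IP + time + port
    edge = T0 + timedelta(hours=1, seconds=30)                 # just after reassignment
    print(sorted(candidates(LEASES, SHARED_IP, edge, src_port=port,
                            skew=timedelta(minutes=2))))
```

With only the public IP and a timestamp, every customer sharing the address is a candidate; the source port narrows it to one, and even then a small clock difference around a reassignment brings a second, unrelated customer back into the result.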

6) Limiting the use of traffic data retention only for certain punishable offences

It is imperative to restrict the application of traffic data retention exclusively to certain crimes. If the purpose of the law is to effectively combat crimes such as child pornography and related offences, it should be limited to that scope and not extended to other types of infractions and crimes. Extending this measure to any offence or crime, given the limitations of our judicial system, could open the door for any individual to file charges for the sole purpose of gaining access to all information and online activity of another. For example, in cases of libel and slander, this extension could make it possible for anyone to file a complaint to access the information and then withdraw or dismiss it.

The current proposal, as amended in Congress, talks about “other computer crimes”, which is extended to cases of improper access to a device, improper access to data, interception, preparation for improper access to data, alteration of data, improper access to computer systems, sabotage of computer systems, alteration of relevant data, forgery of credit and debit cards and fraud through computer systems. Does it not seem disproportionate to open the possibility of accessing a person’s digital life to solve this type of legal case?

7) Privacy and international responses (UN and EU)

A telling example is the statement by former UN Special Rapporteur on Freedom of Expression and Opinion, Frank La Rue, who in 2013 highlighted that metadata analysis can be highly revealing and invasive, especially when this data is combined and aggregated. He further noted the following: “National laws requiring data retention are intrusive and costly, and undermine the rights to privacy and free expression. By forcing communication service providers to generate extensive databases containing information about who is communicating by telephone or over the Internet, the duration of such communications, and the location of users, and to maintain this information, often for long periods, mandatory data retention laws significantly expand the scope of state surveillance and thus the scope of human rights violations. These communication databases become vulnerable to theft, fraud, and accidental disclosure.”

In fact, the Court of Justice of the European Union annulled an EU directive that had been in force since 2006 and that obliged telephone companies and other electronic communications companies to retain citizens’ personal data for security purposes. In its ruling, the Court of Justice argued that the directive constituted a significant interference with fundamental rights, such as the right to respect for private life and the protection of personal data. It also noted that the retention and subsequent use of such data without prior information to subscribers or registered users could give rise to the perception that their private lives were under constant surveillance.

Final considerations

For us at TEDIC, it is critical to recognise that data retention is a measure that limits and impacts the rights to privacy and freedom of expression. Traffic data retention is a measure that involves the collection and storage of information such as phone numbers, call duration, locations and IP addresses. Despite its use in the fight against crime, this practice raises significant concerns about invasion of privacy and restriction of freedom of expression.

Former UN Special Rapporteur on Freedom of Expression, Frank La Rue, has warned about the intrusiveness and risks of data retention laws, which can lead to excessive surveillance and human rights violations. In addition, the Court of Justice of the European Union considered that a data retention directive was a serious intrusion on fundamental rights, including respect for privacy and personal data protection.

In this context, it is essential that the National Congress thoroughly analyse any proposal to regulate data retention, ensuring that it complies with the standards of legality, imperative purpose, necessity, suitability, and proportionality of the measure in relation to the purpose pursued, judicial authorisation and due process. Concerns persist around the ambiguous concepts surrounding the retention of traffic data, the types of metadata to be recorded, the requirements of due process, and the need to obtain informed judicial authorisation before proceeding with retention.

It is essential to rethink data retention in a forward-looking manner, based on the existence of a crime, to ensure full compliance with due process and targeted surveillance. This approach contrasts with the massive data retention, which threatens our rights to privacy and freedom of expression. Beyond these aspects, priority should be given to the enactment of a comprehensive legislative proposal for the protection of personal data, which ensures an appropriate balance between individual security and privacy.

The regulation of data retention should be carefully considered, taking into account its implications on fundamental rights, and should not be carried out at the expense of privacy and freedom of expression of individuals.