February 7, 2016 was the effective date for the Act of January 15, 2016 on Amendments to the Police Act and Certain Other Acts (Journal of Laws of 2016, item 147), generally known as the “Blanket Surveillance Act”. It introduced essential amendments to the operation of the uniformed services1, including operational surveillance procedures, and the services’ ability to collate data from telecom, postal and e-service operators.
As you are very likely to use the services of any of the above companies, or may actually be classified as one of them, please take some time to read the most important amendments.
Most important amendments
- The uniformed services will now be able to obtain data2 which is not part of a postal message or telecom transmission and data other than the content of an e-service, and their use of this operating technique will only be checked post factum by regional courts.
- Telecom companies, postal operators and e-service providers will be required to provide the data referred above free of charge, including by means of a fixed connection.
- New rules for handing data containing or likely to contain client-attorney privileged content, with the proviso that officers will be able to read all the content obtained with the use of their operating techniques before the court approves the use of this information in the investigation.
- Operational surveillance may take up to 18 months.
- Vast scope of data which may be secretly accessed by the uniformed services considerably impairs everyone’s ability to protect private or confidential information, including legally privileged secrets. The amendments provide that the uniformed services will now have a right to obtain and record, e.g.:< >< >Correspondence, including emails3: this category may include correspondence sent by means of computer applications (e.g. mobile) and certain internet portal functionalities (chat);Data stored on IT systems4 – IT and telecom systems exchange and relay data between users; it is possible that the uniformed services may be authorized to secretly use malware installed on the users’ devices to systematically obtain and record data stored in these systems;Data regarding the use of e-services5 – this notion encompasses the contracting party’s full name, PESEL number, residential address, e-mail address, IP computer number, as well as information on the starting and ending time of each e-service and their scope (called “meta-data”), which raises concerns from users worried that their use of portals, websites and cloud services will be monitored.
- Considering the broad extent of data which may be procured by the uniformed services under the amended regulations, it cannot be excluded that the services will intercept your intellectual property or confidential business or legal secrets.
Consequently, we suggest considering the following measures:
- Introducing a risk assessment system to evaluate the risk connected with the processing of certain business information, and implementing or scrutinizing your current information security policies, IT procedures, and revisiting contracts with IT solution providers.
- Increasing the level of security of confidential information by using adequate IT data protection technologies (including data or email message encoding software).
- When in doubt – limiting or even entirely giving up electronic communication in certain types of matters (i.e. some communications with your lawyers), storing certain categories of documents outside of places where they may be accessed electronically.
The IT solutions put in place by our law firm ensure adequate protection of data stored on our servers. That said, not all our clients are likely to be able to ensure similar levels of protection of their data. For this reason, we cannot rule out that in order to ensure the proper protection of client-attorney privileges, in some cases we will recommend forms of communication other than email to our clients.