The president of the Data Protection Authority criticizes law enforcement access to telecommunications data
The president of the Polish Personal Data Protection Office (UODO) has once again raised concerns that Poland’s model of granting law enforcement agencies access to telecommunications data may violate standards stemming from the EU Charter of Fundamental Rights and has requested that the legislation be amended. In today’s issue of Rzeczpospolita, associate Jarosław Straś explains why the current regulations remain controversial and what EU case law says on the matter. Read the article in Polish here!
Disputed provisions remain unchanged
The Electronic Communications Law, adopted in 2024, did not substantially alter the rules governing law enforcement access by bodies such as the Police, Border Guard or CBA to citizens’ telecommunications data. The issue is sensitive, as it requires balancing two fundamental values: national security and citizens’ privacy.
Telecom operators are obliged to provide law enforcement agencies with access to a wide range of subscriber data at their own expense and to store this data for 12 months (so-called data retention). Initially, this period was as long as 24 months, justified by Poland’s location on the eastern border of the EU and the heightened terrorism risk.
CJEU rulings draw clear limits
The Court of Justice of the European Union (CJEU) has repeatedly questioned data retention rules. In 2014 it annulled the EU Data Retention Directive as an excessive interference with fundamental rights. In subsequent rulings (including Tele2 in 2016 and La Quadrature du Net in 2020), the Court stressed that Member States cannot impose a general and indiscriminate obligation to retain all communications data. At the same time, the Court acknowledged that in cases of serious national security threats, temporary and proportionate derogations from confidentiality may be justified.
The “blind lawsuit” proposal rejected
The problem affects not only state agencies but also private individuals. Those whose personal rights are violated online often cannot identify the perpetrator to file a civil claim. A proposed solution was the so-called “blind lawsuit” mechanism, which would allow courts to request operators to disclose a potential defendant’s data. Unfortunately, the draft amendment to the Civil Procedure Code did not gain sufficient support and is likely to be rejected by Parliament.
Supervision and penalties
Telecom operators that fail to comply with data-sharing obligations face fines of up to 3% of annual turnover, imposed by the President of the Office of Electronic Communications (UKE).
Are Polish regulations on law enforcement access to telecommunications data compliant with EU law? What obligations do telecom operators face regarding data retention? And what exactly has the CJEU ruled in these matters?
These and other questions are addressed in Jarosław Straś’s article published in Rzeczpospolita.
