Background
Mobile operators are often subject to a range of laws and/or licence conditions that require them to support law enforcement and security activities in countries where they operate. These requirements vary from country to country and have an impact on the privacy of mobile customers.
Where they exist, such laws and licence conditions typically require operators to retain data about their customers’ mobile service use and disclose it, including their personal data, to law enforcement and national security agencies on lawful demand. They may also require operators to intercept customer communications upon lawful demand, or to notify competent authorities before implementing features like end-to-end encryption that may prevent lawful access.
Such laws provide a framework for the operation of law enforcement and security service surveillance and guide mobile operators in their mandatory liaison with these services. However, in some countries, there is a lack of clarity in the legal framework to regulate the disclosure of data or lawful interception of customer communications. This creates challenges for the industry in protecting the privacy of its customers’ information and their communications.
Legislation often lags behind technological developments. For example, obligations may apply only to established telecommunications operators but not to more recent market entrants, such as those providing internet-based services, including Voice over IP (VoIP), video or instant messaging
In response to public debate concerning the extent of government access to mobile subscriber data, a number of major telecommunications providers (such as AT&T, Deutsche Telekom, Orange, Rogers, SaskTel, Sprint, T-Mobile, TekSavvy, TeliaSonera, Telstra, Telus, Verizon, Vodafone and Wind Mobile), as well as internet companies (such as Apple, Amazon, Dropbox, Google, LinkedIn, Meta, Microsoft, Pinterest, Snapchat, Tumblr, Yahoo! and X), publish ‘transparency reports’ that provide statistics relating to government requests for disclosure of such data.
Debate
What is the correct legal framework to achieve a balance between a government’s obligation to ensure that its law enforcement and security agencies can protect citizens and the rights of those citizens to privacy?
Should all providers of communications services be subject to the same interception, retention and disclosure laws on a technology-neutral basis?
Would greater transparency about the number and nature of requests governments make assist the debate, improve government accountability and bolster consumer confidence?
Industry position
Governments should ensure they have a proportionate legal framework that clearly specifies the surveillance powers available to national law enforcement and security agencies.
Any interference with the right to privacy of telecommunications customers must be in accordance with the law.
The retention and disclosure of data and the interception of communications for law enforcement or security purposes should take place only under a clear legal framework and using the proper process and authorisation specified by that framework.
There should be a legal process available to telecommunications providers to challenge requests they believe to be outside the scope of relevant laws.
The framework should be transparent, proportionate, justified and compatible with human rights principles, including obligations under applicable international human rights conventions, such as the International Convention on Civil and Political Rights.
Given the expanding range of communications services, the legal framework should be technology-neutral.
Governments should provide appropriate limitations of liability or indemnify telecommunications providers against legal claims brought in respect of compliance with requests and obligations for the retention, disclosure and interception of communications and data.
The costs of complying with all laws covering the interception of communications and the retention and disclosure of data should be borne by governments. Such costs and the basis for their calculation should be agreed in advance.
The GSMA and its members are supportive of initiatives that seek to increase government transparency and publication of statistics related to requests for access to customer data.
Resources
Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework, Office of the High Commissioner for Human Rights, 2011
Judgment on the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’), UK High Court of Justice
A Question of Trust: Report of the Investigatory Powers Review (UK), David Anderson QC, June 2015
Office of the Privacy Commissioner of Canada website