The implementation of the European Code of Electronic Communications (the Code) into Polish law will create a new legal environment for operators of interpersonal communication services regarding the scanning of content or traffic data. In fact, under certain circumstances, such actions may be criminally penalised under Polish law.
In particular, such actions may lead to criminal liability if they were committed within the Polish territory or even if committed abroad, if they were directed against the interests of Poland or a Polish person. The new regulations will require providers to comprehensively verify their scanning policies in order both to comply with the respective requirements and not to fall under the risk of criminal and other liability under the relevant laws.
IMPLEMENTATION OF THE EUROPEAN CODE OF ELECTRONIC COMMUNICATIONS IN POLAND
The Code replaced four previous directives that regulated the telecommunications market. It contains not only provisions for the telecommunications and media sectors, but it also covers technologically neutral interpersonal communication services such as Viber, WeChat, Skype and WhatsApp.
The Code should be implemented by 21 December 2020 by introducing the new Electronic Communications Law (ECL) in Poland. However, the implementation will most likely be postponed until June 2021. The draft ECL comprehensively regulates, among other things, the performance of electronic communications services, the principles of telecommunications data processing and the protection of electronic communications privacy.
ELECTRONIC COMMUNICATIONS PRIVACY
The regulations concerning the privacy of electronic communications in the ECL constitute the implementation of the so called ePrivacy Directive. Under the ECL, the obligations of providers of interpersonal communication services using numbers will be similar to those of "traditional" telecommunications operators. Providers that do not use actual numbers will only be subject to certain tasks and obligations, such as ensuring network security or providing information to the authorities.
The operators (including interpersonal communication service providers that do not use numbers) are obliged to ensure the security of the confidentiality of electronic communications (both confidentiality of the communication and related traffic data). The privacy of electronic communication includes, amongst other things, user data, the content of individual messages as well as transmission and location data.
As a rule, it is prohibited to process the content or data covered by the privacy of electronic communications by persons other than the sender and recipient of the message, unless it:
- will be the subject of the service or it will be necessary to perform it;
- will be done with the consent of the sender or recipient;
- is necessary to perform these activities in order to record the messages and related transmission data for the purpose of providing evidence of a commercial transaction or communication purposes in commercial activity;
- will be necessary for other reasons provided by law.
The provider of electronic communication services is obliged to inform the user with whom it concludes an agreement on the provision of electronic communication services, as well as other users, about the scope and purpose of the processing of transmission data and other data concerning them, as well as about the possibility of influencing the scope of such processing.
VIOLATION OF THE PRIVACY OF ELECTRONIC COMMUNICATIONS AS A CRIMINAL OFFENCE
Listening, tapping, storing or other kinds of interception or surveillance of communications and the related traffic data by persons (both natural and legal) other than users, without the consent of the users concerned or without a legal ground, is prohibited in Poland, if it was committed within the territory of Poland or even if committed abroad, if it was directed against the interests of Poland or a Polish person. Such a violation may be subject to imprisonment of up to 2 years.
It is enough to obtain power over an information carrier or even to copy it without reading its content in order for criminal liability to apply. Additionally, creating software which may be used or actually using it to illegally obtain information (e.g. automatic scanning), is also subject to penalty.
If the processed data also contains personal data, then such an action might also be penalised under the Personal Data Protection Act and may be subject to imprisonment of up to 3 years.
However, if the criminal act was committed abroad then under the so called "rule of double penalisation" the above actions will – as a rule - constitute a criminal offence in Poland only, if such act is penalised under the local laws of the place where the act was committed.