JUAN CARLOS I
KING OF SPAIN
To all who see and understand this.
Know: That the General Courts have approved and I hereby sanction the following law.
The application of new technologies developed in the framework of the information society has led to the overcoming of traditional forms of communication, through an expansion of the content transmitted, which covers not only voice, but also data in different media and formats. In turn, this extraordinary expansion in quantity and quality has been accompanied by a decrease in costs, putting this type of communication within reach of any person in any corner of the world.
The neutral nature of technological advances in telephony and electronic communications does not prevent their use from being diverted towards the achievement of unwanted, if not criminal, ends.
It is precisely within the framework of the latter objective that Directive 2006/24/EC of the European Parliament and of the Council of 15 March falls, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks, and amending Directive 2002/58/EC of the European Parliament and of the Council of 12 July; its transposition into our legal order is the main objective of this Law.
The purpose of this Directive is to establish the obligation for telecommunications operators to retain certain data generated or processed by them, so that the authorised agents may have them at their disposal. Authorised agents are understood to be the members of the Police Corps authorised to do so in the framework of a criminal investigation into the commission of a crime; the personnel of the National Intelligence Center, to carry out a security investigation under Law 11/2002, of 6 May, regulating the National Intelligence Center, and Organic Law 2/2002, of 6 May, regulating the prior judicial control of the National Intelligence Center; and the officials of the Deputy Directorate of Customs Surveillance, in the exercise of their powers as judicial police, in accordance with Article 283 (1) of the Law on Criminal Procedure. The aim, therefore, is that all of them can obtain the data relating to communications which, in connection with an investigation, may have been carried out by means of fixed or mobile telephony, as well as by the Internet. The establishment of these obligations, justified in order to protect public security, has been carried out seeking the necessary balance with respect for the individual rights which may be affected, such as those relating to the privacy and intimacy of communications.
In this sense, the Law respects the pronouncements that the Constitutional Court has issued in relation to the right to the secrecy of communications. That respect is articulated, in particular, through two guarantees: firstly, the data on which the conservation obligation is established are data exclusively linked to the communication, either by telephone or via the Internet, but in no case data revealing the content of the communication; secondly, the transfer of such data affecting a specific communication or communications will always require prior judicial authorisation.
With regard to this last point, it should be noted that the Directive expressly refers to the fact that the data retained must be available for the purposes of detection or investigation of serious offences, as defined by the internal legislation of each Member State.
The Law has ten articles that are grouped into three chapters.
Chapter I ("General Provisions") begins by describing its object, which is basically limited to determining the obligation to keep the data listed in Article 3 that have been generated or processed in the framework of a fixed or mobile telephone communication, or of one carried out by means of publicly available electronic communication or through a public communications network. Likewise, it specifies the purposes which, exclusively, justify the obligation of conservation, and which are limited to the detection, investigation and prosecution of a crime contemplated in the Penal Code or the special penal laws, with the requirements and channels that the Law itself establishes.
This chapter also requires limitations on the type of data to be retained, which are necessary to identify the origin and destination of the communication, as well as the identity of the users or subscribers of both, but never data revealing the content of the communication. Similarly, the Law imposes the obligation of data retention to determine the time and duration of a given communication, its type, as well as data necessary to identify the communication equipment used and, in the case of use of a mobile equipment, the data necessary for its location.
In relation to the subjects who are required to keep the data, these will be the operators providing publicly available electronic communications services, or operating a public electronic communications network, in Spain.
The Law lists in Article 3, in a precise and detailed manner, the data that are subject to the obligation of conservation in the framework of communications by fixed telephony, mobile telephony or Internet. These data, which, it is repeated, will in no case reveal the content of the communication, are those necessary to identify the origin and destination of the communication, its time, date and duration, the type of service used and the communication equipment used by the users. In application of the provisions contained in Directive 2006/24/EC of the European Parliament and of the Council of 15 March, so-called unsuccessful telephone calls are also included in the scope of the law. It also includes the obligation to preserve the elements that are sufficient to identify the moment of activation of the telephones that operate under the prepaid mode.
In Chapter II ("Conservation and transfer of data"), the Law sets the limits for the transfer of data; the period for which they are to be retained, which will be, as a general rule, twelve months from the date on which the communication was established (although it may be reduced to six months or extended to two years, as permitted by Directive 2006/24/EC); and the instruments to ensure the legitimate use of the retained data, whose transfer and delivery may be made only to the authorised agent and for the purposes laid down in the Law, with any improper use being subject to the control mechanisms of Organic Law 15/1999 of 13 December, on the Protection of Personal Data, and its implementing regulations. In addition, specific provisions are established regarding the general regulatory regime for the rights of access, rectification and cancellation of data contained in the aforementioned Organic Law 15/1999.
Chapter III, when referring to the sanctioning regime, refers, in respect of the breaches of the obligations of conservation and protection and security of the personal data, to the regulation contained in Law 32/2003, November 3, General Telecommunications. On the other hand, non-compliance with the obligation to make available to the authorised agents, in so far as applications will always be covered by a court order, would constitute the corresponding criminal offence.
The provisions contained in the final part include various contents. On the one hand, in order to establish instruments for controlling the use for criminal purposes of mobile telephone equipment acquired through the prepaid mode, operators that market that service are obliged to keep a record with the identity of the buyers.
Finally, the Law incorporates in the final provisions a modification of Law 32/2003, of 3 November, General of Telecommunications, in order to adapt it to the content of this Law, a reference to its jurisdiction, a general authorisation to the Government for its development and a six-month period for the operators to adapt to its content.
Article 1. Object of the Law.
1. The purpose of this Law is to regulate the obligation of operators to keep data generated or processed in the framework of the provision of electronic communications services or public communication networks, as well as the duty to transfer such data to the authorised agents, provided that they are required to do so through the corresponding judicial authorisation, for the purposes of detection, investigation and prosecution of serious offences referred to in the Criminal Code or in special criminal laws.
2. This Act shall apply to traffic and location data on natural and legal persons and related data necessary to identify the registered subscriber or user.
3. The content of electronic communications, including information consulted using an electronic communications network, is excluded from the scope of this Act.
Article 2. Required subjects.
The addressees of the data retention obligations imposed by this Law are the operators that provide publicly available electronic communications services or operate public communications networks, in the terms set out in Law 32/2003 of 3 November, General Telecommunications.
Article 3. Data subject to conservation.
1. The data to be retained by the operators specified in Article 2 of this Law are as follows:
a) Data needed to trace and identify the source of a communication:
1. With respect to fixed network telephony and mobile telephony:
i) Calling telephone number.
ii) Name and address of the subscriber or registered user.
2. With regard to Internet access, Internet e-mail and Internet telephony:
i) The assigned user identification.
ii) The user identification and telephone number assigned to any communication accessing the public telephone network.
iii) The name and address of the subscriber or registered user who has been assigned at the time of the communication an Internet Protocol (IP) address, a user ID or a telephone number.
b) Data required to identify the destination of a communication:
1. With respect to fixed network telephony and mobile telephony:
i) The number or numbers dialled (the number or numbers of the target phone) and, in cases where other services are involved, such as the diversion or transfer of calls, the number or numbers to which the calls are transferred.
ii) The names and addresses of registered subscribers or users.
2. With respect to Internet e-mail and Internet telephony:
i) The user ID or phone number of the recipient or recipients of an Internet phone call.
ii) The names and addresses of registered subscribers or users and the user identification of the recipient of the communication.
c) Data required to determine the date, time, and duration of a communication:
1. With respect to fixed network telephony and mobile telephony: the date and time of the beginning and end of the call or, where applicable, the messaging service or the multimedia service.
2. With regard to Internet access, Internet e-mail and Internet telephony:
i) The date and time of connection to and disconnection from the Internet access service, registered on the basis of a given time zone, as well as the Internet Protocol address, either dynamic or static, assigned by the Internet access provider to a communication, and the user identification of the subscriber or registered user.
ii) The date and time of the connection and disconnection of the Internet e-mail service or Internet telephony service, based on a given time zone.
d) Data required to identify the type of communication.
1. With regard to fixed network telephony and mobile telephony: the telephone service used: type of call (voice transmission, voice mail, conference, data), supplementary services (including call forwarding or transfer) or messaging or multimedia services used (including short message services, advanced multimedia services, and multimedia services).
2. With respect to Internet e-mail and Internet telephony: the Internet service used.
e) Data needed to identify the communication equipment of the users or what is considered to be the communication equipment:
1. With respect to fixed network telephony: source and target phone numbers.
2. With respect to mobile telephony:
i) The source and target phone numbers.
ii) The international identity of the mobile subscriber (IMSI) of the calling party.
iii) The international identity of the mobile equipment (IMEI) of the calling party.
iv) The IMSI of the party receiving the call.
v) The IMEI of the party receiving the call.
vi) In case of anonymous payment services in advance, such as prepaid card services, date and time of first service activation and location label (cell identifier) from which the service has been activated.
3. With regard to Internet access, Internet e-mail and Internet telephony:
i) The source phone number in the case of dial-up access.
ii) The digital subscriber line (DSL) or other end point identifier of the originator of the communication.
f) Data needed to identify the location of the mobile communication equipment:
1. The location label (cell identifier) at the beginning of the communication.
2. The data that allows the geographic location of the cell, by reference to the location label, to be fixed during the period in which the communications data is preserved.
2. No data revealing the content of the communication may be retained under this Law.
Conservation and transfer of data
Article 4. Obligation to keep data.
1. The obliged subjects shall take the necessary measures to ensure that the data specified in Article 3 of this Law are kept in accordance with its provisions, in so far as they are generated or processed by them in the framework of the provision of the communications services concerned.
In no case will the obligated subjects be able to take advantage of or use the generated records, outside of the authorization assumptions set out in Article 38 of Law 32/2003, of 3 November, General Telecommunications.
2. The aforementioned conservation obligation extends to the data relating to unsuccessful calls, in so far as the data are generated or processed and preserved or recorded by the obliged subjects. The term 'unsuccessful' means the communication in the course of which a telephone call has been successfully made but without a reply, or where there has been an intervention by the operator or operators involved in the call.
3. Data relating to unconnected calls are excluded from the conservation obligations contained in this Act. An unconnected call shall be understood as a communication in the course of which a telephone call has been unsuccessful, without the involvement of the operator or operators involved.
Article 5. Data retention period.
1. The data retention obligation imposed ceases at the end of the 12-month period computed from the date on which the communication was produced. By regulation, after consultation with operators, the retention period for certain data or a category of data may be extended or reduced, up to a maximum of two years or a minimum of six months, taking into account the cost of storing and retaining the data, as well as the interest of the data for the purposes of investigation, detection and prosecution of a serious crime.
2. The provisions of the above paragraph are without prejudice to the provisions of Article 16.3 of the Organic Law 15/1999 of 13 December on the Protection of Personal Data, on the obligation to keep data blocked in the legal cancellation assumptions.
Article 6. General rules on the transfer of data.
1. The data retained in accordance with the provisions of this Law may only be transferred in accordance with the provisions of this Law for the purposes that are determined and subject to prior authorization.
2. The transfer of the information shall be made only to the authorised agents.
For these purposes, the following shall be considered authorised agents:
a) The members of the Security Forces and Corps, when they perform judicial police functions, in accordance with the provisions of Article 547 of the Organic Law 6/1985, of July 1, of the Judicial Branch.
b) The officials of the Deputy Directorate of Customs Surveillance, in the exercise of their competences as judicial police, in accordance with article 283 (1) of the Law of Criminal Procedure.
c) The personnel of the National Intelligence Center in the course of security investigations on persons or entities, as provided for in Law 11/2002, of May 6, regulating the National Intelligence Center, and in the Organic Law 2/2002, of May 6, regulating the prior judicial control of the National Intelligence Center.
Article 7. Procedure for ceding data.
1. Operators shall be obliged to transfer to the authorised agent the retained data referred to in Article 3 of this Law concerning communications identifying persons, without prejudice to the judicial decision referred to in the following paragraph.
2. The judicial decision shall determine, in accordance with the Law on Criminal Procedure and in accordance with the principles of necessity and proportionality, the retained data to be transferred to the authorised agents.
3. The time limit for the execution of the transfer order shall be that laid down in the judgment, taking into account the urgency of the assignment and the effects of the investigation concerned, as well as the nature and technical complexity of the operation.
If no other deadline is set, the transfer shall be effected within seventy-two hours counted from 8:00 hours on the working day following that on which the obliged subject receives the order.
Article 8. Data protection and security.
1. The obliged subjects shall identify the personnel specially authorized to access the data covered by this Law and adopt technical and organizational measures to prevent their manipulation or use for purposes other than those covered by the law, their accidental or unlawful destruction and accidental loss, as well as their unauthorised storage, processing, disclosure or access, subject to the provisions of the Organic Law 15/1999 of 13 December and its implementing legislation.
2. The obligations relating to the measures to ensure the quality of the data and the confidentiality and security in the processing of data shall be those laid down in Organic Law 15/1999 of 13 December and its implementing legislation.
3. The level of protection of the stored data shall be determined in accordance with the provisions of the Organic Law 15/1999 of 13 December and in its implementing legislation.
4. The Spanish Data Protection Agency is the public authority responsible for ensuring compliance with the provisions of the Organic Law 15/1999 of 13 December, and of the implementing regulations applicable to the data referred to in this Act.
Article 9. Exceptions to access and cancellation rights.
1. The data controller shall not communicate the transfer of data made in accordance with this Law.
2. The data controller shall refuse the exercise of the right of cancellation in the terms and conditions laid down in Organic Law 15/1999 of 13 December.
Violations and penalties
Article 10. Regime applicable to non-compliance with obligations under this Law.
Failure to comply with the obligations provided for in this Law will be sanctioned in accordance with the provisions of Law 32/2003 of 3 November, without prejudice to the criminal liability that may result from failure to comply with the obligation to transfer data to the authorised agents.
Single additional disposition. Telephony services via prepaid cards.
1. Operators of mobile telephony services that market services with an activation system through the mode of prepaid cards must keep a book-record in which the identity of the customers who acquire a smart card with that payment mode is recorded.
Operators shall inform customers, prior to the sale, of the existence and content of the registration, of their availability in the terms expressed in the following number and of the rights referred to in Article 38.6 of Law 32/2003.
The identification shall be carried out by means of a document proving identity, and the book-record shall record the name, surname and nationality of the buyer, as well as the number of the identification document used and the nature or denomination of that document. In the case of legal persons, the identification shall be carried out by providing the tax identification card, and the social name and the tax identification code shall be entered in the book-record.
2. From the activation of the prepaid card and until the conservation obligation referred to in Article 5 of this Law ceases, the operators shall transfer the identifying data provided for in the previous paragraph when, for the fulfilment of their purposes, they are required to do so by the authorised agents, the members of the State Security Forces and Corps and the Police Corps of the Autonomous Communities with competence for the protection of persons and property and for the maintenance of public security, the personnel of the National Intelligence Center in the course of security investigations on persons or entities, as well as the officials of the Customs Surveillance Authority.
3. The identification data shall be subject to the provisions of this Law, with respect to systems that guarantee their conservation, non-manipulation or illicit access, destruction, cancellation and identification of the authorized person.
4. The operators shall give the identifying data provided for in paragraph 1 of this provision to the authorised agents, to the members of the State Security Forces and Bodies and to the Police Corps of the Autonomous Communities with competence for the protection of persons and property and for the maintenance of public security, or to the staff of the National Intelligence Center, as well as to the officials of the Customs Surveillance Office, when they are required by them for the purpose of investigation, detection and prosecution of a crime contemplated in the Criminal code or special criminal laws.
5. Without prejudice to the sanctioning regime established by the Organic Law 15/1999 of 13 December on the Protection of Personal Data, the following constitute infringements of this provision:
a) Very serious infringements: both failure to keep the said book-record and the refusal to transfer and deliver the data to the persons and in the cases provided for in this provision.
b) Serious infringements: the incomplete keeping of the book-record, as well as unjustified delay of more than seventy-two hours in the transfer and delivery of the data to the persons and in the cases provided for in this provision.
6. The sanctioning regime established by Law 32/2003 of 3 November shall apply to the infringements provided for in the preceding paragraph, with the sanctioning competence corresponding to the Secretary of State for Telecommunications and for the Information Society.
The procedure for sanctioning the aforementioned infractions will be initiated by agreement of the Secretary of State of Telecommunications and the Information Society, and the Ministry of the Interior may urge that initiation.
In any case, a mandatory and decisive report must be requested from the Ministry of the Interior for the resolution of the sanctioning procedure.
7. The obligation to enter in the book-record the identifying data of buyers who acquire smart cards, as well as the other obligations contained in this additional provision, will begin to be required from the entry into force of this Law.
8. However, with regard to the cards acquired prior to the entry into force of this Law, the mobile operators who place these services on the market will have a period of two years, counted from that entry into force, to comply with the registration obligations referred to in paragraph 1 of this additional provision.
After the two-year period, the operators will be obliged to cancel or deactivate those prepaid cards in respect of which the registration obligations referred to in paragraph 1 of this additional provision have not been complied with, without prejudice to the compensation which, where appropriate, corresponds to the holder for the outstanding balance of consumption.
Single transitional provision. The validity of the telecommunications interception regime.
The rules laid down in Chapter III of Title III of Law 32/2003 of 3 November shall continue in force in so far as they do not conflict with the provisions of this Law.
Single repeal provision. Regulatory repeal.
1. Articles 12, 38.2 (c) and (d) and 38.3 (a) of Law 34/2002, of 11 July, of Services of the Information Society and Electronic Commerce are hereby repealed.
2. Similarly, any provisions of equal or lower rank that are contrary to the provisions of this Law are repealed.
Final disposition first. Amendment of Law 32/2003 of 3 November, General Telecommunications.
Law 32/2003 of 3 November, General Telecommunications, is amended as follows:
One. Article 33 is worded as follows:
"Article 33. Secrecy of communications.
1. Operators operating public electronic communications networks or providing publicly available electronic communications services shall ensure the secrecy of communications in accordance with Articles 18.3 and 55.2 of the Constitution, and must take the necessary technical measures.
2. The operators are obliged to carry out the intercepts that are authorized in accordance with the provisions of article 579 of the Law on Criminal Procedure, in the Organic Law 2/2002, of 6 May, regulating the prior judicial control of the National Intelligence Center, and in other rules with the rank of organic law. They shall also adopt at their expense the measures provided for in this Article and in the relevant regulations.
3. The interception referred to in the preceding paragraph shall be provided for any communication which has as its origin or destination the network termination point or the specific terminal determined on the basis of the legal interception order, even if it is intended for storage or processing of the information; the interception may also be carried out on a known terminal and with temporary location data for communications from public premises. Where there is no fixed connection between the subject of the interception and the terminal used, the terminal may be determined dynamically when the subject of the interception activates it for communication by means of a personal identification code.
4. Access shall be provided for all types of electronic communications, in particular, owing to their penetration and coverage, for those carried out by means of any form of telephony and data transmission services, whether video, audio, message exchange, file or facsimile transmission communications.
The access provided will serve both for supervision and for transmission to the reception centers of the intercepts of the intercepted electronic communication and the information regarding the interception, and will allow the signal with which the communication is carried out to be obtained.
5. The obliged subjects must provide the authorized agent, unless owing to the characteristics of the service they are not at their disposal and without prejudice to other data that can be established by royal decree, with the data indicated in the order of legal interception, from among those listed below:
a) Identity or identities of the subject of the interception measure.
Identity is understood to mean a technical label that can represent the origin or destination of any electronic communications traffic, in general identified by a physical electronic communications identity number (such as a telephone number) or a logical or virtual electronic communications identity code (such as a personal number) that the subscriber can assign to a physical access on a case-by-case basis.
b) Identity or identities of the other parties involved in electronic communication.
c) Basic services used.
d) Additional services used.
e) Address of the communication.
f) The response indication.
g) Cause of completion.
h) Time stamps.
i) Location information.
j) Information exchanged through the control or signaling channel.
6. In addition to the information relating to the interception provided for in the preceding paragraph, the obliged subjects must provide the authorised agent, unless owing to the characteristics of the service they are not at their disposal and without prejudice to other data which may be established by means of a royal decree, with the following data on any of the parties involved in the communication who are customers of the obliged subject:
a) Identification of the natural or legal person.
b) The address at which the provider makes the notifications.
And, even if they are not a subscriber, if the service in question makes any of the following available:
c) The service holder's number (both the directory number and all electronic communications IDs of the subscriber).
d) The terminal identification number.
e) The account number assigned by the Internet service provider.
f) Email address.
7. Together with the data provided for in the above paragraphs, the obliged subjects shall provide, unless owing to the characteristics of the service it is not at their disposal, information on the geographical location of the terminal or network termination point originating the call, and of that of the destination of the call. In the case of mobile services, a position as accurate as possible of the communication point and, in any case, identification, location and type of the base station concerned shall be provided.
8. Prior to the execution of the order of legal interception, the obliged subjects must provide the authorized agent with information on the services and characteristics of the telecommunications system used by the subjects of the interception measure and, if in their possession, the corresponding names of the subscribers with their national identity card, residence card or passport numbers, in the case of natural persons, or denomination and tax identification code in the case of legal persons.
9. The required subjects shall have at all times prepared one or more interfaces through which the intercepted electronic communications and the information relating to the interception shall be transmitted to the reception centres of the intercepts. The characteristics of these interfaces and the format for the transmission of the intercepted communications to these centres shall be subject to the technical specifications which are laid down by the Ministry of Industry, Tourism and Trade.
10. Where the obliged subjects apply to communications subject to legal interception any compression, encryption, digitisation or other coding procedure, they must deliver those communications free of the effects of such procedures, provided they are reversible.
Intercepted communications must be provided to the receiving center of the intercepts with a quality that is not less than the one obtained by the recipient of the communication."
Two. The last paragraph of Article 38 (5) is amended as follows:
"The provisions of points (a) and (d) of paragraph 3 of this Article are without prejudice to the obligations laid down in the Data Conservation Act relating to Electronic Communications and Public Communications Networks."
Three. In Article 53, the paragraphs (o) and (z) are amended as follows:
"o) The deliberate failure by operators to comply with the obligations in the field of legal interception of communications imposed under Article 33 of this Law and the deliberate failure to comply with the obligations for the retention of the data set out in the Data Conservation Act relating to Electronic Communications and Public Communications Networks."
"z) The serious or repeated infringement of the rights provided for in Article 38.3, except as provided for in paragraph (h), the infringement of which shall be governed by the sanctioning regime provided for in Law 34/2002 of 11 July, of Services of the Information Society and Electronic Commerce, and the serious or repeated non-compliance with the obligations for the protection and security of the data stored in accordance with Article 8 of the Law on the conservation of data relating to electronic communications and public communications networks."
Four. In Article 54, paragraphs (n) and (r) are amended as follows:
"n) Failure by operators to comply with the obligations in respect of the legal interception of communications imposed under Article 33 of this Law and the failure to comply with the obligations for the conservation of the data set out in the Law on the Conservation of Electronic Communications Data and Public Communications Networks, unless they should be considered a very serious infringement, in accordance with the provisions of the preceding article."
"r) The infringement of the rights provided for in Article 38.3, except as provided for in paragraph (h), the infringement of which shall be governed by the sanctioning regime provided for in Law 34/2002 of 11 July, and the failure to comply with the protection and security obligations for the data set out in Article 8 of the Law on the retention of data relating to electronic communications and public communications networks, unless they are to be regarded as a very serious infringement."
Final disposition second. State competence.
This Law is enacted under Article 149.1.29 of the Constitution, which attributes exclusive competence to the State in matters of public security, and Article 149.1.21, which attributes to it exclusive competence in the field of telecommunications.
Final disposition third. Regulatory development.
The Government is empowered to issue whatever provisions are necessary for the development and implementation of the provisions of this Law.
Final disposition fourth. Data delivery format.
1. The transfer to the authorized agents of the data whose conservation is obligatory shall be carried out in electronic form, in the format determined by Joint Order of the Ministers of Interior, Defense, and Economy and Finance, to be approved within three months from the entry into force of this Law.
2. The persons bound by Article 2 of this Law shall have a period of six months from the date of entry into force of the law in order to configure, at their expense, their equipment and to be technically in a position to comply with the obligations of data conservation and transfer.
Final disposition fifth. Entry into force.
This Law will enter into force on the twentieth day following its publication in the "Official State Gazette".
I command all Spaniards, individuals and authorities, to observe this law and ensure that it is observed.
Madrid, 18 October 2007.
JUAN CARLOS R.
The President of the Government,
JOSE LUIS RODRIGUEZ ZAPATERO