- Supervision of interception of communications
- The heads of the agencies conducting operational-search activities are personally responsible for the lawfulness of all operational-search activities (section 22 of the OSAA).
- Overall supervision of operational-search activities is exercised by the President, the Parliament and the Government of the Russian Federation within the limits of their competence (section 20 of the OSAA).
- The Prosecutor General and competent lower-level prosecutors may also exercise supervision over operational-search activities. At the request of a competent prosecutor, the head of a State agency performing operational-search activities must produce operational-search materials, including personal files, information on the use of technical equipment, registration logs and internal instructions. Materials containing information about undercover agents or police informers may be disclosed to the prosecutor only with the agent’s or informer’s consent, except in cases of criminal proceedings against them. The head of a State agency may be held liable in accordance with the law for failure to comply with the prosecutor’s request. The prosecutor must ensure the protection of the data contained in the materials produced (section 21 of the OSAA).
- The Prosecutors’ Office Act (Federal law no. 2202-I of 17 January 1992) provides that the Prosecutor General is to be appointed or dismissed by the Federation Council (the upper house of the Parliament) on proposal by the President (section 12). Lower-level prosecutors are to be appointed by the Prosecutor General after consultation with the regional executive authorities (section 13). To be appointed as a prosecutor the person must be a Russian citizen and must have a Russian law degree (section 40.1).
- In addition to their prosecuting functions, prosecutors are responsible for supervising whether the administration of detention facilities, bailiffs’ activities, operational-search activities and criminal investigations are in compliance with the Russian Constitution and Russian laws (section 1). Prosecutors also coordinate the activities of all law-enforcement authorities in combatting crime (section 8).
- As regards supervision of operational-search activities, prosecutors may review whether measures taken in the course of operational-search activities are lawful and respectful of human rights (section 29). Prosecutors’ orders made in the context of such supervision must be complied with within the time-limit set. Failure to comply may result in liability in accordance with the law (section 6).
- Prosecutors may also examine complaints of breaches of the law and give a reasoned decision on each complaint. Such a decision does not prevent the complainant from bringing the same complaint before a court. If a prosecutor discovers a breach of the law, he or she must take measures to bring the responsible persons to liability (section 10).
- The Federal Security Service Act of 3 April 1995 (no. 40-FZ, hereafter “the FSB Act”) provides that information about the security services’ undercover agents, as well as about the tactics, methods and means used by them is outside the scope of supervision by prosecutors (section 24).
- The procedures for prosecutors’ supervision of operational-search activities have been set out in Order no. 33, issued by the Prosecutor General’s Office on 15 February 2011.
- Order no. 33 provides that a prosecutor may carry out routine inspections of agencies carrying out operational-search activities, as well as ad hoc inspections following a complaint by an individual or receipt of information about potential violations. Operational-search activities performed by the FSB in the sphere of counterintelligence may be inspected only following an individual complaint (paragraph 5 of Order no. 33).
- During the inspection the prosecutor must verify compliance with the following requirements:
– observance of citizens’ constitutional rights, such as the right to respect for private and family life, home, correspondence, telephone, postal, telegraph and other communications;
– that the measures taken in the course of operational-search activities are lawful and justified, including those measures that have been authorised by a court (paragraphs 4 and 6 of Order no. 33).
- During the inspection the prosecutor must study the originals of the relevant operational-search materials, including personal files, information on the use of technical equipment, registration logs and internal instructions, and may request explanations from competent officials. The prosecutors must protect the sensitive data entrusted to them from unauthorised access or disclosure (paragraphs 9 and 12 of Order no. 33).
- If a prosecutor identifies a breach of the law, he or she must request the official responsible for it to remedy the breach. He or she must also take measures to stop and remedy violations of citizens’ rights and to bring those responsible to liability (paragraphs 9 and 10 of Order no. 33). A State official who refuses to comply with a prosecutor’s orders may be brought to liability in accordance with the law (paragraph 11).
- The prosecutors responsible for supervision of operational-search activities must submit six-monthly reports detailing the results of the inspections to the Prosecutor General’s Office (paragraph 15 of Order no. 33). A report form to be filled by prosecutors is attached to Order no. 33. The form indicates that it is confidential. It contains two sections, both in table format. The first section concerns inspections carried out during the reference period and contains information about the number of inspections, number of files inspected and number of breaches detected. The second section concerns citizens’ complaints and contains information about the number of complaints examined and granted.
- Access by individuals to data collected about them in the course of interception of communications
- Russian law does not provide that a person whose communications are intercepted must be notified at any point. However, a person who is in possession of the facts of the operational-search measures to which he or she was subjected and whose guilt has not been proved in accordance with the procedure prescribed by law, that is, he or she has not been charged or the charges have been dropped on the ground that the alleged offence was not committed or that one or more elements of a criminal offence were missing, is entitled to receive information about the data collected in the course of the operational-search activities, to the extent compatible with the requirements of operational confidentiality (“конспирации”) and excluding data which could enable State secrets to be disclosed (section 5(4-6) of the OSAA).
- In its decision of 14 July 1998 (cited in paragraph 40 above) the Constitutional Court noted that any person who was in possession of the facts of the operational-search measures to which he or she had been subjected was entitled to receive information about the data collected in the course of those activities, unless that data contained State secrets. Under section 12 of the OSAA, data collected in the course of operational-search activities – such as information about criminal offences and the persons involved in their commission – were a State secret. However, information about breaches of citizens’ rights or unlawful acts on the part of the authorities could not be classified as a State secret and should be disclosed. Section 12 could not therefore serve as a basis for refusing access to information affecting a person’s rights, provided that such information did not concern the aims of, or the grounds for, the operational-search activities. In view of the above, the fact that, pursuant to the contested Act, a person was not entitled to be granted access to the entirety of the data collected about him or her did not constitute a violation of that person’s constitutional rights.
- Judicial review
- General provisions on judicial review of interception of communications as established by the OSAA
- A person claiming that his or her rights have been or are being violated by a State official performing operational-search activities may complain to the official’s superior, a prosecutor or a court. If a citizen’s rights were violated in the course of operational-search activities by a State official, the official’s superior, a prosecutor or a court must take measures to remedy the violation and compensate the damage (section 5(3) and (9) of the OSAA).
- If a person was refused access to information about the data collected about him or her in the course of operational-search activities, he or she is entitled to know the reasons for the refusal of access and may appeal against the refusal to a court. The burden of proof is on the law-enforcement authorities to show that the refusal of access is justified. To ensure a full and thorough judicial examination, the law-enforcement agency responsible for the operational-search activities must produce, at the judge’s request, operational-search materials containing information about the data to which access was refused, with the exception of materials containing information about undercover agents or police informers. If the court finds that the refusal to grant access was unjustified, it may compel the law-enforcement agency to disclose the materials to the person concerned (section 5(4 to 6) of the OSAA).
- In its decision of 14 July 1998 (cited in paragraph 40 above) the Constitutional Court noted that a person who learned that he or she had been subjected to operational-search activities and believed that the actions of State officials had violated his or her rights was entitled, under section 5 of the OSAA, to challenge before a court the grounds for conducting such activities, as well as the specific actions performed by the competent authorities in the course of such activities, including in those cases where they had been authorised by a court.
- As regards procedural matters, the Constitutional Court held that in proceedings in which the grounds for the operational-search activities or the actions of the competent authorities conducting such activities were challenged, as well as proceedings against the refusal to give access to the data collected, the law-enforcement authorities were to submit to the judge, at his or her request, all relevant operational-search materials, except materials containing information about undercover agents or police informers.
- A person wishing to complain about interception of his or her communications may lodge a judicial review complaint under Article 125 of the CCrP; a judicial review complaint under Chapter 25 of the Code of Civil Procedure and the Judicial Review Act, replaced, as from 15 September 2015, by the Code of Administrative Procedure; or a civil tort claim under Article 1069 of the Civil Code.
- A judicial review complaint under Article 125 of the CCrP
- The Plenary Supreme Court in its Ruling no. 1 of 10 February 2009 held that actions of officials or State agencies conducting operational-search activities at the request of an investigator could be challenged in accordance with the procedure prescribed by Article 125 of the CCrP (paragraph 4). The complaints lodged under that Article may be examined only while the criminal investigation is pending. If the case has already been transmitted to a court for trial, the judge declares the complaint inadmissible and explains to the complainant that he or she may raise the complaints before the relevant trial court (paragraph 9).
- Article 125 of the CCrP provides for the judicial review of decisions and acts or failures to act by an investigator or a prosecutor which are capable of adversely affecting the constitutional rights or freedoms of the participants to criminal proceedings. The lodging of a complaint does not suspend the challenged decision or act, unless the investigator, the prosecutor, or the court decides otherwise. The court must examine the complaint within five days. The complainant, his counsel, the investigator and the prosecutor are entitled to attend the hearing. The complainant must substantiate his complaint (Article 125 §§ 1 – 4 of the CCrP).
- Participants in the hearing are entitled to study all the materials submitted to the court and to submit additional materials relevant to the complaint. Disclosure of criminal-case materials is permissible only if it is not contrary to the interests of the investigation and does not breach the rights of the participants in the criminal proceedings. The judge may request the parties to produce the materials which served as a basis for the contested decision or any other relevant materials (paragraph 12 of Ruling no. 1 of 10 February 2009 of the Plenary Supreme Court of the Russian Federation).
- Following the examination of the complaint, the court either declares the challenged decision, act or failure to act unlawful or unjustified and instructs the responsible official to rectify the indicated shortcoming, or dismisses the complaint (Article 125 § 5 of the CCrP). When instructing the official to rectify the indicated shortcoming, the court may not indicate any specific measures to be taken by the official or annul or order that the official annul the decision found to be unlawful or unjustified (paragraph 21 of Ruling no. 1 of 10 February 2009 of the Plenary Supreme Court of the Russian Federation).
- A judicial review complaint under Chapter 25 of the Code of Civil Procedure, the Judicial Review Act and the Code of Administrative Procedure
- Ruling no. 2 of 10 February 2009 of the Plenary Supreme Court of the Russian Federation provides that complaints about decisions and acts of officials or agencies performing operational-search activities that may not be challenged in criminal proceedings, as well as complaints about a refusal of access to information about the data collected in the course of operational-search activities, may be examined in accordance with the procedure established by Chapter 25 of the Code of Civil Procedure (paragraph 7).
- Chapter 25 of the Code of Civil Procedure (the CCP), in force until 15 September 2015, established the procedure for examining complaints against decisions and acts of officials violating citizens’ rights and freedoms, which was further detailed in the Judicial Review Act (Law no. 4866-1 of 27 April 1993 on Judicial review of decisions and acts violating citizens’ rights and freedoms). On 15 September 2015 Chapter 25 of the CCP and the Judicial Review Act were repealed and replaced by the Code of Administrative Procedure (Law no. 21-FZ of 8 March 2015, hereafter “the CAP”) which entered into force on that date. The CAP confirmed in substance and expounded the provisions of Chapter 25 of the CCP and the Judicial Review Act.
- The CCP, the Judicial Review Act and the CAP all provide that a citizen may lodge a complaint before a court about an act or decision by any State or municipal authority or official if he considers that it has violated his rights and freedoms (Article 254 of the CCP and section 1 of the Judicial Review Act). The complaint may concern any decision, act or omission which has violated the citizen’s rights or freedoms, has impeded the exercise of rights or freedoms, or has imposed a duty or liability on him (Article 255 of the CCP, section 2 of the Judicial Review Act and Article 218 § 1 of the CAP).
- The complaint must be lodged with a court of general jurisdiction within three months of the date on which the complainant learnt of the breach of his rights. The time-limit may be extended for valid reasons (Article 254 of the CCP, sections 4 and 5 of the Judicial Review Act and Articles 218 § 5 and 219 §§ 1 and 7 of the CAP). The complaint must mention the identification number and the date of the contested decision or the date and place of commission of the contested act (Article 220 § 2 (3) of the CAP). The claimant must submit confirming documents or explain why he or she is unable to submit them (Article 220 §§ 2 (8) and 3 of the CAP). If the claimant does not meet the above requirements, the judge declares the complaint inadmissible (Article 222 § 3 of the CAP).
- The burden of proof as to the lawfulness of the contested decision, act or omission lies with the authority or official concerned. The complainant must, however, prove that his rights and freedoms were breached by the contested decision, act or omission (section 6 of the Judicial Review Act and Article 226 § 11 of the CAP).
- Under the CCP the complaint had to be examined within ten days (Article 257 of the CCP), while under the CAP it must be examined within two months (Article 226 § 1 of the CAP). If the court finds the complaint justified, it issues a decision annulling the contested decision or act and requiring the authority or official to remedy in full the breach of the citizen’s rights (Article 258 § 1 of the CCP, section 7 of the Judicial Review Act and Article 227 §§ 2 and 3 of the CAP). The court may determine the time-limit for remedying the violation and/or the specific steps which need to be taken to remedy the violation in full (paragraph 28 of Ruling no. 2 of 10 February 2009 of the Plenary Supreme Court of the Russian Federation and Article 227 § 3 of the CAP). The claimant may then claim compensation in respect of pecuniary and non-pecuniary damage in separate civil proceedings (section 7 of the Judicial Review Act).
- The court may reject the complaint if it finds that the challenged act or decision has been taken by a competent authority or official, is lawful and does not breach the citizen’s rights (Article 258 § 4 of the CCP and Articles 226 § 9 and 227 § 2 of the CAP).
- A party to the proceedings may lodge an appeal with a higher court (Article 336 of the CCP as in force until 1 January 2012, Article 320 of the CCP as in force after 1 January 2012, and Article 228 of the CAP). The appeal decision enters into force on the day of its delivery (Article 367 of the CCP as in force until 1 January 2012, Article 329 § 5 as in force after 1 January 2012, and Articles 186 and 227 § 5 of the CAP).
- The CCP provided that a judicial decision allowing a complaint and requiring the authority or official to remedy the breach of the citizen’s rights had to be dispatched to the head of the authority concerned, to the official concerned or to their superiors within three days of its entry into force (Article 258 § 2 of the CCP). The Judicial Review Act required that the judicial decision be dispatched within ten days of its entry into force (section 8). The CAP requires that the judicial decision be dispatched on the day of its entry into force (Article 227 § 7). The court and the complainant must be notified of the enforcement of the decision no later than one month after its receipt (Article 258 § 3 of the CCP, section 8 of the Judicial Review Act and Article 227 § 9 of the CAP).
- A tort claim under Article 1069 of the Civil Code
- Damage caused to the person or property of a citizen shall be compensated in full by the tortfeasor. The tortfeasor is not liable for damage if he or she proves that the damage has been caused through no fault of his or her own (Article 1064 §§ 1 and 2 of the Civil Code).
- State and municipal bodies and officials shall be liable for damage caused to a citizen by their unlawful actions or omissions (Article 1069 of the Civil Code). Irrespective of any fault by State officials, the State or regional treasury is liable for damage sustained by a citizen on account of (i) unlawful criminal conviction or prosecution; (ii) unlawful application of a preventive measure, and (iii) unlawful administrative punishment (Article 1070 of the Civil Code).
- A court may impose on the tortfeasor an obligation to compensate non-pecuniary damage (physical or mental suffering). Compensation for non-pecuniary damage is unrelated to any award in respect of pecuniary damage (Articles 151 § 1 and 1099 of the Civil Code). The amount of compensation is determined by reference to the gravity of the tortfeasor’s fault and other significant circumstances. The court also takes into account the extent of physical or mental suffering in relation to the victim’s individual characteristics (Article 151 § 2 and Article 1101 of the Civil Code).
- Irrespective of the tortfeasor’s fault, non-pecuniary damage shall be compensated for if the damage was caused (i) by a hazardous device; (ii) in the event of unlawful conviction or prosecution or unlawful application of a preventive measure or unlawful administrative punishment, and (iii) through dissemination of information which was damaging to honour, dignity or reputation (Article 1100 of the Civil Code).
- In civil proceedings a party who alleges something must prove that allegation, unless provided otherwise by Federal Law (Article 56 § 1 of the CCP).
- A complaint to the Constitutional Court
- The Constitutional Court Act (Law no. 1-FKZ of 21 July 1994) provides that the Constitutional Court’s opinion as to whether the interpretation of a legislative provision adopted by judicial and other law-enforcement practice is compatible with the Constitution, when that opinion is expressed in a judgment, must be followed by the courts and law-enforcement authorities from the date of that judgment’s delivery (section 79 (5)).
- Obligations of communications service providers
- Obligation to protect personal data and privacy of communications
- The Communications Act provides that communications service providers must ensure privacy of communications. Information about the communications transmitted by means of telecommunications networks or mail services, and the contents of those communications may be disclosed only to the sender and the addressee or their authorised representatives, except in cases specified in federal laws (section 63(2) and (4) of the Communications Act).
- Information about subscribers and the services provided to them is confidential. Information about subscribers includes their family names, first names, patronymics and nicknames for natural persons; company names and family names, first names and patronymics of company directors and employees for legal persons; subscribers’ addresses, numbers and other information permitting identification of the subscriber or his terminal equipment; data from payment databases, including information about the subscribers’ communications, traffic and payments. Information about subscribers may not be disclosed to third persons without the subscriber’s consent, except in cases specified in federal laws (section 53 of the Communications Act).
- Obligation to co-operate with law-enforcement authorities
- The Communications Act imposes an obligation on communications service providers to furnish to the law-enforcement agencies, in cases specified in federal laws, information about subscribers and services received by them and any other information they require in order to achieve their aims and objectives (section 64(1) of the Communications Act).
- On 31 March 2008 the Moscow City Council discussed a proposal to introduce an amendment to section 64(1) of the Communications Act requiring law-enforcement agencies to show judicial authorisation to communications service providers when requesting information about subscribers. The representatives of the FSB and the Ministry of the Interior informed those present that judicial decisions authorising interceptions were classified documents and could not therefore be shown to communications service providers. The proposal to introduce the amendment was later rejected.
- Communications service providers must ensure that their networks and equipment comply with the technical requirements developed by the Ministry of Communications in cooperation with law-enforcement agencies. Communications service providers must also ensure that the methods and tactics employed by law-enforcement agencies remain confidential (section 64(2) of the Communications Act).
- In cases specified in federal laws communications service providers must suspend provision of service to a subscriber upon receipt of a reasoned written order by the head of a law-enforcement agency conducting operational-search activities or protecting national security (section 64(3) of the Communications Act).
- The FSB Act requires communications service providers to install equipment permitting the FSB to carry out operational-search activities (section 15).
- Technical requirements for equipment to be installed by communications service providers
- The main characteristics of the system of technical facilities enabling operational-search activities to be carried out (“Система технических средств для обеспечения функций оперативно-разыскных мероприятий” (“СОРМ”), hereafter referred to as “the SORM”) are outlined in a number of orders and regulations issued by the Ministry of Communications.
(a) Order no. 70
- Order no. 70 on the technical requirements for the system of technical facilities enabling the conduct of operational-search activities using telecommunications networks, issued by the Ministry of Communications on 20 April 1999, stipulates that equipment installed by communications service providers must meet certain technical requirements, which are described in the addendums to the Order. The Order, with the addendums, has been published in the Ministry of Communications’ official magazine SvyazInform, distributed through subscription. It can also be accessed through a privately-maintained internet legal database, which reproduced it from the publication in SvyazInform.
- Addendums nos. 1 and 3 describe the technical requirements for the SORM on mobile telephone networks. They specify that interception of communications is performed by law-enforcement agencies from a remote-control terminal connected to the interception equipment installed by the mobile network operators. The equipment must be capable, inter alia, of (a) creating databases of interception subjects, to be managed from the remote-control terminal; (b) intercepting communications and transmitting the data thereby obtained to the remote-control terminal; (c) protecting the data from unauthorised access, including by the employees of the mobile network operator; (d) providing access to subscriber address databases (paragraphs 1.1 and 1.6 of Addendum no. 1).
- More precisely, the equipment must ensure (a) interception of all the incoming and outgoing calls of the interception subject; (b) access to information about his or her whereabouts; (c) maintenance of interception capability where an ongoing connection is transferred between the networks of different mobile network operators; (d) maintenance of interception capability in cases involving supplementary services, such as call forwarding, call transfer or conference calls, with the possibility of registering the number or numbers to which the call is routed; (e) collection of communications data concerning all types of connections, including fax, short messaging (SMS) or other; (f) access to information about the services provided to the interception subject (paragraph 2.1.2 of Addendum no. 1).
- There are two types of interception: “total interception” and “statistical monitoring”. Total interception is the real-time interception of communications data and of the contents of all communications to or by the interception subject. Statistical monitoring is real-time monitoring of communications data only, with no interception of the content of communications. Communications data include the telephone number called, the start and end times of the connection, supplementary services used, location of the interception subject and his or her connection status (paragraphs 2.2 and 2.4 of Addendum no. 1).
- The equipment installed must be capable of launching the interception of communications within thirty seconds of receiving a command from the remote-control terminal (paragraph 2.5 of Addendum no. 1).
- Information about interception subjects or about the transmittal of any data to the remote-control terminal cannot be logged or recorded (paragraph 5.4 of Addendum no. 1).
- The remote-control terminal receives a password from the mobile network operator giving it full access to the SORM. The remote-control terminal then changes the password so that unauthorised persons cannot gain access to the SORM. From the remote-control terminal, the SORM can be commanded, among others, to start interception in respect of a subscriber, interrupt or discontinue the interception, intercept a subscriber’s ongoing communication, and submit specified information about a subscriber (paragraph 3.1.2 of Addendum no. 3).
- The remote-control centre receives the following automatic notifications about the interception subjects: short messages (SMS) sent or received by the interception subject, including their contents; a number being dialled; a connection being established; a connection being interrupted; use of supplementary services; a change in the subject’s connection status or location (paragraph 3.1.4 of Addendum no. 3).
(b) Order no. 130
- Order no. 130 on the installation procedures for technical facilities enabling the conduct of operational-search activities, issued by the Ministry of Communications on 25 July 2000, stipulated that communications service providers had to install equipment which met the technical requirements laid down in Order no. 70. The installation procedure and schedule had to be approved by the FSB (paragraph 1.4).
- Communications service providers had to take measures to protect information regarding the methods and tactics employed in operational-search activities (paragraph 2.4).
- Communications service providers had to ensure that any interception of communications or access to communications data was granted only pursuant to a court order and in accordance with the procedure established by the OSAA (paragraph 2.5).
- Communications service providers did not have to be informed about interceptions in respect of their subscribers. Nor did they have to be provided with judicial orders authorising interceptions (paragraph 2.6).
- Interceptions were carried out by the staff and technical facilities of the FSB and the agencies of the Ministry of the Interior (paragraph 2.7).
- Paragraphs 1.4 and 2.6 of Order no. 130 were challenged by a Mr N. before the Supreme Court. Mr N. argued that the reference to Order no. 70 contained in paragraph 1.4 was unlawful, as Order no. 70 had not been published and was invalid. As to paragraph 2.6, it was incompatible with the Communications Act, which provided that communications service providers had an obligation to ensure the privacy of communications. On 25 September 2000 the Supreme Court found that the reference to Order no. 70 in paragraph 1.4 was lawful, as Order no. 70 was technical in nature and was therefore not subject to publication in a generally accessible official publication. It had therefore been published only in a specialised magazine. As to paragraph 2.6, the Supreme Court considered that it could be interpreted as requiring communications service providers to grant law-enforcement agencies access to information about subscribers without judicial authorisation. Such a requirement was, however, incompatible with the Communications Act. The Supreme Court therefore found that paragraph 2.6 was unlawful and inapplicable.
- On 25 October 2000 the Ministry of Communications amended Order no. 130 by repealing paragraph 2.6.
- In reply to a request for information by the NGO “Civilian Control”, the Ministry of Communications stated, in a letter dated 20 August 2006, that the repealing of paragraph 2.6 of Order no. 130 did not mean that communications service providers had to be informed about operational-search measures in respect of a subscriber or be provided with a copy of the relevant decision granting judicial authorisation for such surveillance.
- Order no. 130 was repealed on 16 January 2008 (see paragraph 134 below).
(c) Order no. 538
- Order no. 538 on cooperation between communications service providers and law-enforcement agencies, issued by the Government on 27 August 2005, provides that communications service providers must be diligent in updating databases containing information about subscribers and the services provided to them. That information must be stored for three years. Law-enforcement agencies must have remote access to the databases at all times (paragraph 12).
- Databases must contain the following information about subscribers: (a) first name, patronymic and family name, home address and passport number for natural persons; (b) company name, address and list of persons having access to the terminal equipment with their names, patronymics and family names, home addresses and passport numbers for legal persons; (c) information about connections, traffic and payments (paragraph 14).
(d) Order no. 6
- Order no. 6 on requirements for telecommunications networks concerning the conduct of operational-search activities, Part I, issued by the Ministry of Communications on 16 January 2008, replaced Order no. 130.
- It retained the requirement that communications service providers had to ensure transmittal to the relevant law-enforcement agency’s remote-control terminal of information about (a) subscribers’ numbers and identification codes; and (b) the contents of their communications. The information must be transmitted in real time following a request from the remote-control terminal. Communications service providers must also ensure that the subscriber’s location is identified (paragraphs 2, 3 and 5).
- The remote-control terminal must have access to databases containing information about subscribers, including their numbers and identification codes (paragraphs 7 and 8).
- Communications service providers must ensure that the interception subject remains unaware of the interception of his communications. Information about ongoing or past interceptions must be protected from unauthorised access by the employees of the communications service providers (paragraph 9).
(e) Order no. 73
- Order no. 73 on requirements for telecommunications networks concerning the conduct of operational-search activities, Part II, issued by the Ministry of Communications on 27 May 2010, elaborates on certain requirements contained in Order no. 6. In particular, it provides that the equipment installed by communications service providers must ensure that agencies performing operational-search activities have access to all data transmitted through the telecommunications networks and are capable of selecting data and transmitting the selected data to its control terminal (paragraph 2).
III. Relevant international and European instruments
- United Nations
- Resolution no. 68/167, on The Right to Privacy in the Digital Age, adopted by the General Assembly on 18 December 2013, reads as follows:
“The General Assembly,
- Calls upon all States:
(c) To review their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law;
(d) To establish or maintain existing independent, effective domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and the collection of personal data…”
- Council of Europe
- The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (CETS No. 108, hereafter “Convention no. 108”) sets out standards for data protection in the sphere of automatic processing of personal data in the public and private sectors. It reads:
“Article 8 – Additional safeguards for the data subject
Any person shall be enabled:
- a. to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;
- b. to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form;
- c. to obtain, as the case may be, rectification or erasure of such data if these have been processed contrary to the provisions of domestic law giving effect to the basic principles set out in Articles 5 and 6 of this convention;
- d. to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b and c of this article is not complied with.
Article 9 – Exceptions and restrictions
- No exception to the provisions of Articles 5, 6 and 8 of this convention shall be allowed except within the limits defined in this article.
- Derogation from the provisions of Articles 5, 6 and 8 of this convention shall be allowed when such derogation is provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of:
- protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;
- protecting the data subject or the rights and freedoms of others…
Article 10 – Sanctions and remedies
Each Party undertakes to establish appropriate sanctions and remedies for violations of provisions of domestic law giving effect to the basic principles for data protection set out in this chapter.”
- Convention no. 108 was ratified by Russia on 15 May 2013 and entered into force in respect of Russia on 1 September 2013. The instrument of ratification deposited by the Russian Federation on 15 May 2013 contains the following declaration:
“The Russian Federation declares that in accordance with subparagraph “a” of paragraph 2 of Article 3 of the Convention, it will not apply the Convention to personal data:
(b) falling under State secrecy in accordance with the legislation of the Russian Federation on State secrecy.
The Russian Federation declares that in accordance with subparagraph “c” of paragraph 2 of Article 3 of the Convention, it will apply the Convention to personal data which is not processed automatically, if the application of the Convention corresponds to the nature of the actions performed with the personal data without using automatic means.
The Russian Federation declares that in accordance with subparagraph “a” of paragraph 2 of Article 9 of the Convention, it retains the right to limit the right of the data subject to access personal data on himself for the purposes of protecting State security and public order.”
- The Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows of 8 November 2001 (CETS No. 181), signed but not ratified by Russia, provides as follows:
“Article 1 – Supervisory authorities
- Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the measures in its domestic law giving effect to the principles stated in Chapters II and III of the Convention and in this Protocol.
- a. To this end, the said authorities shall have, in particular, powers of investigation and intervention, as well as the power to engage in legal proceedings or bring to the attention of the competent judicial authorities violations of provisions of domestic law giving effect to the principles mentioned in paragraph 1 of Article 1 of this Protocol.
- Each supervisory authority shall hear claims lodged by any person concerning the protection of his/her rights and fundamental freedoms with regard to the processing of personal data within its competence.
- The supervisory authorities shall exercise their functions in complete independence.
- Decisions of the supervisory authorities, which give rise to complaints, may be appealed against through the courts…”
- A Recommendation by the Committee of Ministers, regulating the use of personal data in the police sector, adopted on 17 September 1987 (No. R (87) 15), reads as follows:
“1.1. Each member state should have an independent supervisory authority outside the police sector which should be responsible for ensuring respect for the principles contained in this recommendation…
2.1. The collection of personal data for police purposes should be limited to such as is necessary for the prevention of a real danger or the suppression of a specific criminal offence. Any exception to this provision should be the subject of specific national legislation.
2.2. Where data concerning an individual have been collected and stored without his knowledge, and unless the data are deleted, he should be informed, where practicable, that information is held about him as soon as the object of the police activities is no longer likely to be prejudiced…
3.1. As far as possible, the storage of personal data for police purposes should be limited to accurate data and to such data as are necessary to allow police bodies to perform their lawful tasks within the framework of national law and their obligations arising from international law…
5.2.i. Communication of data to other public bodies should only be permissible if, in a particular case:
- there exists a clear legal obligation or authorisation, or with the authorisation of the supervisory authority, or if
- these data are indispensable to the recipient to enable him to fulfil his own lawful task and provided that the aim of the collection or processing to be carried out by the recipient is not incompatible with the original processing, and the legal obligations of the communicating body are not contrary to this.
5.2.ii. Furthermore, communication to other public bodies is exceptionally permissible if, in a particular case:
- the communication is undoubtedly in the interest of the data subject and either the data subject has consented or circumstances are such as to allow a clear presumption of such consent, or if
- the communication is necessary so as to prevent a serious and imminent danger.
5.3.i. The communication of data to private parties should only be permissible if, in a particular case, there exists a clear legal obligation or authorisation, or with the authorisation of the supervisory authority…
6.4. Exercise of the rights [of the data subject] of access, rectification and erasure should only be restricted insofar as a restriction is indispensable for the performance of a legal task of the police or is necessary for the protection of the data subject or the rights and freedoms of others…
6.5. A refusal or a restriction of those rights should be reasoned in writing. It should only be possible to refuse to communicate the reasons insofar as this is indispensable for the performance of a legal task of the police or is necessary for the protection of the rights and freedoms of others.
6.6. Where access is refused, the data subject should be able to appeal to the supervisory authority or to another independent body which shall satisfy itself that the refusal is well founded.
7.1. Measures should be taken so that personal data kept for police purposes are deleted if they are no longer necessary for the purposes for which they were stored.
For this purpose, consideration shall in particular be given to the following criteria: the need to retain data in the light of the conclusion of an inquiry into a particular case; a final judicial decision, in particular an acquittal; rehabilitation; spent convictions; amnesties; the age of the data subject, particular categories of data.
7.2. Rules aimed at fixing storage periods for the different categories of personal data as well as regular checks on their quality should be established in agreement with the supervisory authority or in accordance with domestic law.
- The responsible body should take all the necessary measures to ensure the appropriate physical and logical security of the data and prevent unauthorised access, communication or alteration. The different characteristics and contents of files should, for this purpose, be taken into account.”
- A Recommendation by the Committee of Ministers on the protection of personal data in the area of telecommunication services, with particular reference to telephone services, adopted on 7 February 1995 (No. R (95) 4), reads in so far as relevant as follows:
“2.4. Interference by public authorities with the content of a communication, including the use of listening or tapping devices or other means of surveillance or interception of communications, must be carried out only when this is provided for by law and constitutes a necessary measure in a democratic society in the interests of:
- protecting state security, public safety, the monetary interests of the state or the suppression of criminal offences;
- protecting the data subject or the rights and freedoms of others.
2.5. In the case of interference by public authorities with the content of a communication, domestic law should regulate:
- the exercise of the data subject’s rights of access and rectification;
- in what circumstances the responsible public authorities are entitled to refuse to provide information to the person concerned, or delay providing it;
- storage or destruction of such data.
If a network operator or service provider is instructed by a public authority to effect an interference, the data so collected should be communicated only to the body designated in the authorisation for that interference…”