D11.6: Survey on Mobile Identity

The legal framework for LBS in Europe LEGAL FRAMEWORK FOR PROCESSING LOCATION DATA BY PUBLIC AUTHORITIES

Legal framework for processing location data by public authorities

This section describes situations in which public authorities have access to location data. Besides, it gives a description of the Dutch view on data retention.  

1. 1. 1. Access to location data by law enforcement

There are several investigation powers in the Dutch Code of Criminal Procedure (Wetboek van Strafvordering, hereinafter: DCCP) that law-enforcement agencies can use to access location data.

Requesting location data that are traffic data 

The most specific provisions relate to location data that are also telecommunications traffic data. These can be requested of telecom providers, and have to be provided by these in real-time, on the basis of: 

1. Art. 126n DCCP: the public prosecutor can order the production of traffic data in cases of fairly serious crimes (carrying a maximum punishment of four years or more); 

2. Art. 126u DCCP: the public prosecutor can order the production of traffic data in cases of fairly serious organised crime, even if not yet committed;

3. Art. 126zh DCCP: the public prosecutor can order the production of traffic data in cases of ‘indications’ of a terrorist crime, i.e., without probable cause (in Dutch: redelijke verdenking);

4. Art. 126hh DCCP: the public prosecutor can, with approval of the investigating judge, order the production of (parts of) databases, including databases of traffic data, in cases of an exploratory investigation (verkennend onderzoek) with the aim of preparing an investigation into serious, organised terrorist crime; he can also combine these data with other databases for data-mining.

The traffic-data in all of these powers include cell-ID data, i.e., the location of the cell of origin and the cell of destination of a call (if these are processed by the telecom provider). They exclude, however, location data generated by mobile phones in standby mode. The location data of phone calls (including sms messages etc.) can be requested, however, for each time the user uses his mobile phone, even if this means that ‘heavy users’ can thus be virtually tracked throughout their movements.

It is important to note that these powers traditionally could only be used with respect to public telecommunication providers. However, since September 2006, when the Computer Crime II Act entered into force, the powers also can be executed against private telecom providers. The addressees are now defined as providers of communication services, i.e., ‘a natural person or legal person who in the course of profession or business offers to users of his service the possibility of communicating with a computer, or who processes or stores data on behalf of such a service or the users of that service’ (art. 126la DCCP). This power to request locational traffic data on the basis of art. 126n DCCP is being used more and more in practice; it is generally accepted in case-law that call-related location data are part of traffic data.

For the purposes of this study, two interesting cases are worth mentioning from jurisprudence. The first is the ‘Deventer murder case’, in which someone was convicted partly on the basis of the location of the call he made very shortly before the murder took place. The call was processed by a base station in Deventer, and the court concluded that the suspect therefore must have been in or near to Deventer at that time, rejecting his contention that he was driving on a highway at a considerable distance when he made the call, and that due to special ‘atmospheric circumstances’ the call must have been received at the distant Deventer base station.

In the second case, the public prosecutor was barred from prosecution (the furthest-reaching sanction by a court) because the prosecution had failed to request traffic data from telecom providers, despite repeated requests by the suspect’s attorney to do so. She argued that the locational traffic data of the suspect’s mobile phone would confirm his alibi, and she had warned the prosecution that traffic data would only be stored by telecom providers for at most 6 months. When the prosecution finally requested the traffic data, they had already been deleted. Therefore, the court argued that the public prosecutor had grossly neglected the interests of the defense. This case shows that data retention of location data may also be usable as disculpatory evidence.

Requesting location data that are not traffic data 

For location data that are not traffic data, e.g., the location data of mobile phones in standby mode (provided the telecom provider stores these), the public prosecutor can also order the production to telecom providers, on the basis of art. 126ng DCCP (fairly serious crime), 126ug DCCP (planned serious organised crime) or 126zo DCCP (indications of terrorist crime). If others than telecom providers store such location data, the prosecutor can use the general production order, art. 126nd DCCP (fairly serious crime), 126ud (planned serious organised crime), and 126zl DCCP (indications of terrorist crime).  

These data should not be sensitive data, e.g., relating to religion, health or sexual life; if there is reason to assume that ordered location data would reveal sensitive locations, e.g., visits to a church, venereal-disease clinic, or gay cruising area, the public prosecutor needs the approval of the investigating judge and should use the more stringent provisions for ordering sensitive data (artt. 126nf, 126uf, 126zn DCCP).  

Search and seizure 

Instead of ordering the production of data, law enforcement can also search and seize such data. The main relevant provision here is art. 125i DCCP, which allows law-enforcement authorities to search places with the aim of copying data. Depending on the sensitivity of the place, a higher authority is needed; e.g., only an investigating judge can search a dwelling (art. 125i jo 110 DCCP), whereas all investigation officers can search vehicles (art. 125i jo 96b DCPP). Lower authorities can execute search and ‘seizure’ (or copying of data) for more serious crimes, but the investigation judge can search and ‘seize’ in all crime cases.

1. 1. 1. Access to location data by national-security agencies

The powers of the General Intelligence and Security Agency (Algemene Inlichtingen- en Veiligheidsdienst, AIVD) and the Military Intelligence and Security Agency (Militaire Inlichtingen- en Veiligheidsdienst, MIVD) are regulated in the Intelligence and Security Agencies Act 2002. Art. 28 gives both agencies the power to order telecom providers to produce traffic data, similar to the law-enforcement power of art. 126n DCCP (see above). For this, no authorisation is needed. There is no description of the cases in which the agencies can do this, except that it ‘must be necessary for the good execution of their task’ (art. 18); also, there is a general proportionality requirement (art. 31).

Moreover, a bill is considered to give the agencies also a power to request (parts of) databases from telecom providers for data-mining purposes, upon authorisation of the relevant Minister.

For location data that are not traffic data or stored by others than telecom providers, the agencies can use a general power to ask for (presumably voluntary) production of data (art. 17); they can also search places and, if necessary, seize goods (art. 22) or hack computers, e.g., of telecom providers (art. 24).  

1. 1. 1. Access to location data by other public authorities

The General Administrative Law Act (Algemene Wet Bestuursrecht) provides some powers for supervising authorities to access data. However, in relation to location data this is rather far-fetched, so this will not be discussed further in this chapter.

1. 1. 1. Electronic bracelets

In the Netherlands, some applications of electronic bracelets exist. For example, since 2003 electronic detention is possible. The person who has been convicted has to wear a bracelet and stay at home. The bracelets are provided with a GSM system connected to the home telephone of the persons wearing them. The restriction to the home environment is the sanction and is considered to be a lighter form of detention than detention in a prison. It is meant only for persons with a detention period of 90 days maximum. If the person leaves his home, or his working area to which he can also be authorized, a signal is given to supervisors and they can come into action. The considerations in favour of electronic detention are the ability to continue family life and work. Reintegration in society is the main objective. Besides, because of the lack of need for intensive supervision, costs of detention are diminished. These arguments have been discussed in parliament as well as in academic studies.

With regard to detention during her Majesty’s pleasure (in Dutch: TBS, Terbeschikkingstelling) there have been some experiments using GPS. Within the Dutch legal system, TBS is a period of time during which a person is detained under the scrutiny of legal, medical or social order. The TBS system ensures professional guidance for detainees and offers supervised reintegration into society. In order to obtain this objective, there are releases on parole. During the release, the detainee wears a bracelet with a GPS sensor. However, the experiments have not been successful so far, because the sensors can be shielded to easy with, for example, aluminium foil. Another problem lies in the accuracy in urban territories.

The safety of the system is subject to discussion, because of some cases of escaped detained persons, who then committed new crimes, during the last months. However, new experiments will be launched soon.

1. 1. 1. Mandatory data retention of location data

Even before the EU discussion and the consequent Directive on Data Retention, the Netherlands had created an obligation, with a limited scope, for telecom providers to store traffic data, including location data. The reason for this is that it is impossible to wiretap someone who uses prepaid cards, for lack of a known number to tap. To address this problem, article 13.4 (2) of the 1998 Telecommunications Act stipulated that telecom providers have to store traffic data for a period of three months. The data to be stored are listed in an Order in Council, which was enacted only as of 1 March 2002. The data listed are time, number, and cell-ID. Through the cell-ID, the location of a mobile telecommunication therefore has to be stored for three months.

To implement the Data Retention Directive, a draft Bill was published in January 2007, which would alter the Telecommunications Act and the current, limited, data-retention provision. Art. 13.4 would now be extended to require all telecommunication providers to store the traffic data as designated in an Order in Council for a period of 18 months. These data would include not only the location of the cell of origin and the cell of receipt of mobile telecommunications, but also the location of any other cell during the communication. The draft Bill has triggered critical reactions not only by the telecommunications industry, but also by the Dutch Data Protection Authority. The latter argued that the 18-month retention period was unsubstantiated and should be changed to the European minimum period of 6 months, and that no retention should be required of location data generated during a call, since this would enable ‘an all too intrusive, comprehensive secret surveillance of the movements of very large numbers of unsuspected citizens’ (our translation).