In Chile, a new decree seeks to expand laws that force internet service providers to keep personal data. It would extend the period that the information must be retained and add new categories of data to store. Forced data retention has become popular in some Latin American countries, and this new decree raises a red flag for privacy in the region.
The “Spy Decree”
In August 2017, the Ministry of Internal Affairs and Public Security (the Ministry) issued Decree 866, which seeks to modify Article 222 of the Code of Criminal Procedure. The article states that all ISPs must retain IP address information showing the websites you visit — including the date, time, and duration of the visit — for one year, and must keep these records available for the judiciary. The objective of mandatory data retention is to preserve information that could be useful for future criminal investigations. The problem is that it creates a massive, disproportionate surveillance mechanism for the web browsing activity of millions of people, not because they are under suspicion for any crime, but “just in case.”
The new decree would go even further. First, it would force providers to retain more types of data: your financial data related to telecommunications services; your name; your telephone number; your IP addresses; the date, hour, and duration of your communications (of all sorts); your device information; and your geographic location history. Moreover, all of the information would be stored not for one year, but two.
This decree is extremely dangerous for user privacy, since it expands data retention to encompass all of your communications activity in Chile. It is a system for mass surveillance, designed in a way that is clearly both disproportionate and unnecessary, without further explanation.
In addition to all of this, according to the digital rights group Derechos Digitales, the decree also lacks the due formalities. According to Chilean national legislation, the suitable mechanism for modifying a national code should be a law, not a decree. This means that the decree may be unconstitutional. In any case, it bypasses consideration in Chile’s Congress and the open and democratic discussion that the issue deserves.
How mandatory blanket data retention threatens human rights and digital security
Even though the data stored under the decree’s authority does not include the content of your private communications, studies show that analyzing contextual information about communications — also called “metadata” — can reveal sensitive information about you.
For this reason, the European Court of Justice ruled in 2014 that the European Directive on Data Retention was not valid since it did not meet the human rights standards of necessity and proportionality. Similarly, the Inter-American Court of Human Rights declared that storing communications metadata is illegal.
Collecting massive amounts of users’ personal information, whether by the government, mobile operators, or third parties, also poses a cybersecurity risk. Such databases are an attractive target for criminals. That’s why collection of personal data, when it is justified, should be reduced to the minimum necessary — instead of encouraged — so that if data breaches happen, the damage is minimized.
Finally, as digital rights activist Paz Peña explains in her post series about metadata, there is no proof that data retention has a significant effect on criminal investigations versus traditional targeted surveillance. This shows that the benefits of mass data retention are not clear, while the risks for users’ privacy and digital security are real.
Latin America is on a regressive path
Sadly, Chile is not the only Latin American country with a blanket data retention mandate.
Former Peruvian president Ollanta Humala established mandatory blanket data retention in 2015. Legislative decree 1182 gives the national police direct access to the location of electronic devices in real time, and requires ISPs to store users’ metadata for three years.
Similar mandates, with some differences in procedure and duration, are also in effect in Mexico, Colombia, and Brazil.
Finally, there have been proposals to implement data retention mandates in other countries, like Paraguay. In November 2014, the government proposed a data retention bill, which was renamed the “Pyrawebs Bill” by the local community. Although the bill didn’t pass, local organization TEDIC still worries about its return since there is no comprehensive data protection legislation in place yet in Paraguay.
What now?
As it stands now, the Comptroller General Office of the Republic of Chile (CGR) is still evaluating Decree 866. Local digital rights advocates Derechos Digitales, Instituto Chileno de Derecho y Tecnologías, and Fundación Datos Protegidos delivered documents that explain the human rights issues at stake in the decree.
Help us keep an eye on them
Follow the conversation online with the hashtag #decretoespia on Twitter, and join digital rights groups in calling on the Comptroller General of the Republic to reject this dangerous decree. We will keep you posted.