Peru's controversial new data retention law

We take a look at what Peru’s new data law might mean

Peru has introduced a controversial new data retention law that will allow authorities to access user data from telecoms, such as whom they communicate with and for how long and where they are communicating from. Crucially the decree states [Spanish] that location data is no longer a protected private communication under the Peruvian constitution.

Telecom providers in Peru will be required to retain this user data for one year. Authorities can access the data in real time as well as historical location data. Telecoms can also be obliged to retain data for an additional two years.

The Electronic Frontier Foundation reports that the decree was adopted with no public consultation and under legislation covering crime and public safety. The document mentions attempts to stem organised crime, drug trafficking, and illegal logging, but it was passed a day before a public holiday when it could possibly seep through the cracks unnoticed and avoid debate.

Miguel Morachimo, director of NGO Hiperderecho, told the EFF that removing the privacy safeguards for location data is a clear mistake and gives the police too much power to access that data. “The fact that it was directly approved by the Executive Branch without prior debate and in the middle of national holiday season is especially undemocratic,” he said.

One of the biggest bones of contention with the Peruvian law is over geolocation data and removing its privacy safeguards in the face of growing concerns around the sensitivity of such data. In 2011 for example, the EU published its official opinion [PDF] on geolocation data, stating that because smartphones are inextricably linked to their owner, it can provide a “very intimate insight into the private life of the owners”.

“This will leave Peruvian police with access to more precise, more comprehensive, and more pervasive data than would ever have been possible under previous policies,” wrote Global Voices, which criticised the government for ignoring the potential abuses.

National newspaper La Republica reports that telecoms will only hand over data from within a 300 to 500 square metre zone around a cell tower where a suspect is believed to be located or to have committed a crime, according to General Jose Lavelle, the head of the national police, Policía Nacional del Perú (PNP).

“There’s no way this law allows us to intercept telephone calls, let alone force telephone companies to provide information on the contents of communications,” said General Lavalle. He defended the law saying that it just speeds up the process of accessing data in an investigation.

The decree is unusual in that it goes against the trend of countries repealing data retention laws, New York-qualified technology lawyer Paul Lanois tells IDG Connect.

Neighbouring Argentina amended its National Telecommunications Law in 2004, which required ISPs to store traffic data for a 10 year period. In 2007, the Argentinian Supreme Court ruled that the law was unconstitutional and by 2009 the court annulled the law, calling it a “drastic interference with the private sphere of the individual”.

In 2009, Brazil heard the case of Escher et al v. Brazil. Arlei José Escher and several others who were members of two groups representing agricultural and rural worker interests had their telephone conversations tapped by police in 1999 with the details later published in national newspapers. While the State accepted no responsibility, the court found that the police violated the American Convention on Human Rights, specifically Article 11 protecting phone conversations.

“This is particularly interesting because Peru is a signatory of the convention,” explains Lanois. There may be grounds for the new Peruvian law to be challenged in the Inter-American Court of Human Rights, he says, with the Escher case as a precedent.

In more recent times, the Court of Justice of the European Union ruled that the EU’s Data Retention Directive is invalid following a challenge from the group Digital Rights Ireland. Challenges to data retention and surveillance have become more common in a post Edward Snowden world but have been ongoing for years.

Despite assurances from the PNP that the law will only be used for the worst of crimes, it has been criticised heavily in Peru’s national media with calls for reforms. Writing in La Republica, columnist Marco Sifuentes said that the government, led by President Ollanta Humala, is “for all intents and purposes a kind of stalker”.

Internet and mobile phone use is continuing to grow in the country, which creates more avenues for communications to be abused, say many opponents to data retention.

One blogger said that with all of these serious concerns and the genuine need for discussion on public safety, the government needs to reconvene on the matter and get the balance right.