1. Retention of data – general rules
Under the Bulgarian Data Protection Act personal data can be retained for no longer than required by the purposes, for which the data are collected. There are no specific regulations in the Act as to the interpretation of this rule and its application for different categories of data. Therefore, it is up to the data controllers to define the purpose of collection and processing of each type of data, as well as the adequate term for their retention.
2. Retention of data for security and crime prevention purposes
2.1. Regulatory framework – development
Bulgaria joined the European Union on 1 January 2007, after the adoption of Directive 2006/24 on the retention of data (“the Directive”). As at that date there were neither specific legal provisions in the domestic data protection legislation, nor voluntary data retention codes, as to the retention of personal data for the purposes of national security and prevention and investigation of crime.
The provisions of the Directive were implemented in Bulgaria by Regulation No 40 of 7 January 2008 on the categories of data to be retained by providers of publicly available electronic communication services or public communicating networks for the purposes of national security and crime investigation (“the Regulation”).
2.2. The Regulation and the social debate that followed its adoption
The provisions of the Regulation introduced into Bulgarian law the obligations for data retention for fixed and mobile operators, as well as for internet service providers (for whom the requirement to comply with the obligations was deferred until March 2009). The list of categories of data to be retained repeated the provisions of the Directive and the term of retention of all categories of data was 12 months.
As per art. 5 of the Regulation providers of publicly available electronic communication services and/or networks were obliged:
The above provisions as to the conditions, necessity and the methods of access of the authorities to the retained data gave rise to serious social debate as to whether such access is justified by the interest whose protection was sought with the new provisions. The debate was further fuelled by the general attitude and the lack of trust among the society in the Ministry of Internal Affairs and the authorities of prosecution and investigation, due to wide spread allegations as to their corruption and connection with organised crime, leading to uncertainties whether the access to retained data will not be used for unlawful collection of information about individuals for the purposes of organised crime.
The Regulation was appealed before the Bulgarian Supreme Administrative Court by “Program Access to Information Foundation” as contradicting the Bulgarian legal provisions (such as the main principle as regards privacy laid down in the Bulgarian Constitution) and the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR).
On 11 December 2008 the Supreme Administrative Court abolished art. 5 of the Regulation, based on the motives that the conditions for providing access to the authorities to retained data and the means of such access do not guarantee that the rights of access will not be misused. The Court held therefore that art. 5 of the Regulation was in contradiction with the provisions of the Bulgarian Constitution on privacy and with art. 8 of the ECHR.
2.3. The Electronic Communications Act
Swift reaction followed by the Bulgarian Parliament after the decision of the Supreme Administrative Court for the abolition of art. 5 of the Regulation. There were attempts to reinstate in the Electronic Communications Act (which is a legislative instrument of a higher ranking than the Regulation) the rights of the Ministry of Internal Affairs to have passive direct access to the data retained by fixed and mobile operators and internet service providers. In February 2009 the Electronic Communications Act was amended to incorporate new provisions on the conditions and methods of access to retained data by the authorities for the purposes of crime prevention and investigation, as well as the provisions on the categories of data to be retained and the term of retention.
Albeit still creating ambiguities, the new provisions in the Electronic Communications Act were more specific and narrower in scope in terms of conditions for providing access to retained data. Such conditions were the needs of detection and investigation of serious criminal offences and criminal offences covered under Chapter Nine A of the Criminal Code (various forms of cyber crime). Furthermore, the data was to be collected, retained and used under the terms and according to the procedure established by the the Special Intelligence Means Act and the Criminal Procedure Code, thus providing better guarantees than the Regulation for the justification of the access to retained data.
3. Further amendments to the Electronic Communications Act and current provisions on data retention for security and crime prevention purposes
Another attempt was made to reinstate the right of the Ministry of Internal Affairs and the prosecution authorities to have direct access to the communications data retained by fixed and mobile operators and internet service providers when amendments to the Electronic Communications Act were discussed and voted in Parliament in February 2010. The supporters of the proposed amendments used as grounds the need of the prosecution and the investigation authorities to have direct access to retained data in cases of investigation of serious organized crimes, such as for example the organized group for kidnapping, members of which were arrested following a police operation called “The Insolents” in December 2009.
The heated discussions of the proposed amendments in the Parliament went along with public discussions and debates on weather direct access to communications data retained by fixed and mobile operators and internet service providers should be provided to investigation and prosecution authorities. On 17 February 2010 the Bulgarian Parliament voted against the proposed amendment to the Electronic Communications Act, which would have reinstated the direct access right.
In addition to keeping the former provisions on the technical means of access to retained data, the Parliament adopted in the Electronic Communications Act specific regulations (coming into force as of 10 May 2010) on how such access will be allowed and granted. These specific provisions exhaustively list the authorities, who are entitled to request access to retained data and access is provided only based on a court order allowing the access. Fixed and mobile operators and internet service providers are required to give access to the requested data within 72 hours following the receipt of the request, sanctioned by the court. If the data provided to the investigation and prosecution authorities is not used for the purposes of the investigation, it should be destroyed by such authorities within 6 months after receipt.
It is difficult to strike a balance between the public interest (such as investigation and prevention of serious crimes) and the right of individuals to privacy. In a country like Bulgaria, where people are historically very sensitive as to their privacy being breached by state authorities the current provisions of the Electronic Communications Act provide better protection of the right to privacy than the proposed provisions for granting direct access, which did not come into effect. It is still to be seen, however, how the specific provisions regulating the mechanism for providing data access will work in practice, once they come into force in May.