New Polish Digital Law Is Government Overreach

The new electronic communications law would allow for broad surveillance of citizens

18 January 2023

Krzysztof Izdebski and Marta Musidłowska

The new Polish legislation was supposed to implement years-old EU standards on digital safeguards, but instead Warsaw used the moment to extend the government’s ability to monitor its populace. If passed, Poland could face another rule of law infringement.

Summary: The Polish government has proposed a new Electronic Communications Law that increases the possibility of surveillance of citizens. The Polish legislation, which was supposed to implement the EU Directive establishing the European Electronic Communications Code, is at the same time incompatible with EU law. This is, moreover, confirmed by one of the opinions presented by the government itself.

What is in the draft? The Polish authorities ignored the CJEU’s judgments on data retention and upheld the current system allowing data to be stored for potentially all citizens and for as long as 12 months. However, according to the European Court, it is not possible to treat all citizens as suspects and store their data just in case.

Telecommunications companies will still have to store, among other things, data identifying phone owners, whom they called and for how long they talked, or with whom they exchanged text messages. What is new is that a similar obligation has been imposed on internet service providers, including information about emails and instant messaging.

The draft has stirred up a huge controversy, and its entry into force, regardless of deepening violations of the right to privacy, may have a chilling effect on NGO activities. Equally important, there are concerns that it could also be used against competitors in the parliamentary elections taking place in Poland this year. The project also evokes obvious associations with the use of Pegasus against the opposition and journalists in Poland or Hungary, among others.

Long read: Controversial Polish Digital Law

On 12 January 2022, the first reading of the Electronic Communications Law, also known as “lex pilot,” took place in the Polish Parliament. Its main purpose is to align Polish regulations with the provisions of the European Electronic Communications Code, which member states were to implement by December 2020.

Despite more than two years of working on the law and the spectre of receiving a penalty for failing to fully transpose the Code by a certain date, the draft violates the basic values of the European Union rather than implementing them.


The invasion of privacy for Poles and the lack of real judicial control over the performance of police officers and intelligence services is another step by the Polish government towards forming its own definition of the rule of law as well as excessive surveillance of its own citizens. In the context of the high-profile Pegasus scandal, the upcoming parliamentary elections in Poland and the crisis of confidence in EU institutions due to the Qatargate affair, this legislation raises legitimate fears.

Background of the Proposed Law

The European Electronic Communications Code aims to make a general contribution to the development of the internal market in networks and services by improving the functioning of the telecommunications market.

While it contains many provisions on the need to ensure the security of networks and services for EU citizens, it does not mention the need to tighten data retention regulations and expand the catalogue of collected data on internet users without a strictly defined purpose. Such provisions, however, are included in the proposed Electronic Communications Law in Poland – and, as the drafters themselves actually demonstrate, they are not justified under the EU regulation. The draft leaves in place provisions that already give Polish services a broad view of citizens’ telecommunications data, obliging mobile operators to store telephone call histories.

The biggest controversy, however, relates to the issue of expanding those entities obliged to store service users’ data and extending the catalogue of this data significantly. According to the draft, this will no longer be only identifying data, such as name, surname and national ID number (PESEL), but also metadata, such as IP addresses, or data on “interpersonal communication not using numbers” (i.e., from messaging apps like Messenger or WhatsApp) and e-mails. The companies in charge will be required to store the data for a retention period of 12 months and make it available to authorities – primarily the Police, the Internal Security Agency, the Central Anti-Corruption Bureau and the Border Guard.

As the rationale for these provisions, the drafters cite “support of the processes of detecting, identifying and combating threats emerging in cyberspace.” In practice, this will mean that the data can be used in almost any situation in which an authority believes (even without sufficient evidence) that a specific threat must be prevented.

Data Protection

The lack of transparent procedures for data acquisition by the services and the disproportionality of weighing individual rights against broadly defined national security or public order have already been a thorny subject for the Polish government, leading to domestic and EU-level investigations.

Already in 2014, the Constitutional Court ruled that the retention of telecommunications data and access to it by authorised services should be subject to prior, institutionally-independent control. The judgment, however, was never properly implemented.

The Court of Justice of the European Union has also repeatedly pointed out that national regulation providing for generalised and undifferentiated retention of traffic and location data for the purpose of combating serious crime goes beyond the limits of what is absolutely necessary and cannot be considered legitimate in a democratic society. This finding is based, among other things, on the Charter of Fundamental Rights (including the right to respect for private life).

Data retention should be subject to appropriate limitations and be accompanied by strict safeguards to effectively protect personal data from the risk of abuse. This retention must also not be systemic in nature. To explain these exceptional situations, the CJEU’s Quadrature du Net ruling cites situations characterised by “an imminent threat or extraordinary risk that justifies the official declaration of a state of emergency in a Member State, national legislation provided for, for a limited period of time.”

Fundamental Rights Violations

The controversy around the draft Electronic Communications Law attempts to find justification in the political arena.

First, the proposed legislation seems to worsen the state of the rule of law in Poland – such broad, insufficiently legitimate access to citizens’ data violates basic human rights, as expressed in the values on which the European Union is based. As is well known, a fine has already been imposed on Poland based on a finding of a high risk of grave violation of EU values, which amounted to more than €160 million as of May 2022. Adopting the legislation in its current form would risk triggering the Article 7 procedure against Poland again and imposing further penalties.

Second, unfortunately, these types of violations are nothing new. As former Ombudsman Adam Bodnar commented, “it is a grim testimony to Poland to maintain a regulation that encourages state bodies to break the law and ensures that illegal actions will be sanctioned in the criminal process.”

According to the Panoptykon Foundation, Polish services accessed citizens’ data as many as 1.82 million times in 2021, and people who have been vetted in this way will never know.

What’s more, the Polish Police recently bought new IT tools to fight crime. Their scope of use, however, remains unclear. One of the tools will allow the Police to retrieve and recover data from locked or encrypted devices – including smartphones and tablets, but also drones or GPS navigation. Police will be able to check call lists, all messages, including those from instant messaging, as well as internet activity history (including likes or other reactions on social media) and location data. They will also be able to access data in the cloud and all content stored there, including correspondence and even live-tracking routes. In view of such technical capabilities, it is to be expected that this number will increase rather than decrease soon.

The services also eagerly and quite extensively used the Pegasus programme. Despite an ongoing investigation, the scale of use and people unjustifiably surveilled may never be fully known.

The unsupervised and almost unrestricted access to data resources in the hands of service officers raises serious questions, especially in view of the upcoming parliamentary elections.

Moreover, the Cambridge Analytica scandals that were revealed after the Brexit campaign highlighted additional vulnerabilities. Wanting to avoid a recurrence of these events, the European Union has begun working on several regulations aimed at, among other things, transparency in the operation of social media algorithms or restrictions on the use of sensitive data (including data on political views) for advertising purposes. The main regulations are the European Digital Services Act (the content of which has already been finalised) and the draft regulation on transparency and targeting of political advertising, which is still in progress.

However, some provisions of the Digital Services Act will take effect in mid-2023, while others will not take effect until the first quarter of 2024. Until then, there is a risk of the continued practice by political parties of micro-targeting and abusing their access to data.

Digital Dystopia

The consequences of adopting the Electronic Communications Law in its current form could be extremely severe.

There might be an increase in tension between Warsaw and Brussels – not only over the deepening delay in the full transposition of the Code but also over the gross disproportionality of certain provisions of the Polish law with the protection of personal data and the basic human right to privacy.

Already, however, against the backdrop of the Qatargate corruption scandal and the crisis of confidence in EU institutions, the Polish ruling party members are increasingly challenging rule-of-law violations against Poland, like those stemming from the Pegasus scandal.

In Warsaw’s view, by failing to uphold the basic principles of the European Union, MEPs have lost their authority and legitimacy to make judgments about others.

One can only hope that the growing influence of various stakeholders (NGOs, think tanks, business unions) and the clear voice of objections they are expressing will be convincing enough to stop the bill from becoming law. And that these voices will not be prematurely silenced.




Summary by Krzysztof Izdebski

Long read by Marta Musidłowska

This article is part of the #DemocraCE project.
