Last week, the rights group Derechos Digitales released the text of a worrying draft decree, signed by President Michelle Bachelet in June, that could greatly increase intrusive government access to personal data. The decree, which still needs to be approved by the Comptroller General’s Office to take force, would run counter to Chileans’ right to privacy and emulates some of the worst such policies around the globe.
The decree would require telecommunication companies to retain, for at least two years, data on electronic and mobile communications of everyone in the country, including phone calls, e-mail, and messaging cellphone applications. It greatly expands the types of data companies must store, while extending the retention period from one year to two. While it does not mandate retaining the content of the communications, it covers information like the location data and the phone numbers called that can provide a detailed portrait of the user’s intimate life, especially when collected at large scale or combined with other data. If the government knows that someone placed a call to a labor union representative or a suicide hotline, it can potentially draw conclusions about the caller, even without knowing what they said. Cellphone location data can provide authorities a detailed map of a person’s movements for years.
This is a grossly disproportionate intrusion on Chileans’ privacy. It is, of course, reasonable to demand disclosure of specific data to prevent or investigate crimes, subject to safeguards. But data retention under the decree would go much farther, affecting all users, regardless of whether they are suspected of a crime. The European Union’s top court, its Court of Justice, has twice struck down similar blanket data retention laws, noting that they impose an unjustifiably broad infringement of the right to privacy. The UK ignored the ruling and passed an expanded data retention law last year, but overall the rulings have fostered an encouraging trend in the EU. In contrast, such authoritarian countries as China and Russia have recently expanded their data retention laws to increase surveillance over their citizens.
Worse, while Chile’s decree would require a court order to intercept phone and other communications, it does not include such a requirement to access data already retained. Without judicial control, the decree could virtually turn the Chilean government into a “big brother” capable of knowing where everyone is, and whom they are contacting, all the time.
The draft also forbids companies from incorporating technology or equipment that can hinder the interception or recording of communications. If this provision is interpreted broadly to forbid encryption, it would set a troubling precedent. In the digital age, encryption is a cornerstone of security for vulnerable activists and journalists working in repressive regimes around the globe. It also protects millions of ordinary users from cybercriminals and malicious hackers. Even in the US, one of the most intrusive countries, lawmakers have not move forward with proposals to restrict encryption, acknowledging its key role to impede cybercrime. The Chilean government should set a positive example by promoting encryption as essential to security, rather than following the lead of countries like Russia, Ethiopia, and Turkey that have restricted it.
When it reviews the decree in coming days, the Comptroller General’s Office will decide whether it will protect Chileans’ right to privacy or allow the government to emulate authoritarian countries. There should be no doubt about its decision.