The Charm? – Promulgation of the Metadata Law

Introduction: Third Time…

“Third time’s the charm” they say; is it though?

Late last week, on January 29^th, 2024, President of the Portuguese Republic, Marcelo Rebelo de Sousa, approved and signed the reform of the so-called Metadata law, published as Law no. 5/2024, of February 5^th (available here), without having it preventively screened by the Constitutional Court.

This approval follows the declaration of unconstitutionality of Law 32/2008, of July 17, in 2022, and the declaration of unconstitutionality of the first proposed reformed statute, in December 2023.

You can find below some of the key changes that contributed to the approval of this impactful instrument, followed by an explanatory synopsis of the relevance of the topic to the fundamental rights of privacy and data protection.

What’s New: What has Parliament Changed?

Carrying out a systematic analysis, the Portuguese Parliament began by adding the obligation to keep data collected in Portuguese territory or in another European Union member state, in compliance with the principles imposed by the Data Protection Act, namely the General Data Protection Regulation.

It then chose to maintain, in art. 4, the same categories of metadata that were previously contemplated in the law, not having, to that extent, specified to a greater degree (as the Constitutional Court had observed) which metadata must be collected (and are subject to mandatory transmission to the Public Prosecutor’s Office after judicial authorization by the investigating judge) and which must be eliminated.

Attempting to respond to the Constitutional Court’s two previous judgments on this matter, however, the text extended Article 6 to cover not only the period for which metadata must be kept, but also the rules on its retention. Accordingly, article 6 now determines:

• Data relating to the civil identification of subscribers, IP addresses and network-connection data must be kept by the providers of publicly available electronic communications services or of a public communications network (“the providers”) for one year;
• Traffic and location data may only be retained following a reasoned judicial authorization, at the request of the Public Prosecutor’s Office, to be decided within 72 hours, and must only be kept for the time “strictly necessary for the pursuit of the purpose” for which they are collected, meaning providers must refrain from retaining or accessing this metadata for any other purpose.

Finally, Article 9 now stipulates that, when this metadata is transmitted to the Public Prosecutor’s Office, under the authorization of a criminal investigation judge, the order authorizing this transmission must be notified to the data subject within a maximum of 10 days from the date on which it was issued.

Background: What are Metadata and Why do they Affect Fundamental Rights?

Metadata, as the Portuguese Parliament rightly points out (here), is “data about data” or, in other words, pieces of information that make it possible to characterize other pieces of information, identifying it, describing it, or locating it. For this very reason, the fact that metadata does not enable the assertion of the content of a given communication (which it cannot) does not mean that this data is useless in profiling and controlling/supervising the conduct of both senders and recipients. In fact, so-called metadata makes it possible to identify the sender of a communication, its recipient, its composition, medium and duration, as well as the location of the recipient and sender.

Considering this risk of metadata analysis interfering with the privacy and freedom of those involved, the Court of Justice of the European Union declared Directive 2006/24/EC, allowing public prosecutors to store and use data generated or processed in the context of electronic communications, to be contrary to fundamental EU law in 2014. This decision, in turn, led to declarations of unconstitutionality, repeals and legal reforms of the legal instruments that had implemented such Directive, a bit throughout Europe.

In Portugal, it was only in 2022 that articles 4, 6 and 9 of Law 32/2008, of July 17 (which essentially allowed the collection and storage, as well as the transmission, without notification to interested parties, of generalized metadata in undifferentiated electronic communications, of all individuals who produce them) were declared unconstitutional by the Constitutional Court (in a ruling available here), in the part that precisely allowed that indiscriminate collection of metadata and its transmission without notification to the data subject. Following this Constitutional Court Decision, the National Assembly put forward a new wording for those provisions, in October 2022. This proposal was, however, rejected by the Constitutional Court, in a preventive decision from December 2023 (available here), as it was felt that the right to privacy with regard to both the intimate lives of individuals and their personal data was still being harmed.

The Next Steps: … the Charm?

As the President of the Republic did not raise any preventive concerns as to the constitutionality of the reformed statute, it has been promulgated and will soon be integrated into the national legal system. Its implementation and the natural unfolding of the situation must be awaited, in order to assess the ultimate fairness of this legislative proposition. Will this formulation satisfy the sieves of the Constitutional Court in concrete review? Are there still constitutional questions to be answered? And what to say about investigating authorities’ obligation to report the metadata analysis to the objects of their investigations? Is the third time really the charm?