Privacy Tracker | Peru’s New Law: Fighting Crime at What Privacy Price?

Under the delegated powers framework, Peru’s executive branch has passed Legislative Decree 1182, on the usage of data derived from telecommunications for the identification, location and geolocation of equipment in the fight against delinquency and organized crime.

It states that it has the following aim:

Article N° 2: Purpose

The purpose of the Legislative Decree is to regulate the access of the specialized unit of the National Police of Peru, in cases of flagrante delicto, to the location and geolocation of mobile phones or electronic devices of similar nature (…)

There is no doubt that this is a worthy intention, but the procedure leaves issues such as constitutionality completely up in the air, given that only communications are analyzed while the privacy of data, as provided for by current legislation on personal data, is not.

But, what is the procedure all about?

Article N°4: Procedure

4.1 The unit responsible for the police investigation, after verifying the cases under the preceding article, submits the fact to the Public Prosecutor’s Office and issues the requirement to the specialized unit of the National Police of Peru for location and geolocation purposes.

4.2 The specialized unit of the National Police of Peru that receives the request gets the verification of the person responsible for the requesting unit, and then places the order with the telecommunications providers of public services or with the public entities related to these services, through institutional email or other means of communication.

4.3 The public communications services providers or the public entities related to these services, are bound to provide the location and geolocation data immediately, 24 hours a day, 365 days of the year, under warning of being liable to the responsibilities regarded by law in the event of non-compliance.

That is, if the police consider it an offense in flagrante and of more than 4 years and consider that “data access would constitute a necessary means of investigation,” they would only need to request the data and they will receive it. The police will not need prior authorization of the prosecutor (who will be informed) or the judge (who, according to Article 5 of Legislative Decree 1182, will be informed within 24 hours after informing the prosecutor).

In simple terms, geolocation data can be obtained with no control by prosecutor or judge, and data may be accessed through a simple request. The judge may revoke the use of the data, but by then the data will already be in possession of the police. And what will they finally do with the unauthorized data? Who will store the data? What would be the deletion log protocol? Who will have access to it?

Another question arises: Can the problem of delayed coordination between the police, prosecutors and judges be settled by generating a system that may infringe on constitutionally guaranteed freedoms such as the right to informational self-determination (art. 2 clause 6), inviolability of the home (art. 2 clause 9) and freedom of movement (art. 2 clause 11)?

In summary

1.    This regulation applies not only to smartphones.

Any device (connected to the telecom network) that works with an Internet connection and can be geolocated will be considered in this regulation.

2.    Data will be given to the police at simple request.

The prosecutor will be notified, and 24 hours after the request is made the judge shall be informed. The judge may revoke the requirement only in case the data has not been already obtained.

3.    It is unknown who will use the data.

It is said that there will be a liaison unit to obtain the data, but there is no information on who will be authorized to access them once they’re delivered.

4.    The traffic data (who called, where did you call to, at what time, from which location) are not considered private.

This is even though the Escher sentence (IACHR paragraph 114) considers that technical data is also protected by article 11 of the San Jose Agreement and is included in UN Resolution 68/167 on cyberspace privacy.

5.    Call information will be stored for 12 months and telecommunications providers will have to store the metadata for 12 months to be requested at any time by the police.

6.    When can it be required?

Offenses (misdemeanors) over 4 years, in flagrante, at the police’s discretion and when appropriate for the investigations.

In conclusion, my conclusion

A regulation with a dramatic effect but not effective, and even less so when based on the unreserved respect of human rights. Do you really want to do something about this subject? If so, improve the procedures regarding coordination between the police, the prosecutor’s office and the judiciary to keep the timing as short as possible. The telecommunications providers are not the problem at this point, they just want to avoid being “sued” afterwards for taking action without an order provided by a judicial or prosecution authority. Because, how would they know which request made by the police could violate human rights?

I put the final question to you, Minister Perez Guadalupe: Who would you trust to have the power to know where to locate you at any time based on your smartphone data? The one who can control the system might be no saint, adequate monitoring measures could be lacking, or, in the worst possible scenario, your rights and freedoms might be violated.

Quis custodiet ipsos custodes? Will it be you, Minister Perez Guadalupe?
