Where we have a local licence or operate our own network, we might have to help government authorities in ways that could affect people’s rights to privacy or freedom of expression. This could include requests to hand over information about the services we provide, intercept voice calls or data, or block access to certain material on the internet. We have a dedicated unit within BT who handles such legal requests in line with our policies and processes, and with support from our legal and human rights teams.   

Below is a summary of the requests we’ve received in 2023 by country. Where we don’t provide this information, we give a reason why. This could be because:   

  • We can’t disclose it - in some countries, publishing this type of information is against the law, in others the law might not expressly stop us from disclosing, but authorities have told us we can’t publish it. 
  • It’s published somewhere else – if information is published for the whole industry by a government or other public body, we refer to those publications.  

Summary of interception, data disclosure and blocking requests (1 Jan to 31 Dec 2023)

  • Data disclosure: Can’t disclose
    Blocking requests: N/A
    Lawful interception: 
    Can’t disclose
    Number of websites required to be blocked: N/A

    In Australia, we provide various networked IT services including data, voice and internet services. We operate from our Sydney office and employ more than 200 people.

    Lawful interception

    The Telecommunications (Interception and Access) Act 1979 (Cth) regulates access to telecommunications content and data in Australia (including intercepting communications in specific circumstances). Under this Act, intercepting telecommunications is only justified for law enforcement and national security purposes. The only people who can issue a warrant to intercept communications are a judge, a nominated member of the Administrative Appeals Tribunal, the attorney-general or the director-general of security (in an emergency).

    Data Retention

    There are two ways data is kept in Australia.

    • The Stored Communications Regime (Telecommunications (Interception and Access) Act, Part 3-1A) allows certain law enforcement agencies to serve preservation notices on communication service providers. These notices order them to keep any communications stated in the preservation notice.

    There are three different types of preservation notice: 

    – historic domestic preservation notices
    – ongoing domestic preservation notices
    – foreign preservation notices.

    A domestic preservation notice can stay in force over the relevant communications for a maximum of 90 days. A foreign preservation notice can stay in force for 180 days.

    • The Data Retention Regime (Telecommunications (Interception and Access) Act, Part 5-1A, as amended by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015) requires communication service providers to keep certain categories of data for two years. This data doesn’t include the content or substance of a communication. Communication service providers must also keep certain types of subscriber information while an account’s active and for two years after it’s closed.

    Data disclosure

    The Telecommunications (Interception and Access) Act also allows certain law enforcement and security agencies to access telecommunications data held by communications service providers.

    Requests for access to data are independently overseen by the commonwealth ombudsman or, in the case of the Australian Security Intelligence Organisation, by the inspector-general of intelligence and security.

    Web blocking

    Under the Telecommunications Act 1997 (Cth), internet service providers must try to stop telecommunications networks and facilities being used for crime. The Australian Federal Police use this power to instruct internet service providers to block websites which contain child exploitation material through the Access Limitation Scheme. It’s also used to tackle cyber-crime.

    The Australian Media and Communications Authority has a remit under Schedule 5 of the Broadcasting Services Act 1992 (Cth) to require internet service providers to stop access to certain content (for example, child sexual abuse content) which is hosted outside of Australia. It has a similar remit under Schedule 7 of the Broadcasting Act for content services located in Australia.

    Under the Copyright Act 1968 (Cth), rights holders can apply to the Federal Court for an injunction that requires internet service providers to take reasonable steps to block access to overseas operated websites which infringe copyright or facilitate copyright infringement. This power was introduced by the Copyright Amendment (Online Infringement) Act 2015 (Cth).

  • Data disclosure: 1876
    Blocking requests: 258
    Lawful interception: 0
    Number of websites required to be blocked: 1077

      2022 2021 2020
    Data Disclosure 2221 2255 2157
    Blocking requests 223 59 114
    (July-Dec)1
    Lawful interception 0 0 0
    Number of websites required to be blocked 686 99  

    1 Data only available from part way through the 2020 calendar year

    We operate from our Brussels office and employ around 200 people. We provide services to multinational corporate and public sector customers, which have complex communication and information system needs. As part of BT’s Global unit, we are a global leader in the provisioning of managed IT services for cyber security, digital workplace, contact centres, multi-cloud and infrastructure services. 

    Lawful interception

    Under Article 90ter of the Code of Criminal Procedure, communication service providers must co-operate with judiciary authorities when it comes to lawful interception.

    An examining magistrate must order an interception of the content of communications. This can be a warrant or verbally in an emergency (with confirmation), as defined in Articles 90ter to 90decies of the Code of Criminal Procedure, which was modified by the Law of 25 December 2016 on Internet Investigatory Powers. The examining magistrate can ask for communications to be intercepted:

    • in exceptional cases
    • when necessary for investigations
    • when there are strong indications that the communications relate to offences listed in Article 90ter §2 Code of Criminal Procedure
    • when other investigations are not enough to find out the truth.

    The warrant must be sent to the public prosecutor (Article 90quater §1 Code of Criminal Procedure).

    In exceptional circumstances the public prosecutor can order the content of communications to be intercepted. This can happen when the aim is to catch a suspect while they’re committing a crime (the relevant crimes are listed in Article 90ter, §5 of the Code of Criminal Procedure).

    If national security is at stake, the director general of the intelligence and safety services can order a draft authorisation for interception. This will either be accepted or rejected by a special committee in charge of surveillance. This process is governed by Articles 18/9, 18/10, 18/17 and 44 of the Intelligence and Safety Services Act of 30 November 1998.

    The General Military Intelligence and Safety Service (GMISS) can also intercept communications that come from abroad. In December each year, the GMISS produces a list of organisations and institutions whose communications it plans to intercept, with a justification for each. The minister of defence has 10 days to accept or reject the list.

    If it’s urgent, and there’s a clear need, the GMISS can intercept communications for organisations or institutions that aren’t on the list. But the GMISS must let the minister of defence know about this as soon as possible and not later than the next business day after the start of the interception. If the minister disagrees with the interception, they can stop it (Article 44/3, 1° Intelligence and Safety Services Act).

    Data Retention

    Article 126 of the Belgian Electronic Communications Act (“ECA”) and its implementing orders required certain providers of electronic communications services (more specifically providers offering (i) mobile telephony; (ii) fixed telephony; (iii) public Internet access services; and (iv) public Internet e-mail services and public Internet telephony services in Belgium) to carry out a general and indiscriminate retention of certain traffic and location data during a certain period of time for the purpose of combating crime or safeguarding national security.

    On 6 October 2020, this provision was found to be non-compliant with EU law by the EU Court of Justice (judgment in joined cases C-511/18, C-512/18 and C-520/18) and was subsequently annulled by the Belgian Constitutional Court in its judgment of 22 April 2021.

    Since Belgian law enforcement authorities are heavily dependent on identification and meta data for the investigation and prosecution of crime, the Belgian Government launched a public consultation from 7 May until 4 June to repair the annulled legislation through which it intends to reinstate data retention obligations. Following a second judgement of 18 November by the Belgian Constitutional Court, the Belgian Government launched a new public consultation on the draft amendments to the “data retention” bill which ran until 25 March 2022. The new law was approved by the Belgian Parliament on 7 July 2022.

    Data disclosure

    Operators must co-operate with judiciary authorities when it comes to data disclosure (Articles 46bis of the Code of Criminal Procedure for identification data and 88bis of the Code of Criminal Procedure for geolocation and traffic data).

    The public prosecutor and the examining magistrate can require operators to give them retained data to identify an end user, and the electronic communications services the user subscribes to (Article 46bis, §1 Code of Criminal Procedure). In an extreme emergency, the public prosecutor and the examining magistrate can authorise this verbally, but they must confirm it in writing as soon as they can afterwards (Articles 46bis, §1 and 56, §2 Code of Criminal Procedure).

    An examining magistrate can require the disclosure of traffic and geolocation data through a written warrant. They can only do this where there are serious indications that crimes are taking place which could result in a sentence of one year or more in prison, and where the examining magistrate believes it is necessary to get to the truth (Article 88bis of the Code of Criminal Procedure). The justified order should describe:

    • the circumstances that mean the measure is needed
    • why the measure is proportionate in relation to the targeted person’s privacy
    • the length of the disclosure request (Article 88bis Code of Criminal Procedure).

    Web blocking

    The public prosecutor (Deputy Public Prosecutor and the authority acting for the Public Prosecutor) can through an order required internet service providers to block access to particular unlawful sites, to stop damage caused by content published online (Article 39 bis Code of Criminal Procedure). Orders often include additional obligations to redirect users to a specific URL or to remove the content if it is hosted on a service provider’s internet. And, under intellectual property law, the court can make an internet service provider carry out any measure necessary to stop the infringement of their copyright or associated rights.

    Internet service providers might also be required to block sites which carry child sexual abuse material, or promote terrorism, racial violence or hatred. 

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our reporting for 2024.

  • Data disclosure: 0
    Blocking requests: 22
    Lawful interception: 0
    Number of websites required to be blocked:
    3097

      2022 2021 2020
    Data Disclosure 0 24 0
    Blocking requests 24 4 5
    Lawful interception 0 0 0
    Number of websites required to be blocked 461 38  

    We’ve been in Brazil for more than 20 years. We have around 200 employees there who support corporate networks, serving hundreds of organisations from the public and private sectors in various industries. We also have extensive terrestrial networks with several GPoPs and thousands of connections from strategic partners in collaboration to support BT Global Network.

    Lawful interception

    Under Law No. 9,296/1996 (called the ‘Wiretap Law’ from now on), a court can issue an order requiring a communications service provider to intercept traffic on its network. Only the police authority or the public prosecutor can request these in specific circumstances, for example as part of a criminal investigation or legal proceedings.

    Data Retention

    The Internet Law (Law No. 12,965/2014) requires communication service providers to keep internet connection logs for a year. The police, an administrative authority or public prosecutor can ask them to keep it for longer than a year. Retention is regulated by Presidential Decree 8,771 of 11 May 2016.

    As well as this, ANATEL’s Resolution No. 614/2012 requires communication service providers to keep connection logs for at least one year. Under the Resolution, connection records include:

    • the date and time of the beginning and end of internet access
    • the length of internet access
    • the IP address used
    • other information that allows the access terminal used to be identified.

    The Internet Law stops internet access providers from keeping users’ application logs. This means they can’t keep the content of internet activity or logs of which applications people have used. The Internet Law also separately provides that an internet access provider must keep its application access logs confidential for six months.

    Data disclosure

    Under Article 22 of the Internet Law, communications data can only be disclosed when requested by the police authority, the public prosecutor, other law enforcement agencies, or any other interested party. Data can be requested for evidence gathering in civil or criminal legal procedures and must be authorised by a court order.

    Users’ personal data, particularly their name, marital status, occupation, address and name of parents, must be provided by communication service providers if the police authority, the public prosecutor or other administrative authority ask for it – they don’t need a court order. This is defined in law under the Internet Law, the Money Laundering Law (Law No. 12,683/2012) and the Organised Crime Law (Law No. 12,850/2013).

    Web blocking

    There are restrictions to blocking, monitoring, filtering or analysing the contents of internet data packets that are consistent with the principle of net neutrality.

    While judges have the power to issue court orders requiring internet service providers to block access to illegal content, they usually prefer to order the party hosting the illegal content to remove it. This is because blocking access might not be proportionate. In the case of child sexual abuse material or unauthorised disclosure of sexual content, there’s a notice and takedown provision under the Internet Law. Otherwise, there are no general laws requiring content to be blocked.

  • Data disclosure: 0
    Blocking requests: 0
    Lawful interception: N/A
    Number of websites required to be blocked:
    0

      2022
    Data Disclosure 0
    Blocking requests 0
    Lawful interception N/A
    Number of websites required to be blocked 0

    In Canada, we provide various networked IT products including data, voice and internet services. We operate from our Toronto office and employ around 70 people.

    Lawful interception

    The Radiocommunication Regulations generally prohibit intercepting radio communications. But there are exceptions – for example, for emergencies, investigations by public officials, government spectrum management and communications service provider network security.

    There are several circumstances where interception is allowed under the Criminal Code (as amended by the Protecting Canadians from Online Crime Act in 2015). These are:

    • by getting both one of the communicating parties’ consent and a public officer’s order (a public officer can be a peace officer and any public officer responsible for law enforcement)
    • if an agent of the state believes there’s a risk of bodily harm to the person who consented to the interception under the previous point
    • with a formal warrant from a judge or an urgent warrant from a justice of the peace.

    In an urgent situation, where there are no other means available under the Code, interceptions can also be allowed to stop serious harm to people or property.

    The Canadian Security Intelligence Services Act establishes conditions where the Canadian Security Intelligence Service can get a warrant from a judge if there’s a threat to national security or to collect foreign intelligence.

    Part V.1 of the National Defence Act establishes the conditions under which the Communications Security Establishment of Canada can get approval from the minister of national defence to intercept private communications involving foreign entities outside Canada. This is allowed as long as there’s no other way to reasonably get the information, and provided that Canadians’ privacy interests are protected.

    Data Retention

    The Code can require communications interception over a period of time. A warrant or production order specifies the data to be kept, for example, transmission data or tracking data, and how long for. This is done on a case-by-case basis.

    Data disclosure

    Law enforcement authorities and the security services can require communication service providers to provide data in the same way as interception (see ‘Lawful interception’ above).

    Canada’s Competition Act allows the commissioner of competition to apply to a judge of a superior or county court for the disclosure of data. This disclosure is made according to the production order.

    Under the Competition Act, the commissioner can also get a search warrant, which might include the reproduction of data found on a computer system.

    Web blocking

    Superior courts have wide powers to grant blocking orders. Under the Child Pornography Reporting Act, internet service providers must notify authorities about any situations involving child sexual abuse material.

    The Quebec government had adopted a law (Bill 74) to compel communication service providers to block illegal gambling websites. In July 2018, the Superior Court of Quebec decided that this law was unconstitutional.  

  • Data disclosure: 0
    Blocking requests: N/A
    Lawful interception: N/A
    Number of websites required to be blocked: N/A

      2022
    Data Disclosure 0
    Blocking requests N/A
    Lawful interception N/A
    Number of websites required to be blocked N/A

    In Colombia, we provide a range of services including data and internet access. We employ around 100 people in our office in Bogota.

    Lawful interception

    Generally, intercepting communications can only take place through a judicial order that meets the criteria set out in relevant laws. But interception can also take place without a court order to allow interception for the purposes of a criminal investigation by the public prosecutor. This is allowed as long as the public prosecutor issues an order to the judicial police who’ll be in charge of the technical aspects of the relevant operation and processing. This exception is allowed under Law 1453/2011, which amends the Colombian Criminal Procedure Code, and Decree 1704/2012 (compiled in Decree 1078/2015).

    These orders last for 3 months. They can be extended if the public prosecutor decides there are still grounds for interception. Any extension must be examined and authorised by a judge (juez de control de garantías). The order must be issued during an ongoing investigation and with the purpose of finding evidence. Within 24 hours of getting a report from the judicial police, the public prosecutor must appear before the relevant judge to examine the legality of the interception operation.

    Interception for the purposes of intelligence and counterintelligence is allowed if certain conditions are met, under Law 1621/2013 (regulated by Decree 857/2014).

    The government carries out interceptions after the relevant communications service provider grants access. The provider doesn’t directly take part in any interception operations.

    Data Retention

    Generally, all information about a subscriber of a service must be kept for at least five years. Under the Commercial Code, all commercial documents and information must be kept for at least ten years.

    Decree 1704 states that communication service providers must keep certain subscriber data for five years. This data includes a subscriber’s ID, invoicing information and type of connection, for example voice or data. Under this Decree, the communications service provider should also give the Office of the Attorney General specific information, like zone/sector, signal strength and geographic coordinates that might help identify the terminal or devices used in a particular communication. Decree 1704 applies when there’s a judicial investigation (criminal prosecution) and the public prosecutor needs to have access to certain information as evidence.

    Communication service providers must give information to certain authorities about a subscriber’s communications’ activities under Law 1621/2013 (see ‘Data disclosure’ below). This information

    includes:

    • their technical identification data
    • the location of the cells where the relevant terminals are
    • any other information that might help identify where someone is.

    This law applies to all intelligence and counter-intelligence activity.

    Resolutions No. 912/2008 and 3066/2011 (as modified by Resolution 511/2017) require that communication service providers must keep certain subscriber information.

    Data disclosure

    Any government body which is responsible for law enforcement or prosecuting or investigating crime can ask for data disclosure. This includes the public prosecutor and other government agencies like tax authorities. There are also certain legal requirements which must be fulfilled.

    Under Law 1581/2012, personal information can only be provided to a public authority if the authority’s carrying out its duties or a judicial order has been issued.

    Web blocking

    Internet service providers can be asked to block access to internet sites or services either by a judicial order issued by a competent judge or public prosecutor, or by orders issued by administrative authorities with an investigative capacity (for example, the Superintendence of Industry and Commerce, the Banking Superintendence, the Ministry of Communications, and the Financial Analysis and Information Unit). Most web blocking requests in Colombia are to do with child sexual abuse content.

  • Data disclosure: 6
    Blocking requests: N/A
    Lawful interception: N/A
    Websites required to be blocked: N/A

      2022
    Data Disclosure 12
    Blocking requests N/A
    Lawful interception N/A
    Number of websites required to be blocked N/A

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our reporting for 2024.

  • Data disclosure: 69
    Blocking requests: N/A
    Lawful interception: Can’t disclose
    Number of websites required to be blocked: N/A

      2022 2021 2020
    Data Disclosure 69 0 *
    Blocking requests N/A 0 0
    Lawful interception * N/A *
    Number of websites required to be blocked N/A 0  

    * Can't disclose

    We employ around 400 people across France one third of which are Security specialists. Our head office is in Paris. We provide services to large companies, including multinationals and multi-sites, which have complex communication and information system needs. In France, we support major companies in the finance, telecoms, industrial and services sectors by integrating, securing and managing network and cloud infrastructure and services.

    Lawful interception

    Interception can be required through administrative requests or judicial requests under French law.

    • According to the French Homeland Security Code (the CSI), the contents of a communication can only be intercepted for national security purposes – so that’s national defence, prevention of terrorism, prevention of organised crime and delinquency. To do this a minister in charge of homeland security, defence, justice, economy, budget or customs (or their delegate) must make an administrative request, which is then approved by the prime minister following an opinion from the National Intelligence Control Commission (CNCTR). If the situation is urgent, then it’s possible that the Commission is only informed of the interception.
    • Under the French Code of Criminal Procedure a judicial request for interception is needed for detecting or investigating cases of serious crime – for example, money laundering, organised gang crime or where the criminal penalty is three or more years in prison. Depending on the circumstances, an investigative judge, or a public prosecutor can authorise the request with written permission from the liberty and custody judge.

    Operators must put measures in place to comply with any requests.

    Data Retention

    Under the Postal and Electronic Communications Code, operators must keep data about voice and data services for up to a year. This includes subscriber information, names, addresses and communications data. It also includes passwords and payment information if the subscription is to online public communications. After the Digital Rights Ireland, Tele2Sverige AB and Watson cases, several associations asked the French Council of State to check if existing legislation governing data retention and administrative data access requests was legal. The claim wasn’t upheld.

    Data disclosure

    The Code of Criminal Procedure and other relevant legislation provides for the disclosure of communications data to judicial authorities, police officers, public prosecutors or an investigative judge. A judicial authorisation isn’t always needed.

    The protection authorities ARCOM (intellectual property) and ANSSI (information systems security) can also ask operators to give them data for investigations, findings and judicial proceedings related to:

    • copyright and related rights infringement
    • criminal offences
    • preventing unauthorised access to automated data processing systems.

    Under the French Homeland Security Code, the public service in charge of security interception (the Groupement Interministériel de Contrôle) can require that communication service providers give them data for security purposes. These requests must be approved by the prime minister or their delegate.

    Under Article L.65 quinquies of the Customs Code, French customs agents can require operators to give them data for customs investigations.

    Under Article L.96 G of the Tax Proceedings Code, French tax agents can require operators to give them data for tax investigations.

    Under Article L.114-19 of the Social Security Code, French social security agents (URSSAF) can require operators to give them data for social security investigations.

    Web blocking

    A judicial authority can make internet service providers block access to particular sites, to stop damage caused by content published online. And, under intellectual property law, the court can make an internet service provider carry out any measure necessary to stop the infringement of copyright or associated rights.

    The Central Office for Action to Fight against Crime related to Information Technology and Communication might also require internet service providers to block sites which carry child sexual abuse material, or promote terrorism, racial violence or hatred. A request to remove this type of material must first be made to the publisher of the website or the hosting service provider. If they don’t reply in 24 hours, the Central Office can ask an internet service provider to block the sites. French internet service providers have also been ordered to block access to pro-terrorism websites.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our reporting for 2024.

  • Data disclosure requests: 3707
    Blocking requests: N/A
    Lawful interception: 4577
    Number of websites required to be blocked: N/A

      2022 2021 2020
    Data Disclosure 3740 * *
    Blocking requests N/A N/A N/A
    Lawful interception 5285 * *
    Number of websites required to be blocked N/A N/A N/A

     

    * Federal Office publishes information

    We’ve been working in Germany for more than 20 years and provide global network and IT services to around 900 customers.

    We run our own network infrastructure in Germany, as well as our own Cityfibre Networks in four major German cities and three data centres which provide IT services and connections to our international IP network. We have five offices in Germany and around 800 employees. We provide data services including internet access, voice over internet protocol (VoIP) and cloud-based services.

    Lawful interception

    The German Telecommunications Act allows intelligence and law enforcement agencies to intercept communications, subject to limitations set out in the German Constitution.

    The right to privacy of telecommunications is protected under Article 10. Interception is authorised by a court order, which authorities must get beforehand, and must also meet certain requirements – for example, if someone’s committed or tried to commit a serious crime, or if there’s an imminent risk of a major attack on public security, like a terrorist attack. The legal bases for these court orders are in both federal law (especially section 100e of the German Criminal Procedure Code and section 23a of the German Customs Investigations Act) and in various regional acts on police powers to safeguard public security.

    The Criminal Procedure Code allows the public prosecutor’s office to issue an interception order in an urgent situation, which the competent court must confirm within three working days (section 100e (1) of the Criminal Procedure Code). The Federal Criminal Police Office Act also allows the president of the Federal Criminal Police Office to grant an interception order, as long as they then get judicial approval.

    As well as this, the Law on the Restriction of Privacy of Correspondence, Post and Telecommunications (called the ‘G-10Law’ from now on) allows the intelligence services to intercept a person’s communications without a court order. This can happen if they are suspicious that this person has committed certain offences which, among other things, endanger national security (section 1(1) no.1 and section 3 of the G-10 Law). The federal ministry of the interior must order any interception activities requested by federal intelligence services (section 10 of the G-10 Law) and the G-10 Commission must approve these in advance (section 15(5) of the G-10 Law).

    The exception is for situations where danger is imminent – in this case subsequent approval is enough (section 15(6) of the G-10 Law). The competent supreme authority of the state is responsible for orders for interception by state intelligence services (section 10 of the G-10 Law). The provisions for approving these measures must be set out in the respective state law (section 16 of the G-10 Law).

    The G-10 Law also allows German intelligence services to carry out untargeted interception in certain circumstances – that is intercepting certain geographic regions, rather than a specific individual suspect. This is allowed when interception is to stop:

    • armed attacks, including terrorist attacks, on Germany
    • certain serious crimes, including international drugs trafficking and money laundering (section 5 of the G-10 Law)
    • danger to the life or wellbeing of an individual who is abroad, where this danger directly affects the interests of Germany (section 8 of the G-10 Law).

    An authorised court order isn’t needed for this but the federal ministry of the interior must set the geographic parameters of the untargeted interception. The Parliamentary Control Panel must also approve this in advance, unless there is imminent danger, in which case subsequent approval is enough (section 14(2) of the G-10 Law).

    Anyone providing publicly available telecommunications services to more than 10,000 subscribers must install a surveillance system which complies with technical requirements set out in the German Telecommunications Surveillance Directive. Communication service providers can choose to carry out legal interception in house or delegate it to agents. Communication service providers, or their agents, must always be available for requests by phone and process them during normal business hours.

    Data Retention

    Under federal legislation adopted in 2008 (sections 113a and following of the Telecommunications Act), providers of public telecommunications services were required to keep subscriber information and traffic data for six months. But in 2010 the German Federal Constitutional Court held this legislation to be contrary to the German Constitution, because it was a disproportionate restriction of the right to privacy.

    Data retention legislation adopted in 2015 limits the data that is retained – for example, emails aren’t included. It also limits the length of the storage, which is normally ten weeks, but only four weeks for location data. Processes to comply with this legislation had to be implemented by 1 July 2017.

    In late 2016, the CJEU held that UK and Swedish legislation that required communication service providers to store subscriber and traffic data wasn’t compatible with the EU Charter of Human Rights. One of the reasons the CJEU gave was that the storage requirement must be limited to specific situations that could justify a temporary retention of data (see the Tele2 Sverige AB and Watson judgments).

    Although the CJEU decision didn’t directly concern German data retention legislation, the Court’s reasoning suggested that Germany’s legislation might not conform to EU law. For this reason, a German Superior Administrative Court granted a preliminary injunction to a German internet service provider that had chosen not to implement current legislation because of constitutional and EU law concerns. After this decision, the German Federal Network Agency stated it would stop enforcing the existing legislation until the end of the main proceedings, which might include a referral of the matter to the CJEU. Another German Administrative Court confirmed this position in favour of a German communications service provider in 2019.

    Data disclosure

    Under the Telecommunications Act, data can only be disclosed if the requesting party is legally authorised, and the disclosing party is legally authorised to disclose the data.

    The main avenue for disclosure of subscriber data is an automated procedure under which the German Federal Network Agency is tasked with retrieving data and forwarding it to the public authority that has asked for it (e.g. the police). This means that communication service providers must store all subscriber data on a server that the German Federal Networks Agency can always access (section 112 of the Telecommunications Act). A prior judicial order isn’t needed for the disclosure of subscriber data (i.e. not traffic or content data). If the automated procedure doesn’t deliver the right results, public authorities can also ask communication service providers directly for so called manual disclosure of subscriber data (section 113 of the Telecommunications Act). Communication service providers can choose to keep these subscriber files in-house or pass this on to a third-party supplier.

    By contrast, in general, disclosure of traffic data does need a prior judicial order, usually requested by the public prosecutor’s office (sections 100e and 101a of the German Criminal Procedure Code). If the situation is urgent, the public prosecutor’s office can issue a disclosure order, as long as it’s ratified by a competent court within three working days (sections 100e and 101a of the Criminal Procedure Code). Competent authorities can order disclosure of traffic data obtained as part of any interception activities carried out under the G-10 Law (see ‘Lawful interception’ above) without a court order, as long as the disclosure serves specific purposes (e.g. where they need it to stop a serious crime) (section 4(4) of the G-10 Law).

    Web blocking

    Under the German Interstate Treaty on Broadcasting and Telemedia, an internet service provider can be required by court order to block access to sites containing illegal content. Because no blocking order was ever made, the German Access Impediment Act about blocking child sexual abuse content was repealed after two years and hasn’t been replaced. Instead, the German Interstate Treaty on the Protection of Minors in the Media makes it a legal obligation for every internet service provider to check whether its content is appropriate for children.

    Under statutory law, various German courts have held that access providers can be liable for failing to block access to websites containing illegal content – for example content that infringes intellectual property rights. But according to a recent decision of the German Federal Supreme Court, there’s no room for this liability where rights’ owners haven’t taken reasonable steps to take direct action against the people responsible for the illegal online content.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our reporting for 2024.

  • Data disclosure: 0
    Blocking requests: N/A
    Lawful interception: N/A
    Number of websites required to be blocked:
    N/A

      2022
    Data Disclosure 0
    Blocking requests N/A
    Lawful interception N/A
    Number of websites required to be blocked N/A

    We have a long history of operating and investing in India, having started in 1987. With headquarters in New Delhi, BT India has operations in six key cities: New Delhi, Bangalore, Mumbai, Pune, Kolkata and Chennai. We started our commercial operations in 2007 when we got a licence to operate international and national long distance services.

    Our main delivery hub is based in Gurgaon, New Delhi. It covers all our lines of businesses and customers, from UK consumers to large multinational businesses. It’s also the largest BT building in the world, with almost 5,000 people working there.

    Lawful interception

    Interception, monitoring and collection of any information (including traffic data) are governed by:

    • the Information Technology Act 2000 (the ‘IT Act’)
    • the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009
    • the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules 2009.

    (Collectively, these are called the ‘IT Rules’.)

    ‘Information’ is broadly defined as including data, text, images, sound, voice, codes, computer programs, software and databases, microfilm and computer-generated microfiche.

    The Indian Telegraph Act 1885 and the Indian Telegraph Rules 1951 (the ‘Telegraph Laws’) regulate the monitoring of messages. This is again broadly defined to include any communication sent by telegraph or given to a telegraph officer to be sent or delivered.

    The terms ‘information’ and ‘messages’ are collectively referred to as ‘communications’. The IT Act, IT Rules and Telegraph Laws are collectively referred to as the ‘Data Interception Laws’.

    The telecom licence agreements we’ve entered into with the Indian Department of Telecommunications (the ‘Licence Agreements’) also allow certain government agencies (the ‘Monitoring Agencies’) to monitor communications traffic on a communications service provider’s network.

    Typically, an authorised government agency will serve a communications service provider with an order to intercept communications. This must be issued by a competent authority under the Data Interception Laws. Competent authorities include the secretary to the government of India in the Ministry of Home Affairs, the secretary in charge of the Home Department and the secretary to the government of India in the Department of Information Technology under the Ministry of Communications and Information Technology.

    The interception regime in India is evolving. Since October 2014, the government has required all communication service providers to connect their networks to a centralised monitoring system (CMS) under the terms of the Licence Agreements.

    The CMS was set up by the government to allow certain law enforcement agencies to intercept and monitor mobile and landbased telecommunications and internet-based traffic in India in real-time. This includes all communications. The CMS allows authorised law enforcement agencies to remotely access a communications service provider’s network at any time without the provider knowing about this.

    Data Retention

    The Data Interception Laws govern the retention of intercepted and monitored communications. An authorised government agency can compel a communications service provider to keep communications through an order from the competent authority. Under the Licence Agreements, communication service providers must keep records of all communications exchanged on their network for one year. This can include detailed call logs showing dates, and duration and time of each call. Relevant authorities can require that this data is kept for longer periods of time.

    Data disclosure

    The Data Interception Laws also govern the disclosure of intercepted or monitored communications. An order from the competent authority directing a communications service provider to intercept or monitor communications can also ask for their disclosure. The Monitoring Agencies are also allowed to access the communication records maintained by the communications service provider under the terms of the Licence Agreements.

    Web blocking

    BT India’s operations don’t control access to the internet or information held on it. And we don’t do any form of web blocking.

  • Data disclosure: 1895
    Blocking requests: 143
    Lawful interception: 1144
    Websites required to be blocked: 985

      2022 2021 2020
    Data Disclosure 2134 2362 *
    Blocking requests 139 158 0
    Lawful interception 1106 * *
    Number of websites required to be blocked 1507 1718  

     

    * The Ministry of Justice publishes this information

    BT Italia was formed after we acquired Albacom in 1995. We changed its name to BT Italia in 2006. Our head office is in Milan and we employ over 700 staff nationwide.

    In Italy, we operate a 9,800-kilometre long haul fibre optic infrastructure which connects the domestic PoPs, nationwide spread, and GPoPs, running global MPLS. We also locally serve BT’s global multinational customers and some of the major Italian financial services firms, utilities, fashion, retail and manufacturing companies, providing them networking, cloud and security solutions.

    Lawful interception

    There are a number of laws which govern interception and surveillance in Italy. The Code of Criminal Procedure allows a public prosecutor to ask a judge to authorise all forms of interception of communications in criminal cases, provided that it meets certain statutory conditions. In particular, interception is only permitted if there’s strong evidence that serious crimes are taking place – for example crimes punishable by at least five years in prison, drug or weapon trafficking, or child sexual abuse. Interception of communications can also only be permitted if it’s absolutely necessary for the purposes of the investigation.

    The authorisation issued by a judge is valid for 15 days, or 40 days in cases about the prosecution of organised crime. This can be extended for another 15 days at a time, or 20 days in cases of organised crime. If it’s urgent and a delay could seriously prejudice an investigation, the public prosecutor can order interception without judicial authorisation, as long as the order is immediately (at least within 24 hours) communicated to a judge. The judge has to decide whether to confirm or revoke the order within 48 hours. If they don’t confirm this within 48 hours, the interception is stopped and any data collected can’t be used.

    Under the Implementation Rules of the Code of Criminal Procedure, the Italian Home Office or senior officers of the main Italian police forces can ask the public prosecutor to authorise an interception to stop terrorism or organised crime. The prime minister or the directors of the secret services empowered by the prime minister can also make the same request, permitted by Law Decree no.144.

    As a general rule, interception must be carried out using equipment installed at the public prosecutor’s office dealing with the investigation. But if it’s urgent and the equipment doesn’t work properly or isn’t right, the public prosecutor can issue a reasoned order authorising the interception to be carried out using the equipment of the judicial police. When intercepting electronic communications like emails, the public prosecutor can order that the operation is made through equipment owned by private entities or individuals.

    The Italian rules around lawful interception were recently amended by Legislative Decree no.216 of 29 December 2017. This modified some rules of the Italian Code of Criminal Procedure, extending obligations of confidentiality for intercepted communications. In particular, the new rules provide that intercepted communications – and, when relevant, their transcriptions – must be stored at the public prosecutor’s office. Only the preliminary investigations judge, the lawyers of the relevant parties and other authorised roles (for example court officers) can access these. As well as this, the Legislative Decree reinforces the protection of private conversations between an accused person and their lawyer. If the lawyer asks, interceptions that aren’t relevant to a trial (including those containing sensitive data) must be destroyed.

    Data Retention

    Data retention requirements for preventing and punishing crime were originally contained in the Data Protection Code. This required telephone traffic data to be kept for 24 months and internet traffic data for 12 months (Article 132 of Data Protection Code).

    Following the judgment in Digital Rights Ireland, which invalidated the underlying EU Data Retention Directive, Italy introduced an anti-terrorism law. This required all telephone and telematics data kept and collected on 21 April 2015 to be retained until 30 June 2017. This law then expired, which meant the general data retention rule under the Data Protection Code applied again. No specific government order is required for these general obligations.

    Recently, Law 167/2017 provided a new exemption from the data retention requirements of the Data Protection Code. Under Article 24 of Law 167/2017, telephony and telematics traffic data can be kept for 72 months where necessary to stop certain types of serious crimes, for example terrorism or organised crime.

    The law doesn’t provide a way to target specific individuals, whose data should be kept on the basis that there is objective evidence showing links to the planning or commission of serious crimes. In practice it is likely that those people will only be able to be identified afterwards, for example, by the public prosecutor when they start an investigation into the serious crime. 

    Data disclosure

    The disclosure of retained data is mainly governed by the Electronic Communications Code and the Data Protection Code. In general, the competent judicial authority can request that communication service providers provide data for the purposes of justice, with a detailed order referring to the criminal proceedings concerned and outlining the specific data required. The obligation of a communications service provider to comply is set out in Article 96 of the Electronic Communications Code.

    Under Article 132 of the Data Protection Code, the public prosecutor, a person accused of a crime or their counsel can ask for retained data to be disclosed during the relevant retention periods.

    Under Article 55 of the Electronic Communications Code, a judicial authority can also access, for purposes of justice, data held by the Home Office. Each communications service provider will have passed this data to the Home Office about their own subscribers.

    Under Article 226 of the Implementation Rules of the Code of Criminal Procedure, the public prosecutor, the Home Office, directors of the national secret services or senior police officers can request data disclosure in terrorism or organised cases.

    Communication service providers must disclose any requested information and grant access to their databases to the Italian secret services for national cyber-security reasons. This is under Act No.124 of 23 August 2007 and the Decree of the Prime Minister No.110835 of 17 February 2017.

    Web blocking

    Either a judicial authority (in criminal or civil proceedings) or a competent independent supervisory administrative authority (for specific crimes) can require a communications service provider to block access to internet sites or services.

    The National Centre Against Child Pornography Centre, established by the Home Office, publishes a list of sites containing child abuse material. Internet service providers must block these within six hours of getting the list, which is continuously updated. Internet service providers must also tell the Centre if they become aware of any of this content. They must also block any material if a judicial authority orders them to for a criminal investigation.

    There are also regulations which require internet service providers to block access to copyright infringing material if the Italian Communications Authority orders it. This can include removing single instances of copyright infringing material where the internet service provider hosts the material, or blocking access in the case of a serious infringement, including where the material’s on a website hosted in Italy.

    Law 167/2017 requires the Authority to issue a new regulation which governs cases of online copyright infringement, specifically to include interim injunctions that rights holders can apply for from the Authority. This new regulation will, among other things, provide an appeal mechanism against the Authority’s decisions as well as appropriate measures to make sure violations aren’t repeated. So far this regulation hasn’t been adopted.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our reporting for 2024.

  • Data disclosure: 1
    Blocking requests: N/A
    Lawful interception: N/A
    Websites required to be blocked: N/A

      2022 2021 2020
    Data Disclosure 4 0 2
    Blocking requests N/A N/A 0
    Lawful interception N/A N/A N/A
    Number of websites required to be blocked N/A N/A  

    We’ve been working in Japan since 1985, with offices in Tokyo and Osaka that employ over 50 people. We provide network coverage to 11,200 customer sites in Japan. This includes three IP Connect Global PoPs and voice connectivity from Tokyo, which provides inbound and outbound voice calls.

    We also run a 24x7 multilingual network operations centre in Tokyo and provides hosting services, with support on site and a helpdesk. In Japan we cater for both domestic customers and large multinational companies.

    Lawful interception

    Under the Act on Wiretapping for Criminal Investigation, a district court judge can issue a warrant to competent investigation authorities who are investigating crime to intercept communications. Communication service providers must cooperate fully with investigation authorities.

    There isn’t a law in Japan which justifies interception for state security.

    Data Retention

    There aren’t any general requirements for communication service providers to keep data. But the Code of Criminal Procedure allows competent investigation authorities to order a provider to keep a history of communications relating to criminal investigations for up to 60 days, on a case-by-case basis. 

    Data disclosure

    The Code of Criminal Procedure also allows the competent investigation authorities to carry out searches or seize electromagnetic records. This includes communication histories, like names and dates and times. They can do this to investigate an offence, and a judge must issue a warrant.

    Web blocking

    There aren’t any legal requirements to block access to internet content in Japan.

    Some legislation requires internet service providers to make an effort to co-operate with investigating agencies or take action to stop people sending information about child sexual abuse material, or hacking websites. One way this is done is by actively managing passwords. These actions are on a best-efforts basis. But there are also efforts in both the public sector (by the Ministry of Internal Affairs and Communications) and the private sector (by the Internet Content Safety Association) to identify and filter inappropriate content like child sexual abuse materials.

  • Data disclosure: 13
    Blocking requests: N/A
    Lawful interception: 7
    Websites required to be blocked: N/A

      2022 2021 2020
    Data Disclosure 16 * *
    Blocking requests N/A N/A 0
    Lawful interception 4 * *
    Number of websites required to be blocked N/A N/A  

     

    * See information published by the Ministry of Justice

    In the Netherlands, our head office is in Amsterdam where we employ over 500 people.

    We have had a presence in the Netherlands since 1989. We provide network and IT services, professional services and wholesale services as well as a range of domestic VPN, ethernet and internet services, including more than 6,700 km of fibre network nationwide. BT also has its own data centres in Amsterdam, Rotterdam and Nieuwegein.

    Lawful interception

    Under Chapter 13 of the Dutch Telecommunications Act providers of public telecommunications networks and services are required to provide a permanent capability for interception and to co-operate with judiciary authorities when it comes to lawful interception.

    The powers of the Dutch judiciary authorities to intercept communication for law enforcement purposes are laid down in Art. 126la-126nb of the Dutch Code of Criminal Procedure.

    Under Art. 126m of the Code of Criminal Procedure, the public prosecutor can order officers charged with an investigation – for example, the police – to carry out an interception of communication. Such an order can only be given in case of a suspicion of a crime punishable by imprisonment of four years or more (with the suspect being eligible for pre-trial detention) which constitutes a serious breach of the legal order, if the interception is urgently needed for the investigation and following a written court order.

    When the order relates to communication over a public telecommunications network or using a public telecommunications service, the  public prosecutor must issue a formal request to the telecommunications service provider to assist with the interception activities, unless this is not possible or not in the interest of the investigation to ask for this cooperation. The telecommunications service provider must comply.

    Art. 126t and Art. 126zg of the Dutch Code of Criminal Procedure provide for similar powers in case of organised crime or indications of a terrorist crime.

    The powers of the intelligence and security services to intercept communication are laid down in the Act on the Intelligence and Security Services 2017 (the ‘WIV’).

    Under the WIV the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) may carry out targeted interception, recording and tapping of any form of conversation or electronic communication, inter alia by means of a telephone or internet tap. They are also allowed to carry out untargeted or bulk interception of electronic communication, subsequently determining its nature, determining or verifying the persons or organizations involved, and applying automated data analysis to the metadata and selectively selecting the content data for further analysis. Operators must help them do this – for example, by decrypting encrypted data.

    The AIVD and the MIVD may use these powers if this is necessary for the tasks of the intelligence and security services, the means are proportionate in relation to the purpose and there are no less intrusive means available. The powers should also be deployed as targeted as possible. The use of these powers requires the prior authorisation of the concerned minister: for the AIVD this is the minister of the interior and kingdom relations, for the MIVD the minister of defence. At the written request of the head of the relevant service, the competent minister can grant this permission for a maximum period of 3 months, after which a request can be made for an extension for the same period. Judicial authorisation isn’t needed.

    Data Retention

    Art. 13.2a of the Dutch Telecommunication Act contains a data retention obligation for providers of public telecommunication networks and/or services but it is currently not in effect. This provision is the Dutch implementation of the EU Data Retention Directive which was invalidated in 2014 by the EU Court of Justice in case C-293/12 and C-594/12 (Digital Rights Ireland), because it violated the right to respect for private life and the right to protection of personal data as laid down in Art. 7 and 8 of the EU Charter of Fundamental Rights. After that, the Dutch implementation act continued to be in force, until on 11 March 2015 the District Court of The Hague following the EU Court of Justice, declared Art. 13.2a Dutch Telecommunication Act non-binding and put it out of effect. As a result, there is currently no obligation regarding for communications service providers to retain communications data for law enforcement and national security purposes in the Netherlands.

    This might change in the future. In October 2016, the secretary of state for justice and security submitted a proposal for a new data retention law to parliament which require communication service providers to keep internet related data for six months and telephone data for 12 months. Following the judgments of the EU Court of Justice in the Tele2 Sverige AB and Watson cases (cases C-203/15 and C-698/15), the minister announced that the proposal would be significantly amended and the mandatory retention would be limited to the identification data (e.g. IP addresses or phone numbers) of the user of a communication service. It is currently not clear if, when and in what form this law will enter into force.

    Data disclosure

    The Code of Criminal Procedure and the WIV allow the public prosecutor, the AIVD, the MIVD and, in some cases, officers in charge of an investigation to request providers of telecommunication service to provide communications meta data and/or data concerning the subscriber or users of the service.

    Web blocking

    Under Art. 6:196c of the Dutch Civil Code and Art. 54a of the Dutch Penal Code online intermediaries such as internet providers, hosting providers and online platforms service are exempted from civil and/or criminal liability for their customers’ content on and use of their services. They can only be held liable if they are (made) aware of clearly unlawful content and fail to take action to promptly remove this content or make it inaccessible.

    The Dutch government and the internet industry have agreed on a code of conduct with a procedure for handling notice and take down requests with regard to unlawful or criminal content on the internet. When service providers comply with this procedure, they cannot be held liable for the unlawful actions of their users. They can however still be required by a court or public prosecutor to block or remove unlawful content and/or to provide identifying information.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our reporting for 2024.

  • Data disclosure: 0
    Blocking requests: N/A
    Lawful interception: N/A
    Websites required to be blocked: N/A

      2022
    Data Disclosure 18
    Blocking requests N/A
    Lawful interception N/A
    Number of websites required to be blocked N/A

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our reporting for 2024.

  • Data disclosure: 52
    Blocking requests: N/A
    Lawful interception: 0
    Websites required to be blocked: N/A

      2022 2021 2020
    Data Disclosure 175 * *
    Blocking requests N/A N/A 0
    Lawful interception 0 * *
    Number of websites required to be blocked N/A N/A  

    * Can't disclose

    BT Ireland provides data, voice and internet services to government and major businesses in the Republic of Ireland. We also provide wholesale network services, supplying telecommunications products and services to key communications providers.

    Until 2009, BT Ireland also provided voice and internet services to consumers and small businesses. Most of these customers were transferred to Vodafone via a wholesale agreement. But we still provide services to a small number of consumers and small businesses on our dial-up internet service.

    Lawful interception

    Historically, the Postal and Telecommunications Services Act 1983 (as amended by the Postal Packets and Telecommunications Messages (Regulation) Act 1993) was taken to mean that a communications service provider must intercept any form of communications, including post, phone and email. These had to be issued with a written authorisation by the minister for communications or the minister for justice.

    But in 2016 the Irish Department of Justice stated publicly that it doesn’t interpret the 1993 Act as giving a lawful basis for intercepting email communications. They laid this out in a policy document called ‘Amendments to the legislative basis for the lawful interception of communications’, in November 2016.

    Under the Criminal Justice (Surveillance) Act 2009, senior law enforcement officers can apply to a district court for a court order to allow interception in specific circumstances in criminal investigations.

    A High Court judge is designated to review the use of powers under both the Postal and Telecommunications Services Act 1983, the Postal Packets and Telecommunications Messages (Regulation) Act 1993 and the Criminal Justice (Surveillance) Act 2009.

    Data Retention

    The previous law relating to the retention of data in Ireland, the Communications (Retention of Data) Act was subject to a legal challenge in the Irish High Court. This led to a referral to the CJEU, which found that the Data Retention Directive (Directive 2006/24/EC) wasn’t valid (see the case Digital Rights Ireland v Minister for Communications and Others, joined cases C-293/12 and C-514/2). A later challenge to the Act was brought in the case of Dwyer v Commissioner of An Garda Síochána & Others 2015/351 P.

    In response to these challenges, the Irish government passed the Communications (Retention of Data) (Amendment) Act 2022, parts of which came into force on 26 June 2023. Under the new law, general and indiscriminate retention of communications traffic and location data are only allowed on national security grounds and require approval by a designated judge.

    The new law requires user data and internet source data to be retained for a period of 12 months, for various purposes including combating crime, safeguarding State security, protecting the life and safety of persons, or locating missing persons. General and indiscriminate retention of communications traffic and location data is only permitted for national security purposes, subject to judicial approval by a designated judge. The law also makes provision for Preservation Orders and Production Orders which may be obtained by an Garda Síochána, the Defence Forces, the Revenue Commissioners or the Competition and Consumer Protection Commission.

    Data disclosure

    The Retention Act gives specified senior law enforcement officers (including the revenue commissioners, Competition and Consumer Protection Commission and the Garda Síochána Ombudsman Commission), military officers and judges power to order communication service providers to disclose data for certain purposes (for example, to safeguard security or prevent a serious offence). Disclosure requests must be made in writing, unless they’re urgent, in which case they can be made verbally.

    Other law enforcement agencies can get search warrants under a wide range of legislation, like the Criminal Justice Acts, the Competition and Consumer Protection Act 2014, the Companies Act and the Taxes Consolidation Act 1997. Search warrants that mean a communications service provider must provide copies of retained data can be issued by a district court judge or a peace commissioner.

    Web blocking

    A copyright holder can apply to the Irish High Court to grant an injunction requiring internet service providers to block specific IP addresses which are infringing copyright. This is allowed under the Copyright & Related Rights Act 2000 (as amended by the European Union (Copyright and Related Rights) Regulations 2012).

    In 2016, the Irish Court of Appeal affirmed the power of the High Court to order non-infringing internet service providers to put a graduated response system in place for customers who infringe copyright under the Copyright & Related Rights Act 2000 (see the case Sony Music Entertainment (Ireland) Ltd & Others v UPC Communications Ireland Ltd [2016] IECA 231). We aren’t aware of any further orders being granted by the High Court. But it is possible they have been granted but not publicised.

    BT Ireland is a member of the Internet Service Providers Association of Ireland (ISPAI). Their code of practice requires members to comply with notices from www.hotline.ie that ask for potentially illegal material to be removed from websites or newsgroups hosted by members, as long as it is technically practical to do that.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our reporting for 2024.

  • Data disclosure: 22
    Blocking requests: 41
    Lawful interception: 0
    Websites required to be blocked: 100

      2022 2021 2020
    Data Disclosure 18 5 47
    Blocking requests 34 32 39
    Lawful interception 0 0 1
    Number of websites required to be blocked 57 74  

    We have provided services in Spain for 25 years. Our headquarters are in Madrid and we employ around 220 people.

    Lawful interception

    Interception powers are governed by the Criminal Procedure Act, which was approved by Royal Decree of 14 September 1882, as amended by Act 13/2015 of 5 October 2015. A competent court can order communications to be intercepted if the judicial police, the intelligence agencies or the customs agencies ask them to, and it is for a criminal investigation about certain serious offences – for example organised crime or terrorism.

    In urgent cases, and where an investigation is being carried out into crimes by armed gangs or terrorists, the ministry of Home Affairs, or the secretary of state for security, can order the interception of communications. The courts must review and confirm or revoke the order within 72 hours.

    Requests for interception must be based on objective evidence that they’ll help verify facts or circumstances that are relevant to a criminal investigation.

    Under the Organic Act 2/2002, the Supreme Court can authorise the secretary of state for directorship of the National Intelligence Centre to adopt measures that might affect the secrecy of communications, including intercepting them. This is as long as these measures are necessary to perform the tasks assigned to the NIC – for example to protect national security and prevent crime.

    Under Law 9/2014 of the General Telecommunications and the Royal Decree 424/2005, a communications service provider must intercept communications when asked by a court or the NIC. So communication service providers must maintain a permanent technical interface for this purpose, based on government technical specifications. They must use this to transfer intercepted information to interception reception centres, where authorities can access it.

    Data Retention

    Data retention is governed by Law 25/2007 on retention of data related to electronic communications and public communication networks.

    Operators that provide publicly available electronic communications services or operate public communications networks must keep traffic data about voice services, including fixed and mobile, and internet services for 12 months. Communication service providers and internet service providers must keep data for crime-fighting purposes, even if a specific order hasn’t been issued. This period can be reduced to six months or extended up to two years by the government, after consulting with the communication service providers, and depending on the data in question.

    Law 25/2007 expressly states that content data can’t be retained.

    Data disclosure

    Law 25/2007 allows authorised agents to ask for data for detecting, investigating or prosecuting serious criminal offences. These agencies include members of the state security forces, Customs Surveillance Directorate or agents from the National Intelligence Centre, who must get an order from the competent court. Data disclosure is also regulated by Act 13/2015, which modifies the Criminal Procedure Act.

    Web blocking

    Under Act 34/2002 on Information Society Services and Electronic Commerce, authorities can block access to a website if it infringes certain principles of public policy and human dignity, including intellectual property rights and the protection of children. In certain cases – for example if the measure to be adopted might affect fundamental rights like freedom of speech or right to information – the competent court must authorise the web blocking.

    Any provider of information services, including internet service providers, must co-operate with authorities when it comes to blocking internet sites.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our reporting for 2024.

  • Data disclosure: 2
    Blocking requests: N/A
    Lawful interception: N/A
    Websites required to be blocked: N/A

      2022
    Data Disclosure 3
    Blocking requests N/A
    Lawful interception N/A
    Number of websites required to be blocked N/A

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our reporting for 2024.

  • Lawful interception: Can't disclose
    Data disclosure: 300
    Blocking requests: N/A
    Websites required to be blocked: We block websites as mandated in two online lists published by the gambling authorities.

      2022 2021 2020
    Data Disclosure 145 73 0
    Blocking requests N/A N/A 39
    Lawful interception* * * *
    Number of websites required to be blocked ** ** **

     

    * Can't disclose
    ** We block websites as mandated in two online lists published by the gambling authorities.

    In Switzerland, we provide various networked IT services including data, voice and internet services. We have operated in Switzerland since 1992. Our headquarters are in Zurich-Wallisellen and we have offices in Berne, Basel and Geneva, which employ more than 200 people.

    Lawful interception

    The revised Postal and Telecommunications Surveillance Act, along with the Federal Act on International Judicial Assistance in Criminal Matters, allow certain law enforcement authorities to carry out surveillance of telecommunications networks. They need communication service providers to provide access to their premises and systems for real time and retroactive surveillance. Other providers and company network and public access point operators must also provide access. Authorities can ask for surveillance:

    • in criminal proceedings
    • to search for missing people or for people who have to serve a custodial sentence
    • to provide international legal assistance
    • as required under the Federal Intelligence Service Act (see below).

    Law enforcement authorities must get court approval for surveillance requests. The Surveillance Office runs a centralised data processing system. Surveillance data collected from communications service providers goes through this database. The Surveillance Office can then give it to the authority who has asked for it. While communication service providers have only very limited rights to challenge surveillance requests, people who are the target of the surveillance can challenge them.

    The Federal Intelligence Service Act allows the Federal Intelligence Service to ask for help from communication service providers for interception activities. It’s possible for a private operator to challenge these requests under Federal Intelligence Service Act in the Federal Administrative Court.

    In exceptional circumstances, like an emergency or when national interests or security are at risk, the Federal Telecommunications Act allows the Federal Council or the Federal Department on the Environment, Transport, Energy and Communications to order communication services to be intercepted, limited or interrupted.

    Data Retention

    Under the Postal and Telecommunications Surveillance Act, communication service providers must keep certain information about users for the length of their contractual relationship, and then for six months after this ends. It also requires communication service providers to keep certain identification, traffic and marginal communications data for six months.

    Data disclosure

    Communication service providers must keep their users’ communications confidential. But if the Surveillance Office asks for them, they must give them the data.

    Web blocking

    At the moment there are no laws specifically regulating website blocking in Switzerland. But these requirements might arise either to limit our own potential liability for contributing to the distribution of unlawful content, or where courts order certain unlawful content (like copyright infringing material or illegal pornography) be blocked.

     

  • Data disclosure: 0
    Blocking requests: N/A 
    Lawful interception: Can't disclose
    Websites required to be blocked: N/A

      2022 2021 2020
    Data Disclosure 3 * *
    Blocking requests N/A 0 0
    Lawful interception * * *
    Number of websites required to be blocked N/A N/A N/A

    * Can't disclose

    We’ve provided telecommunications services in the United States for more than 30 years. Our US headquarters are in Dallas, Texas. We employ more than 2,000 people and have offices in more than 16 cities across the US.

    We own and operate our own network infrastructure in North America. This includes nationwide coverage in all major US cities, making ours one of the largest networks of this type in the region. Around half of our top 2,000 customers operate in North America, which is why we have such a large presence here.

    Lawful interception

    There are separate laws for law enforcement access to communications data and access for national security and intelligence purposes.

    Under the Wiretap Act, a federal or authorised state judge can issue a wiretap order that allows law enforcement agencies to intercept oral, wire or electronic communications. The application must meet certain conditions, which include probable cause that the interception will reveal a federal crime.

    A court can also issue a pen/trap order, which is authorised by the Pen/Trap Statute, as long as an executive officer provides the required certification. The order can be used to get dialling, routing, addressing or signalling information, but not the contents of a communication.

    The Foreign Intelligence Surveillance Act allows the Foreign Intelligence Surveillance Court to authorise a federal officer to conduct certain surveillance if there’s probable cause that the target is a foreign power or an agent of one (among other requirements). In an emergency, the Attorney General can authorise the order to get foreign intelligence information, but they must also inform a judge and apply for an order in the usual way within seven days.

    The Attorney General can also authorise interception without a court order under the Attorney General Foreign Intelligence Surveillance Act directive. This allows an interception for up to one year if it only targets communications between foreign powers, and if other conditions around the impact on US citizens are met.

    The Foreign Intelligence Surveillance Act also allows the Attorney General to order a communications service provider to provide information, facilities or technical assistance for interception. They don’t need a court order for this, but the communications service provider can ask for a judicial review.

    The Communications Assistance for Law Enforcement Act states that communication service providers and related equipment manufacturers must have a permanent capability on their networks which allows law enforcement officers to carry out electronic surveillance.

    Data Retention

    The Stored Communications Act regulates the government’s ability to get the stored content of electronic communications and subscriber data from communication service providers. They can order providers to preserve communications records for 90 days and extend this for a further 90 days.

    Under the Federal Communications Commission Regulations, telecommunication carriers must keep any records that are necessary for billing information about telephone toll calls for 18 months.

    Civil litigants also have the right to require communications data to be preserved under the Federal Rules of Civil Procedure.

    Data disclosure

    Law enforcement officials and intelligence agency officials can make a communication service provider disclose data they hold through court orders, warrants or subpoenas. These must be authorised under the Stored Communications Act.

    The intelligence agencies can ask for data about foreign powers, either by National Security Letters, under the PATRIOT Act, or by a Foreign Intelligence Surveillance Act court order. The CLOUD Act amended the Stored Communications Act to allow federal law enforcement to compel communications services providers to provide requested data stored on servers regardless of whether the data is stored in the US or overseas.

    The Communications Act also gives consumers the right to require reasonable disclosure of their own data from companies that store it.

    Web blocking

    Blocking internet content generally isn’t authorised under current legislation. The US Supreme Court has invalidated blocking orders made in the lower courts on the basis that they breach the right of free expression in the First Amendment to the American Constitution. This includes indecent material likely to be accessible to under 18s.

    There are exceptions to this, including in the Digital Millennium Copyright Act. Here copyright holders can ask for injunctions against internet service providers which force them to take down infringing content.

    UK-US Data Access Agreement

    Under the Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering Serious Crime, which entered into force on 3 October 2022, BT Plc can be served directly with legal requests for disclosure of data from law enforcement authorities in the USA (UK law enforcement can make similar requests of US telecommunications providers). These requests are covered above in our transparency reporting for the UK.