Poland’s Ombudsman has appealed for revisions to laws governing data retention by security services, emphasizing citizen notification rights.
Data Retention Concerns Raised
The Polish Ombudsman is urging changes to regulations concerning data retention by Polish security services. The Ombudsman believes a real mechanism for informing individuals about the acquisition of their data is necessary, ideally within one or two years of the data being obtained.
Formal Appeal to Ministries
The Ombudsman has formally addressed the Minister of Digital Affairs, the Minister of Justice-General Prosecutor, the Minister of Interior and Administration, and the Minister Coordinator of Special Services regarding legislative changes related to telecom data retention by services and the police.
Data as Detailed Personal Information
The Ombudsman points out that telecom data – including billing information, location data, IP addresses, and subscriber details – provides state authorities with precise information about an individual’s life. This data can be stored and used against a person, potentially as intrusive as covert surveillance of communications content.
Need for Individual Notification
The Ombudsman’s assessment includes the need for a practical mechanism to notify individuals when their data has been acquired, occurring one or two years after the fact.
European Court Ruling Cited
Marcin Wiącek referenced a May 28, 2024 ruling by the European Court of Human Rights in the case of Pietrzak and Bychawska-Siniarska and others v. Poland. The ruling primarily addressed issues of operational control and systemic flaws in covert surveillance. The Ombudsman presented these concerns in a submission on August 7, 2025, outlining necessary legal changes.
System Designed for National Security
The Ombudsman believes the entire data retention system is designed based on standards permissible only for national security purposes. Current regulations allow for generalized and undifferentiated retention of traffic and location data as a “default model.”
Legislative Changes Required
The Ombudsman assesses that changes require amendments to the Code of Criminal Procedure, and laws including the Electronic Communications Law, the Police Act, the Border Guard Act, the Internal Security Agency and Intelligence Agency Acts, the Central Anti-Corruption Bureau Act, the Military Intelligence Service and Military Counterintelligence Service Acts, the National Revenue Administration Act, the Military Gendarmerie Act, and the State Protection Service Act. Resumption of work on the implementing regulation to Article 49(2) of the Electronic Communications Law is also needed.
Data Protection Authority Raises Concerns
In March, the President of the Office for the Protection of Personal Data also highlighted the issue, stating that regulations requiring mobile operators to collect and store user data for 12 months are inconsistent with the Constitution and EU law.
