Where we have a local licence or operate our own network, we might have to help government authorities in ways that could affect people’s rights to privacy or freedom of expression. This could include requests to hand over information about the services we provide, intercept voice calls or data, or block access to certain material on the internet. We have a dedicated unit within BT who handles such legal requests in line with our policies and processes, and with support from our legal and human rights teams.   

Below is a summary of the requests we’ve received in 2024 by country. Where we don’t provide this information, we give a reason why. This could be because:   

  • We can’t disclose it - in some countries, publishing this type of information is against the law, in others the law might not expressly stop us from disclosing, but authorities have told us we can’t publish it. 
  • It’s published somewhere else – if information is published for the whole industry by a government or other public body, we refer to those publications.  

Summary of interception, data disclosure and blocking requests (1 Jan to 31 Dec 2024)

  • Data disclosure: Can’t disclose
    Blocking requests: N/A
    Lawful interception: Can’t disclose
    Number of websites required to be blocked: N/A

    In Australia, we provide various networked IT services including data, voice and internet services. We operate from our Sydney, Melbourne and Perth offices and employ around 100 people.

    Lawful interception

    The Telecommunications (Interception and Access) Act 1979 (Cth) regulates access to telecommunications content and data in Australia (including intercepting communications in specific circumstances). Under this Act, intercepting telecommunications is only justified for law enforcement and national security purposes. The only people who can issue a warrant to intercept communications are a judge, a nominated member of the Administrative Appeals Tribunal, the attorney-general or the director-general of security (in an emergency).

    Data Retention

    The Telecommunications (Interception and Access) (TIA) Act 1979 requires telecommunications service providers that use infrastructure in Australia to operate any of their services may be subject to data retention obligations. Service providers include: licenced carriers, carriage service providers and internet service providers. Some services are excluded from the data retention obligations. Service providers may also seek exemptions or variance from the data retention obligations.

    The data retention obligations require some telecommunications service providers to retain specific telecommunications data (the data set) relating to the services they offer for at least 2 years. The retained data must be encrypted and protected from unauthorised interference and access. Some subscriber information (a category of data in the data set) must be retained for the life of the account and for a further 2 years after the account is closed.

    Depending on the type of service offered, service providers may not be required to retain all categories of data in the data set.

    Data disclosure

    The Telecommunications (Interception and Access) Act 1979 also allows certain law enforcement and security agencies to access telecommunications data held by communications service providers.

    Requests for access to data are independently overseen by the Commonwealth Ombudsman or, in the case of the Australian Security Intelligence Organisation, by the inspector-general of intelligence and security.

    Web blocking

    Under the Telecommunications Act 1997 (Cth), internet service providers must try to stop telecommunications networks and facilities being used for crime. The Australian Federal Police use this power to instruct internet service providers to block websites which contain child exploitation material through the Access Limitation Scheme. It’s also used to tackle cyber-crime.

    The Australian Communications and Media Authority has a remit under Schedule 5 of the Broadcasting Services Act 1992 (Cth) to require internet service providers to stop access to certain content (for example, child sexual abuse content) which is hosted outside of Australia. It has a similar remit under Schedule 7 of the Broadcasting Act for content services located in Australia.

    Under the Copyright Act 1968 (Cth), rights holders can apply to the Federal Court for an injunction that requires internet service providers to take reasonable steps to block access to overseas operated websites which infringe copyright or facilitate copyright infringement. This power was introduced by the Copyright Amendment (Online Infringement) Act 2015 (Cth).

  • Data disclosure: Can’t disclose
    Blocking requests: Can’t disclose
    Lawful interception: Can’t disclose
    Number of websites required to be blocked: Can’t disclose

    We operate from our Diegem office and employ around 122 people. As part of BT International, we serve multinational customers with dedicated products, platforms and people, helping them to meet the challenges and opportunities of AI-driven change head on. Our two brand-new, AI-ready, highly scalable, international platforms, Global Voice and Global Fabric, are designed to deliver highly secure and resilient communication and network services around the world supporting customers' growth and prosperity. 

    In Belgium, article 39bis of the Belgian Code of Criminal Procedure (BCCP) provides the legal framework for investigating seized IT systems and web filtering.

    Article 90ter of the Belgian Code of Criminal Procedure grants an investigating judge the power to order real-time interception of communications under specific circumstances and for specific offenses. This article, along with Articles 46bis, 88bis, and 90quater, provides the legal basis for various measures related to electronic evidence, including identification of data, metadata, and content.

    Article 88ter of the Belgian Code of Criminal Procedure provides the legal framework for remote searching and seizure in IT systems.

    Article 90quater of the Belgian Code of Criminal Procedure outlines the conditions and procedures for obtaining orders for the identification, metadata, localisation, traffic, access, and content data of electronic communications. This article is a key legal basis for accessing electronic evidence in investigations.

    Based on the level of intrusion on privacy of the user, specific procedural conditions and safeguards have been put in place for the different types of measures.

    Lawful interception

    Under Article 90ter of the Belgian Code of Criminal Procedure, for secret purposes, an investigating judge may intercept, examine and record communications that are not accessible to the public, or data from a computer system or part thereof, using technical means. The judge may also extend the search to a computer system or part thereof.

    This measure may only be ordered in exceptional cases. It is only used when the requirements of the investigation so demand, and if other means of investigation are insufficient to establish the truth.

    If national security is at stake, the Director General of the intelligence and safety services can order a draft authorisation for interception. This will either be accepted or rejected by a special committee in charge of surveillance. This process is governed by Articles 18/9, 18/10, 18/17 and 44 of the Intelligence and Safety Services Act of 30 November 1998.

    The General Military Intelligence and Safety Service (GMISS) can also intercept communications that come from abroad. In December each year, the GMISS produces a list of organisations and institutions whose communications it plans to intercept, with a justification for each. The minister of defence has 10 days to accept or reject the list. If it is urgent, and there is a clear need, the GMISS can intercept communications for organisations or institutions that are not on the list. But the GMISS must let the minister of defence know about this as soon as possible and not later than the next business day after the start of the interception. If the minister disagrees with the interception, they can stop it (Article 44/3, 1° Intelligence and Safety Services Act).

    Data Retention

    Operators must retain data relating to subscribers and metadata for the purpose of the authorities as set out in articles 2, 74°, 91° to 93°, 126 to 126/3 and 127/2 of the Belgian Electronic Communications Act (ECA) dated 13 June 2005 and its associated regulations. 

    Operators are required to retain certain subscriber data in a generalised and undifferentiated manner for the purpose of emergency services, security and the proper functioning of the networks and electronic communications services, combating crime, fraud and specific malicious use or safeguarding national security.

    The retention period varies depending on the data but is usually 12 months. Operators must also retain certain types of metadata for certain areas of the Belgian territory. A ministerial decree implementing Article 126/3, § 1, of the ECA provides a list of judicial districts and police zones that are subject to the retention obligation, as well as the retention period. The retention period depends on the area (six, nine or twelve months).

    Data disclosure

    Operators must co-operate with judiciary authorities when it comes to data disclosure (Articles 46bis of the BCCP for identification data and 88bis of the BCCP for geolocation and traffic data).

    The public prosecutor and the examining magistrate may order operators to submit subscriber information such as the identification of the end user and the services used. (Article 46bis, §1 of the BCCP).

    In an extreme emergency, the public prosecutor and the examining magistrate can authorise this verbally. However, they must confirm it in writing as soon as possible afterwards (Articles 46bis, §1 and 56, §2 of the BCCP).

    An investigating judge may order operators to submit traffic and geolocation data related to electronic communications. They can only do this where there are serious indications that crimes are taking place which could result in a sentence of one year or more in prison, and where the examining magistrate believes it is necessary to get to the truth (Article 88bis of the BCCP).

    An investigating judge can issue a warrant for a remote search and seizure of a computer system that is not in the physical possession of the investigators but is reachable from a distance. This measure can also be executed across borders. (Article 88ter of the BCCP)

    Web blocking

    Article 39bis of the Belgian Code of Criminal Procedure sets out the rules for the quick seizure of stored computer data. It establishes the legal framework for the seizure and preservation of electronic data in cases where there is reasonable suspicion of a crime. This article is crucial for investigations involving digital evidence, as it ensures that relevant data can be secured before it is altered or deleted.

    The public prosecutor can through an order required operators to block access to particular unlawful sites, to stop damage caused by content published online.

    Orders often include additional obligations to redirect users to a specific URL or to remove the content. Under intellectual property law, the court can make an internet service provider carry out any measure necessary to stop the infringement of their copyright or associated rights.

    Internet service providers might also be required to block sites which carry child sexual abuse material, or promote terrorism, racial violence or hatred.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our next reporting.

  • Data disclosure: 0
    Blocking requests: 112
    Lawful interception: 0
    Number of websites required to be blocked: 6503

     2023202220212020
    Data Disclosure00240
    Blocking requests222445
    Lawful interception0000
    Number of websites required to be blocked309746138 

    We’ve been in Brazil for more than 20 years. We have around 160 employees there who support corporate networks, serving hundreds of organisations from the public and private sectors in various industries. We also have extensive terrestrial networks with several GPoPs and thousands of connections from strategic partners in collaboration to support BT Global Network.

    Lawful interception

    Under Law No. 9,296/1996 (called the ‘Wiretap Law’ from now on), a court can issue an order requiring a communications service provider to intercept traffic on its network. Only the police authority or the public prosecutor can request these in specific circumstances, for example as part of a criminal investigation or legal proceedings.

    Data Retention

    The Internet Law (Law No. 12,965/2014) requires communication service providers to keep internet connection logs for a year. The police, an administrative authority or public prosecutor can ask them to keep it for longer than a year. Retention is regulated by Presidential Decree 8,771 of 11 May 2016. Connection logs are defined by ANATEL as a set of information regarding the start and end date and time of an internet connection, its duration, and the IP address used by the terminal to send and receive data packets, among other elements that allow identification of the access terminal used.

    The Internet Law stops internet access providers from keeping users’ application logs. This means they can’t keep the content of internet activity or logs of which applications people have used. The Internet Law also separately provides that an internet access provider must keep its application access logs confidential for six months.

    Data disclosure

    Under Article 22 of the Internet Law, communications data can only be disclosed when requested by the police authority, the public prosecutor, other law enforcement agencies, or any other interested party. Data can be requested for evidence gathering in civil or criminal legal procedures and must be authorised by a court order.

    Web blocking

    There are restrictions to blocking, monitoring, filtering or analysing the contents of internet data packets that are consistent with the principle of net neutrality. While judges have the power to issue court orders requiring internet service providers to block access to illegal content, they usually prefer to order the party hosting the illegal content to remove it. Article 19 of Law No. 12,965/2014 requires that with the aim of ensuring freedom of expression and preventing censorship, the internet application provider can only be held civilly liable for damages resulting from content generated by third parties if, after a specific court order, it fails to take the necessary measures, within the scope and technical limits of its service and within the deadline set, to make the infringing content unavailable, except as otherwise provided by law.

  • Data disclosure: 0
    Blocking requests: 0
    Lawful interception: N/A
    Number of websites required to be blocked: 0

     20232022
    Data Disclosure00
    Blocking requests00
    Lawful interceptionN/AN/A
    Number of websites required to be blocked00

    In Canada, we provide various networked IT products including data, voice and internet services. We operate from our Toronto office and employ around 70 people.

    Lawful interception

    The Radiocommunication Regulations generally prohibit intercepting radio communications. But there are exceptions – for example, for emergencies, investigations by public officials, government spectrum management and communications service provider network security.

    There are several circumstances where interception is allowed under the Criminal Code (as amended by the Protecting Canadians from Online Crime Act in 2015). These are:

    • by getting both one of the communicating parties’ consent and a public officer’s order (a public officer can be a peace officer and any public officer responsible for law enforcement)
    • if an agent of the state believes there’s a risk of bodily harm to the person who consented to the interception under the previous point
    • with a formal warrant from a judge or an urgent warrant from a justice of the peace.

    In an urgent situation, where there are no other means available under the Code, interceptions can also be allowed to stop serious harm to people or property.

    The Canadian Security Intelligence Services Act establishes conditions where the Canadian Security Intelligence Service can get a warrant from a judge if there’s a threat to national security or to collect foreign intelligence.

    Part V.1 of the National Defence Act establishes the conditions under which the Communications Security Establishment of Canada can get approval from the minister of national defence to intercept private communications involving foreign entities outside Canada. This is allowed as long as there’s no other way to reasonably get the information, and provided that Canadians’ privacy interests are protected.

    Data Retention

    The Code can require communications interception over a period of time. A warrant or production order specifies the data to be kept, for example, transmission data or tracking data, and how long for. This is done on a case-by-case basis.

    Data disclosure

    Law enforcement authorities and the security services can require communication service providers to provide data in the same way as interception (see ‘Lawful interception’ above).

    Canada’s Competition Act allows the commissioner of competition to apply to a judge of a superior or county court for the disclosure of data. This disclosure is made according to the production order.

    Under the Competition Act, the commissioner can also get a search warrant, which might include the reproduction of data found on a computer system.

    Web blocking

    Superior courts have wide powers to grant blocking orders. Under the Child Pornography Reporting Act, internet service providers must notify authorities about any situations involving child sexual abuse material.

    The Quebec government had adopted a law (Bill 74) to compel communication service providers to block illegal gambling websites. In July 2018, the Superior Court of Quebec decided that this law was unconstitutional.  

  • Data disclosure: 0
    Blocking requests: N/A
    Lawful interception: N/A
    Number of websites required to be blocked: N/A

     20232022
    Data Disclosure00
    Blocking requestsN/AN/A
    Lawful interceptionN/AN/A
    Number of websites required to be blockedN/AN/A

    In Colombia, we provide a range of services including data and internet access. We employ around 100 people in our office in Bogota.

    Lawful interception

    Generally, intercepting communications can only take place through a judicial order that meets the criteria set out in relevant laws. But interception can also take place without a court order to allow interception for the purposes of a criminal investigation by the public prosecutor. This is allowed as long as the public prosecutor issues an order to the judicial police who’ll be in charge of the technical aspects of the relevant operation and processing. This exception is allowed under Law 1453/2011, which amends the Colombian Criminal Procedure Code, and Decree 1704/2012 (compiled in Decree 1078/2015).

    These orders last for 3 months. They can be extended if the public prosecutor decides there are still grounds for interception. Any extension must be examined and authorised by a judge (juez de control de garantías). The order must be issued during an ongoing investigation and with the purpose of finding evidence. Within 24 hours of getting a report from the judicial police, the public prosecutor must appear before the relevant judge to examine the legality of the interception operation.

    Interception for the purposes of intelligence and counterintelligence is allowed if certain conditions are met, under Law 1621/2013 (regulated by Decree 857/2014).

    The government carries out interceptions after the relevant communications service provider grants access. The provider doesn’t directly take part in any interception operations.

    Data Retention

    Generally, all information about a subscriber of a service must be kept for at least five years. Under the Commercial Code, all commercial documents and information must be kept for at least ten years.

    Decree 1704 states that communication service providers must keep certain subscriber data for five years. This data includes a subscriber’s ID, invoicing information and type of connection, for example voice or data. Under this Decree, the communications service provider should also give the Office of the Attorney General specific information, like zone/sector, signal strength and geographic coordinates that might help identify the terminal or devices used in a particular communication. Decree 1704 applies when there’s a judicial investigation (criminal prosecution) and the public prosecutor needs to have access to certain information as evidence.

    Communication service providers must give information to certain authorities about a subscriber’s communications’ activities under Law 1621/2013 (see ‘Data disclosure’ below). This information

    includes:

    • their technical identification data
    • the location of the cells where the relevant terminals are
    • any other information that might help identify where someone is.

    This law applies to all intelligence and counter-intelligence activity.

    Resolutions No. 912/2008 and 3066/2011 (as modified by Resolution 511/2017) require that communication service providers must keep certain subscriber information.

    Data disclosure

    Any government body which is responsible for law enforcement or prosecuting or investigating crime can ask for data disclosure. This includes the public prosecutor and other government agencies like tax authorities. There are also certain legal requirements which must be fulfilled.

    Under Law 1581/2012, personal information can only be provided to a public authority if the authority’s carrying out its duties or a judicial order has been issued.

    Web blocking

    Internet service providers can be asked to block access to internet sites or services either by a judicial order issued by a competent judge or public prosecutor, or by orders issued by administrative authorities with an investigative capacity (for example, the Superintendence of Industry and Commerce, the Banking Superintendence, the Ministry of Communications, and the Financial Analysis and Information Unit). Most web blocking requests in Colombia are to do with child sexual abuse content.

  • Data disclosure: 7
    Blocking requests: N/A
    Lawful interception: N/A
    Websites required to be blocked: N/A

     20232022
    Data Disclosure612
    Blocking requestsN/AN/A
    Lawful interceptionN/AN/A
    Number of websites required to be blockedN/AN/A

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our next reporting.

  • Data disclosure: 91
    Blocking requests: N/A
    Lawful interception: N/A
    Number of websites required to be blocked: N/A

     2023202220212020
    Data Disclosure69690*
    Blocking requestsN/AN/A00
    Lawful interception**N/A*
    Number of websites required to be blockedN/AN/A0 

     

    * Can't disclose

    We employ around 400 people across France one third of which are Security specialists. Our head office is in Paris. We provide services to large companies, including multinationals and multi-sites, which have complex communication and information system needs. In France, we support major companies in the finance, telecoms, industrial and services sectors by integrating, securing and managing network and cloud infrastructure and services.

    Lawful interception

    Interception can be required through administrative requests or judicial requests under French law.

    • According to the French Homeland Security Code (the CSI), the contents of a communication can only be intercepted for national security purposes – so that’s national defence, prevention of terrorism, prevention of organised crime and delinquency. To do this a minister in charge of homeland security, defence, justice, economy, budget or customs (or their delegate) must make an administrative request, which is then approved by the prime minister following an opinion from the National Intelligence Control Commission (CNCTR). If the situation is urgent, then it’s possible that the Commission is only informed of the interception.
    • Under the French Code of Criminal Procedure a judicial request for interception is needed for detecting or investigating cases of serious crime – for example, money laundering, organised gang crime or where the criminal penalty is three or more years in prison. Depending on the circumstances, an investigative judge, or a public prosecutor can authorise the request with written permission from the liberty and custody judge.

    Operators must put measures in place to comply with any requests.

    Data Retention

    Under the Postal and Electronic Communications Code, operators must keep data about voice and data services for up to a year. This includes subscriber information, names, addresses and communications data. It also includes passwords and payment information if the subscription is to online public communications. After the Digital Rights Ireland, Tele2Sverige AB and Watson cases, several associations asked the French Council of State to check if existing legislation governing data retention and administrative data access requests was legal. The claim wasn’t upheld.

    Data disclosure

    The Code of Criminal Procedure and other relevant legislation provides for the disclosure of communications data to judicial authorities, police officers, public prosecutors or an investigative judge. A judicial authorisation isn’t always needed.

    The protection authorities ARCOM (intellectual property) and ANSSI (information systems security) can also ask operators to give them data for investigations, findings and judicial proceedings related to:

    • copyright and related rights infringement
    • criminal offences
    • preventing unauthorised access to automated data processing systems.

    Under the French Homeland Security Code, the public service in charge of security interception (the Groupement Interministériel de Contrôle) can require that communication service providers give them data for security purposes. These requests must be approved by the prime minister or their delegate.

    Under Article L.65 quinquies of the Customs Code, French customs agents can require operators to give them data for customs investigations.

    Under Article L.96 G of the Tax Proceedings Code, French tax agents can require operators to give them data for tax investigations.

    Under Article L.114-19 of the Social Security Code, French social security agents (URSSAF) can require operators to give them data for social security investigations.

    Web blocking

    A judicial authority can make internet service providers block access to particular sites, to stop damage caused by content published online. And, under intellectual property law, the court can make an internet service provider carry out any measure necessary to stop the infringement of copyright or associated rights.

    The Central Office for Action to Fight against Crime related to Information Technology and Communication might also require internet service providers to block sites which carry child sexual abuse material, or promote terrorism, racial violence or hatred. A request to remove this type of material must first be made to the publisher of the website or the hosting service provider. If they don’t reply in 24 hours, the Central Office can ask an internet service provider to block the sites. French internet service providers have also been ordered to block access to pro-terrorism websites.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our next reporting.

  • Data disclosure requests: 4517
    Blocking requests: N/A
    Lawful interception: 5464
    Number of websites required to be blocked: N/A

     2023202220212020
    Data Disclosure37073740**
    Blocking requestsN/AN/AN/AN/A
    Lawful interception45775285**
    Number of websites required to be blockedN/AN/AN/AN/A

     

    * Federal Office publishes information

    We’ve been working in Germany for more than 20 years and provide global security, cloud, and network services to multinational companies.

    We run our own network infrastructure and data centre capacity in Germany which provide IT services and connections to our international IP network. We have two offices in Germany and around 300 employees.

    Lawful interception

    The German Telecommunications Act (TKG) allows intelligence and law enforcement agencies to intercept communications, subject to limitations set out in the German Constitution (GG).

    The right to privacy of telecommunications is protected under Article 10 GG. Interception is authorised by a court order, which authorities must get beforehand, and must also meet certain requirements – for example, if someone’s committed or tried to commit a serious crime, or if there’s an imminent risk of a major attack on public security, like a terrorist attack. The legal bases for these court orders are in both federal law (especially section 100e of the German Criminal Procedure Code and section 23a of the German Customs Investigations Act) and in various regional acts on police powers to safeguard public security.

    The Criminal Procedure Code (StPO) allows the public prosecutor’s office to issue an interception order in an urgent situation, which the competent court must confirm within three working days (section 100e (1) of the Criminal Procedure Code). The Federal Criminal Police Office Act also allows the president of the Federal Criminal Police Office to grant an interception order, as long as they then get judicial approval.

    As well as this, the Law on the Restriction of Privacy of Correspondence, Post and Telecommunications (the ‘G-10Law’) allows the intelligence services to intercept a person’s communications without a court order. This can happen if they are suspicious that this person has committed certain offences which, among other things, endanger national security (section 1(1) no.1 and section 3 of the G-10 Law). The federal ministry of the interior must order any interception activities requested by federal intelligence services (section 10 of the G-10 Law) and the G-10 Commission must approve these in advance (section 15(5) of the G-10 Law).

    The exception is for situations where danger is imminent – in this case subsequent approval is enough (section 15(6) of the G-10 Law). The competent supreme authority of the state is responsible for orders for interception by state intelligence services (section 10 of the G-10 Law). The provisions for approving these measures must be set out in the respective state law (section 16 of the G-10 Law).

    The G-10 Law also allows German intelligence services to carry out untargeted interception in certain circumstances – that is intercepting certain geographic regions, rather than a specific individual suspect. This is allowed when interception is to stop:

    • armed attacks, including terrorist attacks, on Germany
    • certain serious crimes, including international drugs trafficking and money laundering (section 5 of the G-10 Law)
    • danger to the life or wellbeing of an individual who is abroad, where this danger directly affects the interests of Germany (section 8 of the G-10 Law).

    An authorised court order isn’t needed for this but the federal ministry of the interior must set the geographic parameters of the untargeted interception. The Parliamentary Control Panel must also approve this in advance, unless there is imminent danger, in which case subsequent approval is enough (section 14(2) of the G-10 Law).

    Anyone providing publicly available telecommunications services to more than 10,000 subscribers must install a surveillance system which complies with technical requirements set out in the German Telecommunications Surveillance Directive. Communication service providers can choose to carry out legal interception in house or delegate it to agents. Communication service providers, or their agents, must always be available for requests by digital means only and process them without undue delay.

    Data disclosure

    Under the Telecommunications Act, data can only be disclosed if the requesting party is legally authorised, and the disclosing party is legally authorised to disclose the data.

    The main avenue for disclosure of subscriber data is an automated procedure under which the German Federal Network Agency is tasked with retrieving data and forwarding it to the public authority that has asked for it (e.g. the police). This means that communication service providers must store all subscriber data on a server that the German Federal Networks Agency can always access (section 173 of the Telecommunications Act). A prior judicial order isn’t needed for the disclosure of subscriber data (i.e. not traffic or content data). If the automated procedure doesn’t deliver the right results, public authorities can also ask communication service providers directly for so called manual disclosure of subscriber data (section 174 of the Telecommunications Act). Communication service providers can choose to keep these subscriber files in-house or pass this on to a third-party supplier.

    By contrast, in general, disclosure of traffic data does need a prior judicial order, usually requested by the public prosecutor’s office (sections 100e and 100a of the German Criminal Procedure Code). If the situation is urgent, the public prosecutor’s office can issue a disclosure order, as long as it’s ratified by a competent court within three working days (sections 100e and 101a of the Criminal Procedure Code). Competent authorities can order disclosure of traffic data obtained as part of any interception activities carried out under the G-10 Law (see ‘Lawful interception’ above) without a court order, as long as the disclosure serves specific purposes (e.g. where they need it to stop a serious crime) (section 4(4) of the G-10 Law).

    Web blocking

    Under the German Interstate Treaty on Broadcasting and Telemedia (MStV) and the Telemedia Act (TMG), internet service providers can be required by court order to block access to sites containing illegal content. This blocking authority serves as a mechanism to prevent access to websites that violate German law.

    The Interstate Treaty on the Protection of Minors in the Media (JMStV) establishes obligations primarily for content providers rather than internet service providers. Under this framework ISPs are not generally required to actively monitor or check content for child appropriateness.

    Under current statutory law and court decisions, access providers can be held liable for failing to block access to websites containing illegal content, particularly content that infringes intellectual property rights. However, blocking is considered the last resort ("ultima ratio").

    While German courts retain the authority to order website blocking for illegal content, current law emphasises that such measures should only be used as a last resort after rights holders have pursued reasonable direct action against content providers. Recent court decisions have further narrowed the circumstances under which ISPs can be compelled to implement blocking measures, with the focus shifting towards contend removal and platform-specific obligations rather than broad ISP blocking requirements.

    The Network Enforcement Act (NetzDG) requires social media platforms with over 2 million users to remove illegal content, including hate speech, within specific timeframes or face substantial fines.

    Digital Services Act

    The Digital Services Act (DSA), effective since February 2024, introduces new requirements for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking.

  • Data disclosure: 0
    Blocking requests: N/A
    Lawful interception: N/A
    Number of websites required to be blocked: N/A

     20232022
    Data Disclosure00
    Blocking requestsN/AN/A
    Lawful interceptionN/AN/A
    Number of websites required to be blockedN/AN/A

    We have a long history of operating and investing in India, having started in 1987. With headquarters in New Delhi, BT India has operations in six key cities: New Delhi, Bangalore, Mumbai, Pune, Kolkata and Chennai. We started our commercial operations in 2007 when we got a licence to operate international and national long distance services.

    Our main delivery hub is based in Gurgaon, New Delhi. It covers all our lines of businesses and customers, from UK consumers to large multinational businesses. It’s also the largest BT building in the world, with almost 5,000 people working there.

    Lawful interception

    Interception, monitoring and collection of any information (including traffic data) are governed by:

    • the Information Technology Act 2000 (the ‘IT Act’)
    • the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009
    • the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules 2009.

    (Collectively, these are called the ‘IT Rules’.)

    ‘Information’ is broadly defined as including data, text, images, sound, voice, codes, computer programs, software and databases, microfilm and computer-generated microfiche.

    The Indian Telegraph Act 1885 and the Indian Telegraph Rules 1951 (the ‘Telegraph Laws’) regulate the monitoring of messages. This is again broadly defined to include any communication sent by telegraph or given to a telegraph officer to be sent or delivered.

    The terms ‘information’ and ‘messages’ are collectively referred to as ‘communications’. The IT Act, IT Rules and Telegraph Laws are collectively referred to as the ‘Data Interception Laws’.

    The telecom licence agreements we’ve entered into with the Indian Department of Telecommunications (the ‘Licence Agreements’) also allow certain government agencies (the ‘Monitoring Agencies’) to monitor communications traffic on a communications service provider’s network.

    Typically, an authorised government agency will serve a communications service provider with an order to intercept communications. This must be issued by a competent authority under the Data Interception Laws. Competent authorities include the secretary to the government of India in the Ministry of Home Affairs, the secretary in charge of the Home Department and the secretary to the government of India in the Department of Information Technology under the Ministry of Communications and Information Technology.

    The interception regime in India is evolving. Since October 2014, the government has required all communication service providers to connect their networks to a centralised monitoring system (CMS) under the terms of the Licence Agreements.

    The CMS was set up by the government to allow certain law enforcement agencies to intercept and monitor mobile and landbased telecommunications and internet-based traffic in India in real-time. This includes all communications. The CMS allows authorised law enforcement agencies to remotely access a communications service provider’s network at any time without the provider knowing about this.

    Data Retention

    The Data Interception Laws govern the retention of intercepted and monitored communications. An authorised government agency can compel a communications service provider to keep communications through an order from the competent authority. Under the Licence Agreements, communication service providers must keep records of all communications exchanged on their network for one year. This can include detailed call logs showing dates, and duration and time of each call. Relevant authorities can require that this data is kept for longer periods of time.

    Data disclosure

    The Data Interception Laws also govern the disclosure of intercepted or monitored communications. An order from the competent authority directing a communications service provider to intercept or monitor communications can also ask for their disclosure. The Monitoring Agencies are also allowed to access the communication records maintained by the communications service provider under the terms of the Licence Agreements.

    Web blocking

    BT India’s operations don’t control access to the internet or information held on it. And we don’t do any form of web blocking.

  • Data disclosure: 2083
    Blocking requests: 150
    Lawful interception: 1279
    Websites required to be blocked: 1136

     2023202220212020
    Data Disclosure189521342362*
    Blocking requests1431391580
    Lawful interception11441106**
    Number of websites required to be blocked98515071718 

    * The Ministry of Justice publishes this information

    BT Italia was formed after we acquired Albacom in 1995. We changed its name to BT Italia in 2006. Our head office is in Milan and we employ over 700 staff nationwide.

    In Italy, we operate a 9,800-kilometre long haul fibre optic infrastructure which connects the domestic PoPs, nationwide spread, and GPoPs, running global MPLS. We also locally serve BT’s global multinational customers and some of the major Italian financial services firms, utilities, fashion, retail and manufacturing companies, providing them networking, cloud and security solutions.

    Lawful interception

    There are a number of laws which govern interception and surveillance in Italy. The Code of Criminal Procedure allows a public prosecutor to ask a judge to authorise all forms of interception of communications in criminal cases, provided that it meets certain statutory conditions. In particular, interception is only permitted if there’s strong evidence that serious crimes are taking place – for example crimes punishable by at least five years in prison, drug or weapon trafficking, or child sexual abuse. Interception of communications can also only be permitted if it’s absolutely necessary for the purposes of the investigation.

    The authorisation issued by a judge is valid for 15 days, or 40 days in cases about the prosecution of organised crime. This can be extended for another 15 days at a time, or 20 days in cases of organised crime. If it’s urgent and a delay could seriously prejudice an investigation, the public prosecutor can order interception without judicial authorisation, as long as the order is immediately (at least within 24 hours) communicated to a judge. The judge has to decide whether to confirm or revoke the order within 48 hours. If they don’t confirm this within 48 hours, the interception is stopped and any data collected can’t be used.

    Under the Implementation Rules of the Code of Criminal Procedure, the Italian Home Office or senior officers of the main Italian police forces can ask the public prosecutor to authorise an interception to stop terrorism or organised crime. The prime minister or the directors of the secret services empowered by the prime minister can also make the same request, permitted by Law Decree no.144.

    As a general rule, interception must be carried out using equipment installed at the public prosecutor’s office dealing with the investigation. But if it’s urgent and the equipment doesn’t work properly or isn’t right, the public prosecutor can issue a reasoned order authorising the interception to be carried out using the equipment of the judicial police. When intercepting electronic communications like emails, the public prosecutor can order that the operation is made through equipment owned by private entities or individuals.

    The Italian rules around lawful interception were recently amended by Legislative Decree no.216 of 29 December 2017. This modified some rules of the Italian Code of Criminal Procedure, extending obligations of confidentiality for intercepted communications. In particular, the new rules provide that intercepted communications – and, when relevant, their transcriptions – must be stored at the public prosecutor’s office. Only the preliminary investigations judge, the lawyers of the relevant parties and other authorised roles (for example court officers) can access these. As well as this, the Legislative Decree reinforces the protection of private conversations between an accused person and their lawyer. If the lawyer asks, interceptions that aren’t relevant to a trial (including those containing sensitive data) must be destroyed.

    Data Retention

    Data retention requirements for preventing and punishing crime were originally contained in the Data Protection Code. This required telephone traffic data to be kept for 24 months and internet traffic data for 12 months (Article 132 of Data Protection Code).

    Following the judgment in Digital Rights Ireland, which invalidated the underlying EU Data Retention Directive, Italy introduced an anti-terrorism law. This required all telephone and telematics data kept and collected on 21 April 2015 to be retained until 30 June 2017. This law then expired, which meant the general data retention rule under the Data Protection Code applied again. No specific government order is required for these general obligations.

    Recently, Law 167/2017 provided a new exemption from the data retention requirements of the Data Protection Code. Under Article 24 of Law 167/2017, telephony and telematics traffic data can be kept for 72 months where necessary to stop certain types of serious crimes, for example terrorism or organised crime.

    The law doesn’t provide a way to target specific individuals, whose data should be kept on the basis that there is objective evidence showing links to the planning or commission of serious crimes. In practice it is likely that those people will only be able to be identified afterwards, for example, by the public prosecutor when they start an investigation into the serious crime. 

    Data disclosure

    The disclosure of retained data is mainly governed by the Electronic Communications Code and the Data Protection Code. In general, the competent judicial authority can request that communication service providers provide data for the purposes of justice, with a detailed order referring to the criminal proceedings concerned and outlining the specific data required. The obligation of a communications service provider to comply is set out in Article 96 of the Electronic Communications Code.

    Under Article 132 of the Data Protection Code, the public prosecutor, a person accused of a crime or their counsel can ask for retained data to be disclosed during the relevant retention periods.

    Under Article 55 of the Electronic Communications Code, a judicial authority can also access, for purposes of justice, data held by the Home Office. Each communications service provider will have passed this data to the Home Office about their own subscribers.

    Under Article 226 of the Implementation Rules of the Code of Criminal Procedure, the public prosecutor, the Home Office, directors of the national secret services or senior police officers can request data disclosure in terrorism or organised cases.

    Communication service providers must disclose any requested information and grant access to their databases to the Italian secret services for national cyber-security reasons. This is under Act No.124 of 23 August 2007 and the Decree of the Prime Minister No.110835 of 17 February 2017.

    Web blocking

    Either a judicial authority (in criminal or civil proceedings) or a competent independent supervisory administrative authority (for specific crimes) can require a communications service provider to block access to internet sites or services.

    The National Centre Against Child Pornography Centre, established by the Home Office, publishes a list of sites containing child abuse material. Internet service providers must block these within six hours of getting the list, which is continuously updated. Internet service providers must also tell the Centre if they become aware of any of this content. They must also block any material if a judicial authority orders them to for a criminal investigation.

    There are also regulations which require internet service providers to block access to copyright infringing material if the Italian Communications Authority orders it. This can include removing single instances of copyright infringing material where the internet service provider hosts the material, or blocking access in the case of a serious infringement, including where the material’s on a website hosted in Italy.

    Law 167/2017 requires the Authority to issue a new regulation which governs cases of online copyright infringement, specifically to include interim injunctions that rights holders can apply for from the Authority. This new regulation will, among other things, provide an appeal mechanism against the Authority’s decisions as well as appropriate measures to make sure violations aren’t repeated. So far this regulation hasn’t been adopted.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking.

  • Data disclosure: 1
    Blocking requests: N/A
    Lawful interception: N/A
    Websites required to be blocked: N/A

     2023202220212020
    Data Disclosure1402
    Blocking requestsN/AN/AN/A0
    Lawful interceptionN/AN/AN/AN/A
    Number of websites required to be blockedN/AN/AN/A 

    We were one of the earliest entrants in Japan's telecommunications market after it was opened to foreign operators in 1985. With offices in Tokyo, we provide data, voice and security services to hundreds of Japanese and international customers from three highly redundant main POPs and 10 associated POPs across the country.

    Lawful interception

    Under the Act on Wiretapping for Criminal Investigation, a district court judge can issue a warrant to competent investigation authorities who are investigating crime to intercept communications. Communication service providers must cooperate fully with investigation authorities.

    There isn’t a law in Japan which justifies interception for state security.

    Data Retention

    There aren’t any general requirements for communication service providers to keep data. But the Code of Criminal Procedure allows competent investigation authorities to order a provider to keep a history of communications relating to criminal investigations for up to 60 days, on a case-by-case basis. 

    Data disclosure

    The Code of Criminal Procedure also allows the competent investigation authorities to carry out searches or seize electromagnetic records. This includes communication histories, like names and dates and times. They can do this to investigate an offence, and a judge must issue a warrant.

    Web blocking

    There aren’t any legal requirements to block access to internet content in Japan.

    Some legislation requires internet service providers to make an effort to co-operate with investigating agencies or take action to stop people sending information about child sexual abuse material, or hacking websites. One way this is done is by actively managing passwords. These actions are on a best-efforts basis. But there are also efforts in both the public sector (by the Ministry of Internal Affairs and Communications) and the private sector (by the Internet Content Safety Association) to identify and filter inappropriate content like child sexual abuse materials.

  • Data disclosure: 12
    Blocking requests: N/A
    Lawful interception: Can’t disclose
    Websites required to be blocked: N/A

     2023202220212020
    Data Disclosure2516**
    Blocking requestsN/AN/AN/A0
    Lawful interception****
    Number of websites required to be blockedN/AN/AN/A 

    * See information published by the Ministry of Justice

    Our office in the Netherlands is in Amsterdam where we employ over 200 people.  We provide services to multinational organisations and international public sector customers with complex communications and information system requirements. As part of BT International we specialise in connectivity and voice services, managed IT services, multi cloud and infrastructure services.

    The legislation for legal interception, data disclosure, data retention is primarily governed by the Dutch Telecommunications Act, the Dutch Code of Criminal Procedure and the Dutch Intelligence and Security Services Act 2017.

    Lawful interception

    Under Chapter 13 of the Dutch Telecommunications Act providers of public telecommunications networks and services are required to provide a permanent capability for interception and to co-operate with judiciary authorities when it comes to lawful interception. The powers of the Dutch judiciary authorities to intercept communication for law enforcement purposes are laid down in Art. 126m-126nb of the Dutch Code of Criminal Procedure.

    Under Art. 126m of the Code of Criminal Procedure, the public prosecutor can order officers charged with an investigation – for example, the police – to carry out an interception of communication. Such an order can only be given in case of a suspicion of a crime which constitutes a serious breach of the legal order as defined in Art. 67 section 1 of the Dutch Criminal Code, if the interception is urgently needed for the investigation and following a written court order. 

    When the order relates to communication over a public telecommunications network or using a public telecommunications service, the public prosecutor must issue a formal request to the telecommunications service provider to assist with the interception activities, unless this is not possible or not in the interest of the investigation to ask for this cooperation. The telecommunications service provider must comply.

    Art. 126t and Art. 126zg of the Dutch Code of Criminal Procedure provide for similar powers in case of organised crime or indications of a terrorist crime.

    Under the Dutch Intelligence and Security Services Act 2017 the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) may carry out targeted interception, recording and tapping of any form of conversation or electronic communication by means of a telephone or internet tap. They are also allowed to carry out untargeted or bulk interception of electronic communication, subsequently determining its nature, determining or verifying the persons or organisations involved, and applying automated data analysis to the metadata and selectively selecting the content data for further analysis. Operators must help them do this – for example, by decrypting encrypted data.

    Data Retention

    Art. 13.2a of the Dutch Telecommunication Act contains a data retention obligation for providers of public telecommunication networks and/or services to the extent the data – as specified in an annex to the Act - are generated or processed in the context of the networks or services offered, and for the purpose of investigating, detecting and prosecuting serious crimes. This data must be retained for a period of:

    a.           twelve (12) months for data relating to fixed or mobile telephone networks; and

    b.           six (6) months for data relating to internet access, internet e-mail and internet telephony calculated from the date of the communication.

    Data disclosure

    The Code of Criminal Procedure and the Dutch Intelligence and Security Services Act 2017 allow the public prosecutor, the AIVD, the MIVD and, in some cases, officers in charge of an investigation to request providers of telecommunication services to provide communications meta data and/or data concerning the subscriber or users of the service.

    Web blocking

    There is no general or specific law that makes web blocking mandatory, but there are specific situations in which certain forms of web blocking may be applied. It is rather an instrument that can be applied in specific situations, for example based on a breach of code of conduct or breach of an agreement concluded between governmental institutions, special interest groups and internet operators. On the basis of a court order a website can be blocked, or unlawful content can be removed, or to provide identifying information.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our next reporting.

  • Data disclosure: 6
    Blocking requests: N/A
    Lawful interception: N/A
    Websites required to be blocked: N/A

     20232022
    Data Disclosure018
    Blocking requestsN/AN/A
    Lawful interceptionN/AN/A
    Number of websites required to be blockedN/AN/A

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our next reporting.

  • Data disclosure: 67
    Blocking requests: N/A
    Lawful interception: 0
    Websites required to be blocked: N/A

     2023202220212020
    Data Disclosure52175**
    Blocking requestsN/AN/AN/A0
    Lawful interception00**
    Number of websites required to be blockedN/AN/AN/A 

    * Can't disclose

    BT Ireland provides data, voice and internet services to government and major businesses in the Republic of Ireland. We also provide wholesale network services, supplying telecommunications products and services to key communications providers.

    Until 2009, BT Ireland also provided voice and internet services to consumers and small businesses. Most of these customers were transferred to Vodafone via a wholesale agreement. But we still provide services to a small number of consumers and small businesses on our dial-up internet service.

    Lawful interception

    Historically, the Postal and Telecommunications Services Act 1983 (as amended by the Postal Packets and Telecommunications Messages (Regulation) Act 1993) was taken to mean that a communications service provider must intercept any form of communications, including post, phone and email. These had to be issued with a written authorisation by the minister for communications or the minister for justice.

    But in 2016 the Irish Department of Justice stated publicly that it doesn’t interpret the 1993 Act as giving a lawful basis for intercepting email communications. They laid this out in a policy document called ‘Amendments to the legislative basis for the lawful interception of communications’, in November 2016.

    Under the Criminal Justice (Surveillance) Act 2009, senior law enforcement officers can apply to a district court for a court order to allow interception in specific circumstances in criminal investigations.

    A High Court judge is designated to review the use of powers under both the Postal and Telecommunications Services Act 1983, the Postal Packets and Telecommunications Messages (Regulation) Act 1993 and the Criminal Justice (Surveillance) Act 2009.

    Data Retention

    The previous law relating to the retention of data in Ireland, the Communications (Retention of Data) Act was subject to a legal challenge in the Irish High Court. This led to a referral to the CJEU, which found that the Data Retention Directive (Directive 2006/24/EC) wasn’t valid (see the case Digital Rights Ireland v Minister for Communications and Others, joined cases C-293/12 and C-514/2). A later challenge to the Act was brought in the case of Dwyer v Commissioner of An Garda Síochána & Others 2015/351 P.

    In response to these challenges, the Irish government passed the Communications (Retention of Data) (Amendment) Act 2022, parts of which came into force on 26 June 2023. Under the new law, general and indiscriminate retention of communications traffic and location data are only allowed on national security grounds and require approval by a designated judge.

    The new law requires user data and internet source data to be retained for a period of 12 months, for various purposes including combating crime, safeguarding State security, protecting the life and safety of persons, or locating missing persons. General and indiscriminate retention of communications traffic and location data is only permitted for national security purposes, subject to judicial approval by a designated judge. The law also makes provision for Preservation Orders and Production Orders which may be obtained by an Garda Síochána, the Defence Forces, the Revenue Commissioners or the Competition and Consumer Protection Commission.

    Data disclosure

    The Retention Act gives specified senior law enforcement officers (including the revenue commissioners, Competition and Consumer Protection Commission and the Garda Síochána Ombudsman Commission), military officers and judges power to order communication service providers to disclose data for certain purposes (for example, to safeguard security or prevent a serious offence). Disclosure requests must be made in writing, unless they’re urgent, in which case they can be made verbally.

    Other law enforcement agencies can get search warrants under a wide range of legislation, like the Criminal Justice Acts, the Competition and Consumer Protection Act 2014, the Companies Act and the Taxes Consolidation Act 1997. Search warrants that mean a communications service provider must provide copies of retained data can be issued by a district court judge or a peace commissioner.

    Web blocking

    A copyright holder can apply to the Irish High Court to grant an injunction requiring internet service providers to block specific IP addresses which are infringing copyright. This is allowed under the Copyright & Related Rights Act 2000 (as amended by the European Union (Copyright and Related Rights) Regulations 2012).

    In 2016, the Irish Court of Appeal affirmed the power of the High Court to order non-infringing internet service providers to put a graduated response system in place for customers who infringe copyright under the Copyright & Related Rights Act 2000 (see the case Sony Music Entertainment (Ireland) Ltd & Others v UPC Communications Ireland Ltd [2016] IECA 231). We aren’t aware of any further orders being granted by the High Court. But it is possible they have been granted but not publicised.

    BT Ireland is a member of the Internet Service Providers Association of Ireland (ISPAI). Their code of practice requires members to comply with notices from www.hotline.ie that ask for potentially illegal material to be removed from websites or newsgroups hosted by members, as long as it is technically practical to do that.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our next reporting.

  • Data disclosure: 43
    Blocking requests: 119
    Lawful interception: 0
    Websites required to be blocked: 155

     2023202220212020
    Data Disclosure2218547
    Blocking requests41343239
    Lawful interception0001
    Number of websites required to be blocked1005774 

    We have provided services in Spain for 25 years. Our headquarters are in Madrid and we employ around 220 people.

    Lawful interception

    Interception powers are governed by the Criminal Procedure Act, which was approved by Royal Decree of 14 September 1882, as amended by Act 13/2015 of 5 October 2015. A competent court can order communications to be intercepted if the judicial police, the intelligence agencies or the customs agencies ask them to, and it is for a criminal investigation about certain serious offences – for example organised crime or terrorism.

    In urgent cases, and where an investigation is being carried out into crimes by armed gangs or terrorists, the ministry of Home Affairs, or the secretary of state for security, can order the interception of communications. The courts must review and confirm or revoke the order within 72 hours.

    Requests for interception must be based on objective evidence that they’ll help verify facts or circumstances that are relevant to a criminal investigation.

    Under the Organic Act 2/2002, the Supreme Court can authorise the secretary of state for directorship of the National Intelligence Centre to adopt measures that might affect the secrecy of communications, including intercepting them. This is as long as these measures are necessary to perform the tasks assigned to the NIC – for example to protect national security and prevent crime.

    Under Law 9/2014 of the General Telecommunications and the Royal Decree 424/2005, a communications service provider must intercept communications when asked by a court or the NIC. So communication service providers must maintain a permanent technical interface for this purpose, based on government technical specifications. They must use this to transfer intercepted information to interception reception centres, where authorities can access it.

    Data Retention

    Data retention is governed by Law 25/2007 on retention of data related to electronic communications and public communication networks.

    Operators that provide publicly available electronic communications services or operate public communications networks must keep traffic data about voice services, including fixed and mobile, and internet services for 12 months. Communication service providers and internet service providers must keep data for crime-fighting purposes, even if a specific order hasn’t been issued. This period can be reduced to six months or extended up to two years by the government, after consulting with the communication service providers, and depending on the data in question.

    Law 25/2007 expressly states that content data can’t be retained.

    Data disclosure

    Law 25/2007 allows authorised agents to ask for data for detecting, investigating or prosecuting serious criminal offences. These agencies include members of the state security forces, Customs Surveillance Directorate or agents from the National Intelligence Centre, who must get an order from the competent court. Data disclosure is also regulated by Act 13/2015, which modifies the Criminal Procedure Act.

    Web blocking

    Under Act 34/2002 on Information Society Services and Electronic Commerce, authorities can block access to a website if it infringes certain principles of public policy and human dignity, including intellectual property rights and the protection of children. In certain cases – for example if the measure to be adopted might affect fundamental rights like freedom of speech or right to information – the competent court must authorise the web blocking.

    Any provider of information services, including internet service providers, must co-operate with authorities when it comes to blocking internet sites.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our next reporting.

  • Data disclosure: 0
    Blocking requests: N/A
    Lawful interception: 0
    Websites required to be blocked: N/A

     20232022
    Data Disclosure03
    Blocking requestsN/AN/A
    Lawful interception00
    Number of websites required to be blockedN/AN/A

    BT Nordics Sweden AB, based in Stockholm, is part of BT International and operates across the Nordics where it supports local operations of global multinationals as well as locally based multinationals.

    Legal Interception

    In Sweden, lawful interception of communications is permitted under specific legal frameworks, primarily the Act on Secret Surveillance in Criminal Investigations (LSI), the Electronic Communications Act (ECA).  These regulations outline the conditions under which law enforcement agencies can intercept communications, the types of crimes for which it is authorised, and the supervising mechanisms in place.  Interception is primarily allowed in investigations of serious crimes, as defined in chapter 27, section 18 of the LSI, and must be of exceptional importance for the investigation.  The decision to intercept communications requires careful consideration and is not granted lightly. There are specific criteria and procedures outlined in the legislation.

    Data Disclosure

    Pursuant to the Swedish Act on Retention and Access to Electronic Communications Data (SECA) retained data may be accessed with legal basis described in SECA 9:33, the RB 27:19; or EIA (lag 2012: 278). SECA 9:33 applies to providers of electronic communications networks or services. The provision must be read in conjunction with the following:

    • SECA 9:31, laying down the duty of confidentiality in respect of subscriber data, the content of the communication, and data related to the communication.  The data necessary to disclose the providers involved in the transmission of the message, shall be disclosed to the public authority who ordered that the data be preserved. The same must apply if the data have also been retained.
    • RB 27:19, which concerns “secret surveillance”, i.e. the secret collection of data related to electronic messages under transmission or that have been transmitted to or from a telephone number or other address, data disclosing the electronic communications equipment that have been present in a specific geographic area, or data disclosing in which geographic area a specific electronic communications equipment is or has been located. Retained data of the kind mentioned above may be disclosed to the police in the investigation of an offence (including attempt and preparatory acts). 
    • The Electronic Intelligence Act (EIA) which provides for the collection of the same data as mentioned in RB 27:19 when necessary for intelligence activities aimed at preventing, intervening against, or uncovering criminal activities as further specified in that act. The reference to the EIA in SECA 9:21 entails that retained data may be accessed for intelligence purposes. The activity must concern an offence with a prescribed penalty of imprisonment for at least 2 years or other offences as specified in EIA § 2. The authorities that may access retained data for intelligence purposes are the Police Authority, the Police Security Service, and the Customs Authority.

    Data Retention

    The data retention provisions are laid down in the Swedish Act on Retention and Access to Electronic Communications Data (SECA).  The data to be registered and stored are broadly specified in SECA 9:19, which specifies that the data are necessary to trace and identify the source of the communication, the final destination of the communication, date, time, and duration of the communication, type of communication, communication equipment, as well as the location of mobile communication devices at the time of the communications’ beginning and end. The data are described in more detail in the Government Regulation on Electronic Communications (2022:511) 9:7 and 9:8.

    The storage period is set out in SECA 9:22:

    • Data related to telephony or the processing of messages through a mobile termination point: 6 months. However, location data may be stored for 2 months only.
    • Data related to internet access shall be stored for 10 months. However, data that identify the equipment that finally secludes the communication from the service provider to the subscriber shall be stored only for 6 months.
    • The storage period commences on the date when the communication ended.
    • The data shall be deleted upon expiration of the storage period. Exceptions exist in respect of data access based on SECA 9:33 first para point 2 and 5 (access to subscriber data); RB 27:19 (secret surveillance in the investigation of serious crime); EIA lag 2012: 278 (secret surveillance in intelligence activities); or where the data are subject to a preservation order as per RB 27:16.  In such case, the provider shall continue to store the data until it has been disclosed as per the request or the preservation period has expired, following which the data must immediately be deleted.

    Moreover, in 2025 draft legislation is being considered to amend and extend the data retention period in SECA up to one or two years for purposes of protecting national security and to combat serious crimes.

    Digital Services Act

    The Digital Services Act (DSA) came into force on November 16, 2022, with most obligations applying from February 17, 2024. It introduces a new legal framework for digital services within the EU, including requirements on hosting providers for blocking content and reporting on such blocking. Where the DSA is applicable to BT services, and to the extent that any such requests have been received, this reporting will be included in our next reporting.

  • Data disclosure: 338
    Blocking requests: N/A
    Lawful interception: N/A
    Websites required to be blocked: N/A

     2023202220212020
    Data Disclosure300145730
    Blocking requestsN/AN/AN/A39
    Lawful interception*****
    Number of websites required to be blocked********

    * Can't disclose
    ** We block websites as mandated in two online lists published by the gambling authorities.

    In Switzerland, we provide various networked IT services including data, voice and internet services. We have operated in Switzerland since 1992. Our headquarters are in Zurich-Wallisellen and we have offices in Berne, Basel and Geneva, which employ more than 200 people.

    Lawful interception

    The revised Postal and Telecommunications Surveillance Act, along with the Federal Act on International Judicial Assistance in Criminal Matters, allow certain law enforcement authorities to carry out surveillance of telecommunications networks. They need communication service providers to provide access to their premises and systems for real time and retroactive surveillance. Other providers and company network and public access point operators must also provide access. Authorities can ask for surveillance:

    • in criminal proceedings
    • to search for missing people or for people who have to serve a custodial sentence
    • to provide international legal assistance
    • as required under the Federal Intelligence Service Act (see below).

    Law enforcement authorities must get court approval for surveillance requests. The Surveillance Office runs a centralised data processing system. Surveillance data collected from communications service providers goes through this database. The Surveillance Office can then give it to the authority who has asked for it. While communication service providers have only very limited rights to challenge surveillance requests, people who are the target of the surveillance can challenge them.

    The Federal Intelligence Service Act allows the Federal Intelligence Service to ask for help from communication service providers for interception activities. It’s possible for a private operator to challenge these requests under Federal Intelligence Service Act in the Federal Administrative Court.

    In exceptional circumstances, like an emergency or when national interests or security are at risk, the Federal Telecommunications Act allows the Federal Council or the Federal Department on the Environment, Transport, Energy and Communications to order communication services to be intercepted, limited or interrupted.

    Data Retention

    Under the Postal and Telecommunications Surveillance Act, communication service providers must keep certain information about users for the length of their contractual relationship, and then for six months after this ends. It also requires communication service providers to keep certain identification, traffic and marginal communications data for six months.

    Data disclosure

    Communication service providers must keep their users’ communications confidential. But if the Surveillance Office asks for them, they must give them the data.

    Web blocking

    At the moment there are no laws specifically regulating website blocking in Switzerland. But these requirements might arise either to limit our own potential liability for contributing to the distribution of unlawful content, or where courts order certain unlawful content (like copyright infringing material or illegal pornography) be blocked.

     

  • Data disclosure: 5
    Blocking requests: N/A 
    Lawful interception: 0
    Websites required to be blocked: N/A

     2023202220212020
    Data Disclosure03**
    Blocking requestsN/AN/A00
    Lawful interception****
    Number of websites required to be blockedN/AN/AN/AN/A

    * Can't disclose

    We employ more approximately 700 people and have offices in 5 cities across the US.

    We own and operate our own network infrastructure in North America. This includes nationwide coverage in all major US cities, making ours one of the largest networks of this type in the region. Around half of our top 2,000 customers operate in North America, which is why we have such a large presence here.

    Lawful interception

    There are separate laws for law enforcement access to communications data and access for national security and intelligence purposes.

    Under the Wiretap Act, a federal or authorised state judge can issue a wiretap order that allows law enforcement agencies to intercept oral, wire or electronic communications. The application must meet certain conditions, which include probable cause that the interception will reveal a federal crime.

    A court can also issue a pen/trap order, which is authorised by the Pen/Trap Statute, as long as an executive officer provides the required certification. The order can be used to get dialling, routing, addressing or signalling information, but not the contents of a communication.

    The Foreign Intelligence Surveillance Act allows the Foreign Intelligence Surveillance Court to authorise a federal officer to conduct certain surveillance if there’s probable cause that the target is a foreign power or an agent of one (among other requirements). In an emergency, the Attorney General can authorise the order to get foreign intelligence information, but they must also inform a judge and apply for an order in the usual way within seven days.

    The Attorney General can also authorise interception without a court order under the Attorney General Foreign Intelligence Surveillance Act directive. This allows an interception for up to one year if it only targets communications between foreign powers, and if other conditions around the impact on US citizens are met.

    The Foreign Intelligence Surveillance Act also allows the Attorney General to order a communications service provider to provide information, facilities or technical assistance for interception. They don’t need a court order for this, but the communications service provider can ask for a judicial review.

    The Communications Assistance for Law Enforcement Act states that communication service providers and related equipment manufacturers must have a permanent capability on their networks which allows law enforcement officers to carry out electronic surveillance.

    Data Retention

    The Stored Communications Act regulates the government’s ability to get the stored content of electronic communications and subscriber data from communication service providers. They can order providers to preserve communications records for 90 days and extend this for a further 90 days.

    Under the Federal Communications Commission Regulations, telecommunication carriers must keep any records that are necessary for billing information about telephone toll calls for 18 months.

    Civil litigants also have the right to require communications data to be preserved under the Federal Rules of Civil Procedure.

    Data disclosure

    Law enforcement officials and intelligence agency officials can make a communication service provider disclose data they hold through court orders, warrants or subpoenas. These must be authorised under the Stored Communications Act.

    The intelligence agencies can ask for data about foreign powers, either by National Security Letters, under the PATRIOT Act, or by a Foreign Intelligence Surveillance Act court order. The CLOUD Act amended the Stored Communications Act to allow federal law enforcement to compel communications services providers to provide requested data stored on servers regardless of whether the data is stored in the US or overseas.

    The Communications Act also gives consumers the right to require reasonable disclosure of their own data from companies that store it.

    Web blocking

    Blocking internet content generally isn’t authorised under current legislation. The US Supreme Court has invalidated blocking orders made in the lower courts on the basis that they breach the right of free expression in the First Amendment to the American Constitution. This includes indecent material likely to be accessible to under 18s.

    There are exceptions to this, including in the Digital Millennium Copyright Act. Here copyright holders can ask for injunctions against internet service providers which force them to take down infringing content.

    UK-US Data Access Agreement

    Under the Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering Serious Crime, which entered into force on 3 October 2022, BT Plc can be served directly with legal requests for disclosure of data from law enforcement authorities in the USA (UK law enforcement can make similar requests of US telecommunications providers). These requests are covered above in our transparency reporting for the UK.

Privacy and free expression

Fighting modern slavery