Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site : https://www.venice.coe.int/
3. What kind of data, if any, could be collected with spyware?
N/A
Le type de données n’est pas spécifié dans la législation. La L.R&S exige cependant que les principes de légalité, proportionnalité et subsidiarité soient respectés. L’article 2, § 1, alinéa 4 de la LR&S dispose que toute mise en œuvre d'une méthode spécifique ou exceptionnelle de recueil des données implique le respect des principes de subsidiarité et de proportionnalité. L’article 12 de la loi dispose plus spécifiquement que les services de renseignement et de sécurité ne peuvent utiliser des moyens de contrainte que dans les conditions prévues par la loi. L’article 18/6, § 1, 2° alinéa dispose que l'intrusion des services de renseignement et de sécurité dans les systèmes informatiques, ne peut avoir d'autre but que le recueil de données pertinentes qui y sont stockées, traitées ou transmises, sans qu'il y ait destruction ou altération irréversible de celles-ci. L’article 18/9 de la loi dispose qu’une méthode exceptionnelle ne peut être mise en œuvre si les méthodes ordinaires de recueil de données sont jugées insuffisantes pour permettre de récolter les informations nécessaires à l'aboutissement d'une mission de renseignement. La méthode spécifique doit être choisie en fonction du degré de gravité de la menace potentielle pour laquelle elle est mise en œuvre ou en fonction du degré de gravité du
N/A
/
In the criminal law context, pursuant to judicial authorizations, covert electronic surveillance tools can be deployed enabling the interceptions of private communications, transmission data and/or the acquisition of static data from electronic devices.
/
The law does not set up any specific limitations in this respect.
For intelligence investigations, such data can be any information, among others personal data, special categories of personal data, data rendered anonymous and data addressed to the public and available from public sources (see Security Sevices Act, § 21). It has to be limited to data needed to perform the functions of the authority, i.e. prevention and combating of changing the constitutional order or territorial integrity of the state by force, and collection and processing of information necessary for such purpose, prevention and combating of intelligence activities directed against the state, including protection of state secrets and classified information of foreign states, prevention and combating of terrorism and terrorist financing and support and prevention and combating of corruption endangering national security, and collection and processing of information necessary for such purpose, or combating of those criminal offences the pre-trial investigation of which is within the competence of the Estonian Internal Security Service as well as collection and processing of information concerning foreign states, or foreign factors or activities, which is necessary for the state in formulating the foreign, economic and national defence policy and for national defence, conduct of counter-intelligence for the protection of the foreign missions of the state and such structural units or staff of the Defence Forces which are outside the territory of the state or conduct of counter-intelligence for the protection of the staff of the Estonian Foreign Intelligence Service, persons recruited for co-operation, and property in the possession of the Estonian Foreign Intelligence Service.
There are no specific rules limiting the collection of data with spyware. However, there are general rules on prohibitions of intelligence collection. For instance, Section 82 of the Act on Military Intelligence provides that elecommunications interception, collecting data other than through telecommunications interception, on-site interception, technical observation, radio signals intelligence or network traffic intelligence shall not be targeted at communications or information in respect of which a party may not testify or has the right to refuse to testify under chapter 17, section 13, 14, 16, 20 or section 22, subsection 2 of the Code of Judicial Procedure. These provisions of the Code of Judicial Procedure relate to professional secrecy in the relationship between a lawyer and his client, clergy privilege and doctor-client privilege. Similar provisions can be found from the Coercive Measures Act and the Police Act.
/
The Federal Constitutional Court places strict limits on online searches, especially when they intrude into core areas of private life. Telecommunication surveillance, which involves monitoring active communications, is subject to fewer restrictions but still requires clear, proportional legal authorization. In contrast, covert searches of IT systems are generally allowed only when there is a direct and serious threat to life, freedom, or crucial public interests. These searches must have judicial approval and safeguard private life.
Since the presidential decree provided for by Article 13 of law 5002 of 2002 has not yet been issued, there are no indications to this day about the kind of data that can be legally collected by spyware by State agencies.
The Electronic Communications Act contains a provision authorizing the use of cookies, cf., paragraph 2 of Article 88, which states:
There is no definition or general classification of types of data in Irish law. The kind of data that can be collected depends on the provisions of the Act in question.
As interceptions are involved, as a rule, the dynamic flow of conversations and communications. As mentioned above, the Italian legislator has regulated and thus authorized the use of spyware in the criminal proceedings exclusively for the interception of face-to-face conversation carried out on a portable device (Article 266, paragraph 2 and 2-bis CCP). Any other form of interception is therefore not expressly authorized by law. In practice, however, the Court of Cassation has often considered legitimate the use of other functions performed by the trojan horse, even if not expressly permitted by the littera legis. For example, in the decision no. 3591/2021, judges considered legitimate the acquisition of a file Excel in progress on a personal computer by means of a screenshot made by the spyware, since it is a mere detection of the computer data in progress, object of “communicative behaviour” susceptible to interception and also to video recording pursuant to Article 266-bis CCP, and not a computer search aimed at searching and extracting pre-existing data. Moreover, in the decision no. 40903/2016, it was considered legitimate to use a trojan with a keylogging mode to obtain the access password to the suspect's email that he was typing on his device.
/
As now indicated, the underlying feature of Kosovo’s present legal framework is its silence or absence of specific provisions relating to spyware. However by way of a broader reading of the relevant legislation, it is to be understood that any collected data through means of electronic communication can only be permitted as far as they are justified on the grounds of criminal procedure proceedings and national security considerations.
According to the Law of the Kyrgyz Republic of October 16, 1998 No. 131 “On operational investigative activities”, the data that can be collected during targeted surveillance can be judged by the following types of operational investigative activities:
/
There is no available information on this matter.
According to Article 8 § 1(c) of the Loi SRE, in Luxembourg the Police can use spyware to capture computer data, whereas the Security Services can seek, in a targeted manner, information necessary for the performance of one of its missions or monitor and control communications which cannot be technically intercepted using normal telecommunications networks.
/
Article 27 para. (5) of the Law no. 59/2012 on the special investigation activity allows for the use technical means intended for covert obtaining of information for carrying out any special investigative measures under the conditions of this Law. However, analysing the wording of the special investigation measures that can be carried out under this law, it can be concluded that only computerized data, location or tracking data and recording of communications and/or images may be collected by technical means intended for covert obtaining of information.
Des communications privées sous réserve d’une autorisation judiciaire, mais il n’est pas fait référence à des logiciels espions (cf. question 1).
/
In Art. 4 para 1 point 19 of the Law on Communications Surveillance is the definition of information related to monitored communication. "Information Related to Monitored Communication" refers to data about telecommunications services for the person and/or object that is the target of communication monitoring, particularly data related to the communication itself, data about the services, data about the location, and any other relevant data.
Law enforcement authorities:
There appears to be no specific limitations to the kind of data. Both laws are technology neutral. For data reading, Article 216 o section 4 says that “The reading may include communications, electronically stored data and other information about use of the computer system or the user account”.
The use of spyware is not explicitly regulated by polish law – its application falls under the general legal frameworks governing surveillance and data collection by law enforcement and intelligence agencies. There is no clear catalog of the types of information that can be collected. In Polish scientific literature, examples include intercepting and collecting various types of communication data, such as SMS, emails, and messages from apps like WhatsApp, Signal, and Telegram. It also involves
/
As there is no specific definition, no specific discipline dedicated to the use of spyware and no concrete case history in the judicial field, further information is not available to answer this question.
In Article 179 of the Code of Criminal Procedure entitled "Order on search of computer data" it is prescribed that the order issued by the judge contains a description of the data that needs to be searched and processed. The law does not specify exactly what the data can be, but from the general provisions it is clear that it is about the data needed to conduct a criminal investigation for specific criminal offenses prescribed by this law.
The law does not regulate this issue. Section 2 par. 1 PAIA merely stipulates that “information-technical devices” shall be used for “obtaining the contents of messages transmitted over electronic communications networks, including the interception of telephone communications” and “making visual, audio, audio-visual or other recordings”.
There are not specific rules on the issue.
Section 2 of the Act distinguishes between the following categories of data which can be collected:
In the context of parliamentary oversight, the competent parliamentary committee has requested an annual performance report from the FIS in accordance with Article 26 IntelSA and the measures against foreign computer systems in accordance with Article 37 IntelSA since 2019. In its report, the FIS provides a comprehensive assessment of the benefits of the measures and addresses technical aspects and resource issues. In terms of statistics, the following should be noted: Article 269ter, paragraph 4, CPC requires the public prosecutor's office to maintain statistics on surveillance with GovWare. The Federal Agency for the Surveillance of Mail and Telecommunication (an agency within the Justice Department) is required by Article 16, paragraph 1 (k) of the Federal Act on Post and Telecommunications Surveillance to produce statistics on surveillance measures by fedpol and FIS. These statistics show that nine operations used special computer software in 2023, compared to seven in the previous year. The Federal Administrative Court has recently handed down a judgement on the use of Pegasus by Switzerland. It is not yet final. A lawyer demanded access to the contract for Israeli spyware used by the Federal Office of Police (fedpol) and the Federal Intelligence Service (FIS) under the Swiss Transparency Act. The spyware in question is Pegasus. In a recommendation dated 25 January 2022, the Federal Data Protection and Information Commissioner (FDPIC) instructed fedpol to inform the requesting party of the existence or non-existence of a contract with the NSO Group and, if such a contract exists, to grant access to it in accordance with the Transparency Act. On 15 February 2022, fedpol defied the Commissioner's recommendation by refusing access to the information and documents requested, invoking several exceptions to the principle of transparency. In March 2021, the lawyer appealed the decision, demanding that it be annulled and that fedpol inform him of the existence or non-existence of a possible contract with the NSO Group and, if such a contract existed, granthim access to it. In its ruling of 9 January 2002, the Federal Administrative Court states that there is a significant public interest in determining whether the software acquired by Switzerland is Pegasus. This is particularly relevant in light of recent revelations that it is used by certain states to target members of the opposition, journalists, or foreign political leaders. However, the Court is convinced that knowledge of the information requested could put the measures taken by Switzerland at risk in the event of a concrete threat to its internal and external security, which would in turn hinder the work of the law enforcement authorities. The Court was clear that the use of such a surveillance programme is strictly regulated by Swiss law and only permitted in the event of a suspicion of a serious criminal offence or a threat to national security. Furthermore, the cantonal and federal prosecutors' offices keep annual surveillance statistics for the Federal Post and Telecommunications Surveillance Service (PTSS). The court therefore dismissed the appeal. The judgement in the original French language is available under https://bvger.web-law.ch/pdf/A-1310-2022_2024-01-09_56ada72b-8077-4a1d-8bc5-860a7c3d37f7.pdf. The judgement is not yet final; the case is pending before the federal supreme court.
The joint Order of the General Prosecutor's Office of Ukraine, the Ministry of Internal Affairs of Ukraine, the Security Service of Ukraine, the Administration of the State Border Guard Service of Ukraine, the Ministry of Finance of Ukraine, the Ministry of Justice of Ukraine (dated 16.11.2012) “On the approval of the Instructions on the organization of Covert investigative (detective) actions and the use of their results in criminal proceedings":
In the United Kingdom Section 99 § 2 of the IPA 2016 provides that communications, equipment data or any other information can be obtained through a targeted equipment interference warrant.
U.S. law imposes a burden on authorities to demonstrate that collection meets the kinds of standards articulated in the jurisprudence arising under the Fourth Amendment and potentially other fundamental rights protections in U.S. law.
Austria
Belgium
préjudice potentiel pour l'exercice des missions des services ou du danger potentiel pour la sécurité de la source humaine. L’article 18/9, § 4 de la loi dispose en outre qu’une méthode exceptionnelle ne peut être mise en œuvre à l'égard d'un avocat, d'un médecin, d'un journaliste, ou moyens de communications qu'ils utilisent à des fins professionnelles, qu'à la condition que le service de renseignement et de sécurité dispose préalablement d'indices sérieux attestant que l'avocat, le médecin ou le journaliste participe ou a participé personnellement et activement à la naissance ou au développement d'une menace potentielle grave visée au paragraphe 1er. L’article 2, § 2 de la loi interdit cependant aux services de renseignement et de sécurité d'obtenir, d'analyser ou d'exploiter des données protégées par le secret professionnel d'un avocat ou d'un médecin ou par le secret des sources d'un journaliste.
Bosnia and Herzegovina
Bulgaria
Canada
Crotia
Denmark
Estonia
Security Authorities Act provides for general principles for the collection of personal data in § 3:
"§ 3. Principles of activity of security authority
(1) A security authority collects and processes information, including personal data, insofar as this is necessary for performing its functions, considering the following principles:
1) the manner and scope of collection and processing of information and the organisational and technical safeguards applied may not excessively adversely affect the fundamental rights of a person compared to the objective pursued by the security authority;
2) the collection and processing of information may not endanger the life or health of a person, unnecessarily endanger property or the environment or unnecessarily infringe other personal rights;
3) information is processed and retained for as long as necessary for the performance of the security authority’s function and in accordance with the objective of the activity of the security authority;
4) information is collected and processed in a manner which ensures its security, including protects against unauthorised or unlawful processing and accidental loss or destruction thereof or damage thereto by applying appropriate technical or organisational measures.
(2) A security authority is to only use measures necessary for performing its functions. In the case there are several possible measures, the security authority is to use the measure which restricts the fundamental rights of persons as little as possible in connection with the performance of a function of the security authority. A measure which does not restrict the fundamental rights of an individual excessively compared to the objective pursued by the security authority may be used."
In criminal proceedings, such data is limited by the aim of surveillance – to collect evidence in the criminal proceedings. Other data collected may be preserved and used:
1) in another covert operation;
2) in other criminal proceedings;
3) in security vetting;
4) for assessment of the reliability of a foreign investment within the meaning of Foreign Investment Reliability Assessment Act;
5) in situations provided for by law, to prevent money laundering or terrorist financing;
6) when deciding the hiring of a person or the granting of an authorisation or licence to a person, to verify whether the person meets the requirements provided by law. Information collected by a covert operation may be preserved for study and research purposes. Personal data and, where this is needed, the relevant setting, must be completely altered in order to avoid revealing any persons who participated in the operation or were enlisted for it. Where the criminal file includes a recording of information that has been made in the course of a covert operation and that does not need to be preserved, the person whose fundamental rights were interfered with by the covert operation may, when the judgment has entered into effect, make a motion to destroy such a recording (Criminal Procedure Act, § 126 12 Sections 3, 4 and 5).
Finland
France
Germany
Greece
Iceland
The use of any kind of system and equipment, including software, which collects and/or stores information about activities or communications of user in his terminal equipment, provides access to information stored in his terminal device or monitors his activities is unauthorised, unless according to informed consent of the user or according to legal authorisation. Despite this, the use of such equipment is authorised to attain access to information and/or to technical storage for a lawful purpose and with the knowledge of the user in question.
The explanatory report on Article 88, addressing the confidentiality of electronic communication includes a discussion on this issue.
Ireland
Criminal Justice (Surveillance) Act 2009
Under this Act, data can be collected through surveillance. Data can be in the form of books, recordings, written or printed material, or information stored or preserved electronically or otherwise than in legible form. Surveillance is defined as monitoring, observing, listening to or making a recording of someone or something or their movements activities, and communications. Data can be collected through the use of surveillance devices and tracking devices. A tracking device is defined as a surveillance device that is used only for the purpose of providing information regarding the location of a person, vehicle or thing. The courts have been strict in interpreting the Act and ensuring the data collected qualifies as surveillance under the Act.
Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
The 1993 Act is limited to traditional telecommunications providers. Communication is defined as a postal packet or telecommunications message, including a telegram. This Act does not apply to communications from ‘over-the-top’ services, such as WhatsApp, Facebook Messenger and Gmail. It only applies to messages transmitted by traditional operators such as landline, cable and mobile phone providers and internet connectivity providers. In 2021, the designated judge reporting on the operation of the legislation noted that updated legislation to allow for state bodies to access encrypted forms of telecommunications was urgently required and long overdue. Similar comments were made by O’Connor J in the report from this year. He recommended that ‘over-the-top’ services be brought within the scope of the legislation.
Communications (Retention of Data) Act 2011, as amended by the Communications
(Retention of Data) (Amendment) Act 2022
The 2011 Act only applies to metadata and does not regulate the content of communications. It applies to data in the electronic communications sector, specifically traffic and location data, and data necessary to identify a user and data processed in connection with communications on landlines, mobile phones and the internet. This Act applies to ‘service providers’, but only to traditional telecoms and connectivity providers and not ‘over-the-top’ services. All service providers must retain ‘user data’ and ‘internet source data’. User data, internet source data, and Schedule 2 data (location and communications traffic data) can be accessed under this Act. Internet source data is available in relation to investigations of serious offences, revenue offences, police disciplinary matters, in the interest of the security of the state, to preserve human life and to locate a missing person. Schedule 2 data is generally available only in relation to state security unless the data is being held for a purpose other than compliance with a High Court order imposing data retention obligations, in which case it is also available in relation to serious offences, revenue offences and police disciplinary matters.
Italy
Korea
Kosovo
When it comes to the kind of data, the Law on Electronic Communications is instructive, as it contains a definition, providing as follows: "Data shall mean all data related to communications that are subject to lawful interception order, including, inter alia, time, duration, source, destination, location and type of broadcast equipment or acceptance involved in communications, but excluding the content of a communication."
Kyrgzstan
− control of postal items, telegraph and other messages;
− listening to and recording conversations conducted via telephone and other communication devices;
− removing information from technical communication channels;
− operational surveillance (including indirect surveillance using technical means);
− the use of technical means to obtain information that does not affect the inviolability of private life, home, personal and family secrets protected by law, as well as the secrecy of personal deposits and savings, correspondence, telephone conversations, postal, telegraph and other communications;
− search for technical means of illegal removal of information;
− operational search in networks and communication channels;
− covert wiretapping and recording of conversations (using video, audio equipment and/or special technical means);
− obtaining information about connections between subscribers and (or) subscriber devices.
Liechtenstein
Lithuania
Luxembourg
Malta
Moldova
For example, to collect the traffic data or to identify the subscriber or user of an electronic communications network, the wording of article 31 and, respectively, 34 of the Law no. 59/2012 makes a clear refence to electronic communications service providers.
In a recent Judgement, the Constitutional Court of the Republic of Moldova had analyzed if the criminal investigation authority’s possibility to access a person’s telephone transfer data without respecting the rules of ratione materiae, personae and temporis of the secret surveillance is in compliance with right to the secrecy of correspondence protected by the Constitution. The Court
considered that, although it may be a useful means of investigating and uncovering offences, the Court considers that access to the history of information concerning previous telephone conversations must be accompanied, mutatis mutandis, by the conditions and guarantees applicable to the special investigative measures provided for in Articles 132, 132, 132 and 134 of the Code of Criminal Procedure. These conditions and safeguards must be tailored to the precise characteristics of the collection of the telephone conversation history. At the same time, the period for which the measure in question may be requested must be
proportionate to the necessity and proportionality of the retrieval of the telephone call records and may not exceed the period for which the telecommunications network and/or service provider is obliged to retain them under Article 20 para. (3) let. (c) of the Electronic Communications Act.
In the Courts opinion, the fact that the contested norm concerned the history of the telephone conversation and not a real-time collection of this information is irrelevant from the point of view of compliance with the applicable safeguards, as both cases concern access by the authorities to information on individuals' telephone conversations (see Judgement no. 22 of 19 December 2023).
Monaco
Morocco
North Macedonia
Netherlands
Yes. In 2022, the Research and Data Centre of the Dutch Ministry of Justice and Security published an evaluation report on the Dutch hacking power for law enforcement authorities. It is an empirical study into the implementation of the hacking power (Article 126nba, 126uba, 126zpa DCCP). Between March 2019 and March 2021, the hacking power was issued in 26 criminal investigations. It has been used in criminal investigations into more serious forms of traditional crime such as (attempted) murder, cases involving narcotics, falsification of documents, money laundering, sexual offences, terrorism offences, and membership of a criminal organisation. The report clarified that the Dutch police used of a commercial tool in the ‘vast majority’ of cases. The name of the commercials tool(s) used is not public.
Intelligence and Security Services:
Yes. The entire Act on intelligence and security services was evaluated in 2020, including the hacking power in Article 45. However, its focus was not on ‘targeted surveillance’ but rather on the use of hacking at organisations and the acquisition of bulk datasets. Following reports from oversight bodies, it recommended improvements for the reconnaissance phase in the use of hacking powers and regulations for acquiring and processing bulk datasets. These regulations are, in part, implemented in the recent legislation focusing on ‘State actors with cyber programs’ (2024).
Norway
Poland
recording phone calls and accessing call logs. Additionally, spyware can track browsing history and social media activity, capture GPS data for location tracking, and access stored files, including documents, photos, and videos. It may log keystrokes, including passwords, and activate the device’s camera and microphone to record audio and video. Furthermore, spyware can gather data on installed apps and system logs to monitor device usage and identify vulnerabilities.
Romania
San Marino
Serbia
Slovakia
Spain
Sweden
communication interception data: data on the content of messages that are transmitted or have been transmitted to or from a telephone number or any other address in an electronic communication network, communication monitoring information: information about messages that are transmitted or have been transmitted in an electronic communication network to or from a telephone number or any other address, location information: information about the geographical area in which certain electronic communication equipment is or has been, camera surveillance data: data obtained through optical personal surveillance, audio surveillance data: data relating to speech in a private room, conversations between others or negotiations at meetings or other gatherings to which the public does not have access, other stored and real-time data on the device not falling into the above categories.
Section 23 of the Act provides “The technology used in connection with secret data reading must be adapted to the permission granted. The technology must not make it possible to read or record any other type of information than what is specified in the permit. If such information has been read or recorded, recordings and records of this information must be immediately destroyed and the Security and Privacy Protection Board notified.
Information specified in the first paragraph may not be used in a criminal investigation to the detriment of the person who has been covered by the measure or anyone else to whom the information relates.”
Annual figures on the use of different surveillance methods by the police (including secret data reading) are published by the Prosecutor General. These break down the authorisations into the different categories above. The most recent figures, for example, show that.
However, this has a function in terms of providing evidence in a future prosecution.
Authorisation to remotely activate video surveillance on a device was given only four times in 2023. Authorisation to remotely activate audio surveillance on a device was also given only four times in 2023. The figures, published since 2020, when the Act was introduced, show that the overwhelming purpose for which secret data reading is granted in Sweden is to break a device’s encryption.
Switzerland
Ukraine
According to the provisions of the Criminal Procedure Code of Ukraine, covert investigative (detective) actions are carried out, depending on their type and specific purpose, against a suspect or another person, if only as a result of their conduct it is possible to obtain information about the crime and the person who committed it, or the circumstances , which are important for the pre-
trial investigation (about events, things and documents that are of significant importance for the pre-trial investigation) (articles 246, 253, 261 of the Criminal Procedure Code of Ukraine).
The investigating judge shall be provided with information, depending on the type of covert investigative (detective) action, obtained during the pre-trial investigation, confirming the impossibility of obtaining information about the crime or the person who committed it in another way.
United Kingdom
United States of America
In the context of criminal investigations, case law concerning communications interception suggests a few principles that apply to certain categories of sensitive information. First, the Supreme Court has found that there is no expectation of privacy under the Fourth Amendment for IP addresses. Accordingly, this data may be collected by law enforcement without a warrant and used in criminal investigations. Second, the government may collect a wide array of information about an individual from a third party, often beyond the scope of the Fourth Amendment. Thus, the government has enjoyed the ability to obtain an individual’s financial records from a bank and phone records of an individual.
In the intelligence context, FISA provides the framework under which intelligence agencies may gather phone calls, text messages, emails, and other electronic communications. It is relevant, though not specifically for the use of spyware, that FISA also provides federal authority to compel third parties to hand over data on national security grounds.