Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site : https://www.venice.coe.int/

Bulgaria

1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

In Bulgaria there is no specific framework for the use of spyware. While not separately and autonomously regulated, the use of spyware would be allowed under the notion of “special technical means/special investigative measures”.

2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?

Although there are not specific rules regulating the use of spyware, Bulgaria permits their use as part of its special technical measures.
Articles 32 and 34 of the Bulgarian Constitution guarantee citizens’ privacy, including protections against unauthorized monitoring, photography, or recording. Any exceptions, such as surveillance, must be legally justified and approved by the judiciary. With regard to surveillance, it is only permitted in cases involving serious crimes that threaten national security.
The Criminal Procedure Code restricts spyware usage to severe intentional crimes, establishing stringent conditions for its application, and requiring judicial approval. Evidence collection includes methods like wiretapping, surveillance, and undercover operations but must meet a proportionality standard, ensuring other methods are infeasible.

3. What kind of data, if any, could be collected with spyware?

4. Has there been any official evaluation of the need for, or added value of, spyware?

5.Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?

In the case of Bulgaria, it is up to the judicial authorities to manage authorizations. Bulgaria’s legal framework aligns with general targeted surveillance laws, applying to both criminal and intelligence investigations. Any use of surveillance technology requires judicial approval, which acts as a prior or post-action check on its application. Unauthorized surveillance is punishable under the Criminal Code, with penalties ranging from one to eight years in prison depending on the severity of the misuse.
Spyware use in national security is regulated under acts like the State Agency of National Security Act and the Special Intelligence Means Act. These laws allow intelligence officers to surveil individuals and gather intelligence, but only with judicial authorization in serious cases like terrorism and organized crime.

6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?

In Bulgaria, Parliamentary oversight is conducted by specialized committees. Moreover, the National Bureau for Control over Special Intelligence Means carries out oversight as an independent expert body.

7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individual targeted by measures of targeted surveillance?

The Personal Data Protection Act mandates secure handling of personal data, with timely breach notification requirements to relevant authorities and affected individuals.