Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site : https://www.venice.coe.int/

Crotia

1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

In Croatia there is no explicit permission or prohibition related to the use of spyware. Indeed, Croatia does not have specific spyware laws, but spyware use is implied within broader surveillance regulations.

2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?

There are no specific rules; therefore, the general rules on targeted surveillance apply. The Croatian Constitution ensures personal data privacy (Article 37) and prohibits the use of illegally obtained evidence in court (Article 29). Laws such as the Criminal Procedure Act, Police Affairs and Powers Act, and Security and Intelligence System Act (SISA) guide surveillance within criminal and intelligence contexts. Croatian law allows police to use spyware-like surveillance for serious criminal cases only if other investigative methods are insufficient. These actions require judicial approval from an investigating judge, with written reasons justifying the need for surveillance. Orders last up to three months, with possible extensions for ongoing investigations. Article 36 § 2 of the Security and Intelligence System Act of the Republic of Croatia allows targeted surveillance in the absence of a prior authorisation, provided that such authorisation is granted by the relevant authorising body within a deadline that varies between 24 hours.

3. What kind of data, if any, could be collected with spyware?

4. Has there been any official evaluation of the need for, or added value of, spyware?

5.Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?

Article 332 of the Criminal Procedure Act stipulates that in order to conduct special evidence-collecting measures during preliminary criminal investigations, it is necessary to obtain a written order from the investigating judge, which must include a statement of reasons specifying: information concerning the person in respect of whom the measures are carried out, relevant circumstances justifying the need for secret surveillance measures, the time-limits in which the measures can be carried out – which must be proportionate to the legitimate aim pursued – and the scope of the measures (Article 182, paragraph 1 of the Criminal Procedure Act). These measures can only be ordered upon a written request from the State Attorney, which must include a statement of reasons. Article 33 of the 2006 SISA specifies a list of measures for secret data collection by the Security and Intelligence Agency. For the following more intrusive measures, a judicial warrant of the highest court (the Supreme Court of the Republic of Croatia) is needed: secret surveillance of the communication content, postal censorship (secret surveillance of mail and other postage), secret surveillance and technical recording of the interior of facilities, closed spaces and objects, as well as the secret surveillance and monitoring, with audio recording of the content of communication between persons in open and public spaces (Article 36). On the other side, the following measures can be taken if approved by one of the Directors of security and intelligence agencies within their respective scope of activities: secret surveillance of the telecommunications traffic data, location of the user and international telecommunications; secret surveillance and monitoring, with recording of images and photos of persons in open and public spaces; secret purchase of documents and objects (Article 38).

6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?

In the case of Croatia, Parliamentary committees (The Committee for Internal Affairs and National Security) oversee intelligence agencies. Moreover, high-level judicial authorization is required for certain intelligence measures. The Office of the National Security Council oversees these agencies, ensuring actions are lawful and proportional, with authority to correct violations and report findings to top government officials. Finally, Specialized bodies like the Council for Civic Oversight of Security Intelligence Agencies and the Council for Civic Oversight of Police Powers provide non-judicial oversight, handling public complaints, verifying legality, and reporting findings to the government.
The Council for Civic Oversight of Security Intelligence Agencies conducts a regular ex-post oversight of agencies, focused on the legality of work and implementation of special data gathering measures. It acts on the basis of requests sent by citizens and legal persons about potential irregularities and human rights violations. The Council is composed of seven citizens appointed by the Parliament on the basis of a public call for four-year mandates but with specific expertise and full security clearances. Where, in the conducted oversight, it is established that there have been some unlawful acts, the Chairperson of the Council shall notify the President of the Republic, the President of the Parliament, the President of the Government and the Chief State Attorney.

7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individual targeted by measures of targeted surveillance?

The Croatian Ombudsman handles human rights complaints regarding misuse of surveillance powers and can review the constitutionality of actions by government bodies, including the police. Moreover, the State Administration System Act allows individuals harmed by illegal or improper state surveillance to seek compensation through civil courts. This objective liability framework applies regardless of fault, based on a causal link between state actions and damage.