Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

www.venice.coe.int

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/


  Spain

1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

There is no specific regulation on the use of any spyware (including Pegasus) by intelligence services. Regarding criminal investigations, the Criminal Procedure Law was amended by Organic Law 13/2015 “for the strengthening of procedural safeguards and the regulation of technological research measures” (a translation of the relevant parts of this law is annexed to this report).
The technological research measures include remote searches on IT equipment. This subject is regulated under general/common principles related to the interception of communications in new technologies (Chapter IV, Title VIII) and under a specific regulation on remote searches on IT equipment (Chapter IX, Title VIII).
There is no specific legal definition of spyware; however, Art. 588.septies.a of the law states: “The competent judge may authorise the use of identification data and codes, as well as the installation of software, which allow, remotely and telematically, the remote examination, without the knowledge of the owner or user, of the content of a computer, electronic device, computer system, computer mass data storage instrument or database.” The underlined text in italics could be understood as the legal definition of spyware for criminal investigations in Spain.

2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?

2.1.- Criminal Investigations.
The Criminal Procedure Law, in its TITLE VIII (Investigation measures restricting the rights recognised in Article 18 of the Constitution) regulates the issue.
Chapter IV (Art. 588.bis) establishes the common rules on the ‘interception of telephone and telematic communications, the interception and recording of oral communications through the use of electronic devices, the use of technical devices for tracking, tracing and capturing images, the recording of mass storage devices and the remote recording of data processing equipment’. Art. 588.bis.a defines the guiding principles and the rules that the judge must follow to grant authorisation for an interception of this type. This judicial authorisation must be founded on the principles of speciality, adequacy, exceptionality, necessity and proportionality of the measure. These principles are defined in the same Article. Other aspects of the common principles are developed: application for judicial authorisation (Art. 588.bis.b), judicial authorisation (Art. 588.bis.c), secrecy (Art. 588.bis.d), time limit (Art. 588.bis.e), request for extension (Art. 588.bis.f), effects on third parties (Art. 588.bis.h), use of information obtained in other proceedings and accidental discoveries (Art. 588.bis.i), end of the measure (Art. 588.bis.j), deletion of records (Art. 588.bis.k).
Chapter IX (Art. 588.septies) rules specifically on remote searches on IT equipment. Art. 588.septies.a establishes the premises. It only authorises this type of measure for specific offences (committed by criminal organisations, terrorism, offences against minors or persons with disabilities, offences against the constitution, treason or affecting national defence, offences committed through computer tools). It also establishes the content to be specified in the judicial authorisation of the measure (Art. 588.septies.a.2). The chapter also regulates the duty to cooperate (Art. 588.septies.b) and the time limit (Art. 588.septies.c), which is one month, extendable to a maximum of three months.
2.2.- Intelligence investigations.
As stated in the previous answer, there are no specific rules for intelligence services.
Therefore, in these cases, the general framework concerning the oversight of intelligence services in Spain should be applied. This framework encompasses:
- Law 9/1968, 5 of April, about official secrets, modified by Law, of 11 October 1978
- Law 11/1995, 11 of May, regulating the use and control over credits of reserved expenses
- Law 11/2002, 6 of May, regulating the National Intelligence Center
- Organic Law 2/2002, 6 of May, regulating the previous judicial control over the National Intelligence Center.
This legal framework establishes both democratic (parliamentary) and judicial oversight over the use of such tools by intelligence services.

3. What kind of data, if any, could be collected with spyware?

There are no specific rules on the issue.

4. Has there been any official evaluation of the need for, or added value of, spyware?

An evaluation of the topic has been taking place since December 2023, linked to the use of the Pegasus spyware in the context of the secessionist process in Catalonia.
4.1.- Current parliamentary developments linked to the use of Pegasus:
The plenary session of the Congress of Deputies passed a resolution on 21 December 2023 to set up two commissions of Inquiry.
1) Parliamentary Committee of Inquiry into the spying and intrusion into privacy and intimacy, through the Pegasus and Candiru malware, of political leaders, activists, lawyers, journalists, institutions and their families and relatives. The purpose of the Committee is as follows:
a) To know in detail the involvement of state institutions in alleged unlawful interference against political leaders, institutions and other individuals.
b) To investigate the alleged responsibility and misuse of technical bodies in all ministerial departments and the linking of these bodies to espionage.
d) To know the contracts, costs and contracting processes for the alleged development and/or purchase of Pegasus software or other tools used for espionage by official bodies.
e) To investigate all initiatives carried out by state authorities in order to persecute political dissidence.
f) To propose and raise redress measures for all those affected by illegal investigations, as well as accountability for misuse of government machinery.
g) To propose appropriate control, investigation and prevention measures to shield democracy from abuses of state power and prevent its use against civil and political rights.
The Committee was constituted on 28 February 2024 by electing its governing bodies.
2) Parliamentary Committee of Inquiry into the so-called 'Operation Catalonia' and the actions of the Ministry of the Interior during the governments of the Popular Party in relation to the alleged irregularities linking high-ranking officials and police commanders to the existence of a vigilante plot.
In relation to the use of spyware, the following purpose of the Commission should be emphasised.
...
d) To know the contracts, expenses and contracting procedures for the alleged development and/or purchase of software called "PEGASUS", or other tools allegedly used for spying by official bodies.…
The Committee was constituted on 28 February 2024, by electing its governing bodies, with the commitment of the Committee's chair to begin its work quickly.
4.2.- Current judicial and legal developments linked to the use of Pegasus
Bill to reform the legal framework
On 8 September 2023, the Parliamentary Group of the Basque Nationalist Party presented a bill to amend Law 11/2002 and Organic Law 2/2002. The bill proposes a strengthening of prior judicial control by replacing the figure of the single Supreme Court magistrate in charge of these matters with a three-member chamber of Supreme Court magistrates. The bill has been adopted as a full initiative by the lower Chamber on 27 February 2024 but has not yet been passed by the Chamber.
Ex-post judicial control over the use of Pegasus in the frame of the secessionist process in Catalonia.
The investigating court number 29 of Barcelona in preliminary proceedings 1154/2023 investigating the use of Pegasus to spy on politicians and other relevant persons in the context of the Catalan independence process requested the Council of Ministers to declassify the judicial resolution issued by the judge of the Supreme Court in charge of authorising the interception of communications of these individuals. This judge’s decision was issued at the request of the director of the CNI and supposedly authorised the use of the Pegasus programme. The Council of Ministers agreed to the (partial) declassification of the decision of the Supreme Court judge by agreement of the Council of Ministers of 16 January 2024. The decision of the Supreme Court judge was sent to the investigating judge and is part of the judicial file, which is still secret and therefore not yet known to the public.
c) To know in detail all the Foreign Ministry's activities in relation to the investigations carried out in an allegedly illegal manner, without being sub judice, of the Generalitat's delegations abroad.

5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?

5.1.- Intelligence services: ex ante judicial authorisation:
The general principle of prior judicial control is formulated in Art. 12 of Law 11/2002 and developed in Organic Law 2/2002.
In essence (a full translation of LO 2/2002 is annexed to this report) the legal regulation establishes the appointment by the General Council of the Judiciary of a Supreme Court magistrate (from the administrative or criminal chamber) and a substitute to authorise interceptions of communications by intelligence services. Both must have at least three years' seniority in the Supreme Court. Their term of office shall be five years. This judge may authorise the interception of communications at the proposal of the Director of the CNI. The director's proposal shall always be in writing and shall clearly state the reasons and the duration. The judicial decision shall be duly reasoned and for a fixed duration. It shall also provide for the destruction of all information obtained which is not related to the subject matter of the authorisation. The judicial decision shall be secret, although (see below) it may be declassified in accordance with the procedure provided for in the general legislation on official secrets.
5.2.- Criminal investigations: ex ante judicial authorisation
As stated supra in answer to question 2, the law establishes a detailed regulation on the judicial authorisation needed to use these kinds of programs.

6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?

6.1. Parliamentary Oversight:
1.1.-Legal Framework
The specific laws on intelligence services oversight are:
Law 9/68 (amended in 1978 with the entry into force of the Constitution) establishes which matters may be declared secret or reserved ("classified matters") and the body that may declare them as such (basically the Council of Ministers). This declaration shall not affect (Article 10.2) the Congress of Deputies or the Senate, which shall have access to the information in the manner established in their regulations and, where appropriate, in camera sessions.
Parliamentary oversight of classified expenditure is provided for in Law 11/1995. Article 7.3 of this law entrusts it to a standing parliamentary committee. For its part, Law 11/2002 attributes to the same committee (Art. 11) the control over the operation of the National Intelligence Centre (CNI). This control involves the periodic appearance of members of the government and, in particular, of the director of the CNI.
The current regulation of this standing parliamentary committee is developed by the Resolution of the Presidency of the Congress of Deputies on official secrets of 26 April 2022. By virtue of this resolution, the permanent parliamentary committee (popularly known as the Official Secrets Committee, although its official name is the Committee for the control of credits destined to reserved expenses) is composed of the President of the Congress of Deputies and a representative of each Parliamentary Group appointed by the absolute majority of the chamber. The committee meets "in camera" and its members are bound by an obligation of confidentiality. No records of its meetings are published.
The resolution of the presidency establishes the following relevant points on access to classified information:
- The request for information can be submitted by any parliamentary committee or parliamentary group.
- If the information is secret, the government provides the information through the members of the standing committee.
- If the information is "reserved", the information is transmitted to the spokespersons of the parliamentary groups or to their representatives in the requesting committee (if it comes from a request for information from another parliamentary committee).
- Exceptionally, the government may request that the information be transmitted to the president of the Congress (or of the requiring committee if it comes from one other than the standing committee on official secrets).
In addition to these specific instruments, the general regime of information and control of the parliament over the government is applicable. In particular, there is the possibility of setting up parliamentary committees of inquiry (by agreement of the majority of the plenary of the chamber) whose work may cover any subject (Art. 76.4 SC), including reserved or secret matters, on which a duty of confidentiality may be imposed or which may agree to hold in camera sessions (Art. 64.4.a Standing Rules of the Congreso) and whose conclusions must also respect the matters qualified as secret.
2.- Judicial Control
Spain has an ex-ante and an ex-post system of judicial control of any intervention by intelligence services that involves an invasion of privacy rights and the secrecy of communications. Both systems are applicable to cases of use of software such as those mentioned in the consultation.
a) Ex-ante Judicial Control:
See supra answer 2.1.
b) Ex-post Judicial Control:
Ex-post judicial control of secrets related to the activities of the intelligence services was established by the case law at the end of the last century. According to this case law, any judge in the framework of a judicial investigation can ask the Council of Ministers to declassify information considered confidential. The Council of Ministers' discretion is not entirely free. It has to be a sufficiently reasoned decision in which the reasons cannot exclude considerations of general interest following the specific judicial investigation and the individual assessment of the fundamental rights concerned. The refusal by the Council of Ministers of the requested information or documentation may be challenged before the Administrative Chamber of the Supreme Court, which will assess whether it is in accordance with the law, even by examining "in camera" the requested documentation (access to which was denied to the complainant judge but which the Council of Ministers must make available to the Supreme Court) to check whether the refusal is properly reasoned. In certain cases, the Supreme Court has ordered the declassification of documents considered secret by the government. The basic case law is contained in Judgments of the Supreme Court (Third Chamber): 4 April 1997 and 30 January 1998.

7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?

There is no post-surveillance notification mechanism. The remedies available are those derived from the general legal provisions for the protection of privacy and secrecy of communications. Appeals have been lodged against the use of these programmes, as described in answer 4.2 above.