Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site : https://www.venice.coe.int/

Greece

1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

There is no definition of spyware in Greek law. However, both the Constitution and criminal legislation refer to spyware, directly or indirectly, and provide for various prohibitions, as explained in the answers to the other questions of the present questionnaire.
There are two provisions in the Greek Constitution which are directly related to spyware:
(i)The first is Article 19, which reiterates the old-time guarantee of the secrecy of correspondence (dating from the 19 th century), provides as follows:
“1. Secrecy of letters and all other forms of free correspondence or communication shall be absolutely inviolable. The guaranties under which the judicial authority shall not be bound by this secrecy for reasons of national security or for the purpose of investigating serious crimes shall be specified by law.
2.Matters relating to the constitution, the operation and functions of the independent authority ensuring the secrecy of paragraph 1 shall be specified by law.
3.Use of evidence acquired in violation of the present Article and Articles 9 [i.e. protection of home asylum and private life] and 9A [see hereunder] is prohibited”.
(ii)The second is Article 9A, which was adopted as an amendment to the Constitution in 2001, and provides:
“All persons have the right to be protected from the collection, processing and use, especially by electronic means, of their personal data, as specified by law. The protection of personal data is ensured by an independent authority, which is constituted and operates as specified by law”.

2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?

In 2022, a spyware network was revealed in Greece, involving, among others, EYP (that is the Greek National Intelligence Agency), which operates under the authority of the Prime Minister’s Office. Among the persons that were found to be under the surveillance of EYP and two other private entities, whose identity has recently been disclosed were several ministers, the head of the army’s joint staff and the leader of an opposition party. After the affair was made public, the leader of EYP as well as the director of the Prime Miniter’s office, who was in charge with the supervision of EYP were dismissed and the Prime Minister himself declared that he was sorry for the relevant interceptions which, although legal, would have never been ordered. It was only then that Parliament voted law 5002 of 2022, which, in addition to the general rules forbidding interceptions and surveillance of Article 370A -370C of the Greek Criminal Code, refers to spyware (see hereunder).
Law 5002 of 2022 added Articles 370E and 370F of the Greek Criminal Code (i.e. law 4619 of 2019). Article 370E provides that any person «acting illegally and using technical means” («όποιος αθέμιτα, με τη χρήση τεχνικών μέσων») “monitors or impresses” («παρακολουθεί ή αποτυπώνει») non-public transmissions of data, for the purpose of getting informed thereof or of using the relevant data, is imprisoned for a period not exceeding ten years. As for Article 370F, it provides for an imprisonment of 2 to 5 years of any person who is producing, selling, importing or exporting or trading in any other way “software or surveillance equipment, which may intercept, record or draw on” («λογισμικά ή συσκευές παρακολούθησης, με δυνατότητα υποκλοπής, καταγραφής και άντλησης») personal data.
The same law 5002 of 2022, however, provides that the use of spyware by State agencies may be permitted, under the terms of a presidential decree which, based on available information, has not been issued to this day (Article 13 of law 5002 of 2022).

3. What kind of data, if any, could be collected with spyware?

Since the presidential decree provided for by Article 13 of law 5002 of 2002 has not yet been issued, there are no indications to this day about the kind of data that can be legally collected by spyware by State agencies.

4. Has there been any official evaluation of the need for, or added value of, spyware?

N/A

5.Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?

Article 19 of the Greek Constitution provides that surveillance may be ordered by the “judicial authority” for two reasons: first for reasons of national security and, second, for the purpose of investigating serious crimes.
In the case of surveillance for reasons of national security, as provided by Article 4 of law 5002/2022, the relevant order (διάταξη) is issued by the competent prosecutor following a request by EYP. The request should mention the reasons for which it is believed that national security is endangered. However, the competent prosecutor is detached (απoσπασμένος) on a full-time assignment tο EYP (under Article 5§3 of law 3649/2008) and his independence is thereof often contested. The EYP’s prosecutor’s order must be confirmed by a second (high-ranked) prosecutor who serves either at the Court of Appeals or at the Supreme Court (Areios Pagos). As provided, both prosecutors must deliver in 24 hours after EYP’ request has been submitted. Their order, however, is not supposed to reveal the reasons of the surveillance. Moreover, since it does not derive from an administrative agent but from the judiciary, it cannot be contested as such by way of a petition for annulment.
In the case of “serious crimes” -which, by the way, are enumerated by Article 6 of law 5002 of 2022- surveillance is ordered by the prosecutor who is in charge of the investigation of the relevant crime, following a request by the Directorate of Serious Crimes of the Greek Police.
Law 5002 of 2022 devotes a special section to the surveillance for national security purposes of “political persons” («πολιτικά πρόσωπα», Article 4§3). Beyond the head of the State, the Prime Minister, Ministers and MPs that term also includes local authorities’ officials. For the surveillance of these persons, before submitting a request to the competent prosecutor (see hereabove), EYP’s commander should seek the approval of the Speaker of the House of Representatives (the “Vouli”).

6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?

Article 19 of the Greek Constitution, provides for an « independent authority », with competence to « ensure the secrecy » referred to in the 1st paragraph of the same Article. That authority is the Hellenic Authority for Communication Security and Privacy (Aρχή Διασφάλισης του Απορρήτου Επικοινωνιών, ΑDΑΕ), which was created in 1994 and renamed ADAE by law 3115 of 2003. ADAE is one of the five independent authorities expressly provided for by the Greek Constitution. Its powers, however, have been seriously contested in the last few years both by EYP and by the judiciary.
EYP, for instance, refuses to disclose the reasons why a leader of an opposition party has been surveilled, in spite of a unanimous verdict ordering the opposite by the plenum of the Council of State, that is Greece’s Supreme Administrative Court, which upheld a petition for annulment of the said leader (ΣτΕ(Ολ.)465/2024).
As for the Judiciary, in January 2023, Greece’s Prosecutor General (Εισαγγελέας του Αρείου Πάγο) issued an Opinion (Γνωμοδότηση) addressed to OTE (the country’s most important telecommunications provider) instructing it, whenever it is seized on issues connected to national security, to obey orders emanating only from the judiciary and not from ADAE, since, under Article 19 of the Greek Constitution, ADAE is allegedly subordinated to the judiciary.
The other oversight mechanism in place for the activities of the security services is the Hellenic Data Protection Authority ( Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), provided for by law 2472/1997.

7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individual targeted by measures of targeted surveillance?

Article 4 para. 3 of law 5002/2022 provides for the procedure which has to be followed for the notification of targeted individuals after the surveillance has ended. There is no provision that the latter is notified that his communications have been intercepted. Therefore, interested individuals, should they suspect that they have been targeted, must submit a request thereof to ADAE, which, thereafter, submits it to ADAE. The law provides however that such requests are admissible only after the elapse time-period of three years from the termination of the surveillance.
Neither ADAE nor EYP can decide thereof, but a three-member committee, composed by EYP’s prosecutor, the high ranked second prosecutor in charge with the file (see answer to question 5) and the president of ADAE. That committee may satisfy the demand only if it considers that the disclosure does not jeopardize the scope for which the specific surveillance had been imposed. What is even more important, should that committee decide to notify the interested person, the law provides that no other information is notified to him but that his communications had indeed been intercepted for the disclosed period of time. Nevertheless, all information concerning the reasons why the surveillance was imposed are to be withheld.
It is clear from the above that no adequate protection is provided for individuals targeted. Beyond the mandatory three-year period that must elapse for the latter to initiate the above procedure, it is doubtful that even if duly notified, interested persons will obtain sufficient evidence to seek judicial protection.