Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/
1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?
There is no explicit authorization for the use of spyware in criminal or intelligence investigations in Iceland. However, prosecutors and the police can obtain a court order to listen to or record phone calls during criminal investigations. Access to electronic communications data, however, does not always require a court order, as it can be granted with the user’s consent.
2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?
There are two ways of approaching this question: First, electronic surveillance of content (subject matter) and second, monitoring data from electronic communication such as A calling B at a specific time (without accessing the content of communication).
3. What kind of data, if any, could be collected with spyware?
The Electronic Communications Act contains a provision authorizing the use of cookies, cf., paragraph 2 of Article 88, which states:
4. Has there been any official evaluation of the need for, or added value of, spyware?
A consultation process was conducted regarding the permission to store telecommunications data for criminal investigations. It is important to note in this respect that the Data Retention Directive (Directive 2006/24/EC) was declared invalid in 2014 by the Court of Justice of the EU. This ruling, made in response to a case brought by Digital Rights Ireland against the Irish authorities, found that blanket data collection violated the right to privacy.
5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?
This is the task of the police and the prosecutor, based on a court order in cases of listening, as previously described.
6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?
The Police Monitoring Committee, an independent administrative body, was established on 1 January 2017. Its main role is to receive notifications from citizens regarding alleged criminal conduct of the police, improper police working methods or misbehavior. The Committee operates under the Police Act No. 90/1996, cf., Act No. 62/2016, and Regulation No. 222/2017. Court orders permitting surveillance, such as listening, may be appealed to the Court of Appeal (Landsréttur).
7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?
N/A
Iceland
The legal framework consists of a joint reading of Chapter XIII of the Electronic Communications Act No. 70/2022 and Chapter XI of the Code of Criminal Procedure No. 88/2008.
In connection with proposed amendments to the Criminal Code (addressing the retrieval of profits, internet crimes etc., in line with international treaty obligations), the Ministry of Justice initiated a consultation process. This process anticipated amendments to provisions concerning the search and seizure of electronic data and the use of listening devices.
An electronic communications undertaking in Iceland must comply with police instructions in criminal investigations, provided these instructions are supported by a court order or legal authorization, cf. Article 92 of the Electronic Communications Act No. 70/2022 and the Criminal Code No. 88/2008.
According to the Electronic Communications Act, any kind of processing of electronic communications, including storage, listening, recording or interception, is unauthorised, unless this is done with the informed consent of a user or according to legal authorisation, cf., Article 88, paragraph 1. This applies to the content of electronic communication, i.e. phone calls and SMS texts.
Police authorisation is based on section XI of the Criminal Code: “Telephone tapping and other comparable measures”. The explanatory report of the Criminal Code clarifies that under Article 80 of the Criminal Code, such measures allow access to data on telephone calls and other telecommunication, excluding the content.
On the other hand, Article 81 of the Criminal Code provides that subject to the conditions stated in Article 83 and the first paragraph of Article 84, telecoms may be required, in the interests of an investigation, to permit the tapping or recording of telephone calls or other telecommunications with a specific telephone, computer or other type of telecommunications device, or with a telephone, computer or other type of telecommunications device owned by or at the disposal of a specific person. Furthermore, subject to the same conditions, the police may be permitted to monitor or record telecommunications with equipment designed for this purpose.
It is always mandatory to base a request on a court order for listening or recording phone calls, cf., Articles 81 and 84 of the Criminal Code. It is however obligatory to grant information on the basis of Article 80 of the Criminal Code if the unequivocal consent of the person in charge, and the actual user of the telephone, computer or other telecommunications device, has been given.
The investigative measures listed in Articles 80-82 of the Criminal Code always require a court order. According to Article 83, certain conditions must be fulfilled to be granted permission to carry out such measures: there must be reason to expect that information that may be of great significance for the investigation of a case will be obtained in that way. In addition to what is stated in the first paragraph, a condition that must be met in order to apply measures under Article 81 and the first paragraph of Article 82 is that the investigation must be directed towards an offence that may entail six years’ imprisonment according to law and that it is demanded by substantial public or private interests.
Under Article 84, a court ruling must specify the telephone or other telecommunications device involved, or identify the owner or person in charge of the telecommunications device (cf. Articles 80 and 81), or detail the method used to record sound, take visual images, monitor individuals or place tracking devices (cf. Article 82), including the location of these actions. Furthermore, authorisation to take measures is limited to a specified period, not exceeding four weeks per instance.
According to Article 82, paragraph 2, sound recordings or images of people may be taken, and individuals may be monitored in the interests of an investigation, in public places or in places to which the public has access without the conditions of Article 83 and the first paragraph of Article 84 being met. Regarding this, the Electronic Communications Act contains a provision on electronic communications data (Article 89).
Electronic communications undertakings are required to store data for six months and provide it to the police based on a court order or without a court order if the unequivocal consent of the person in charge, and the actual user of the telephone, computer or other telecommunications device, has been given, cf., Article 92 of the Electronic Communications Act, and Articles 80 and 84 of the Criminal Code. There is hence not an implicit requirement for a court order.
The purpose of data storage is to ensure that the electronic communications undertakings can provide information about which customer was using a specific telephone number, IP-address, or user name. This includes details of all user communications, the dates, recipients, and the volume of data transmitted, as well as the telephone number used during a specified period.
It should be noted that the Ministry of Justice plans to revise the procedural rules regarding phone recordings and related measures. The revision will assess the need for amendments in line with the Budapest Convention and updates to domestic laws since its ratification, such as the Electronic Communications Act.
The use of any kind of system and equipment, including software, which collects and/or stores information about activities or communications of user in his terminal equipment, provides access to information stored in his terminal device or monitors his activities is unauthorised, unless according to informed consent of the user or according to legal authorisation. Despite this, the use of such equipment is authorised to attain access to information and/or to technical storage for a lawful purpose and with the knowledge of the user in question.
The explanatory report on Article 88, addressing the confidentiality of electronic communication, includes a discussion on this issue.