Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

www.venice.coe.int

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/


  Malta

1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

Spyware use is not specifically regulated; consequently, it would fall under general targeted surveillance measures. Indeed, Malta’s existing laws on surveillance appear fragmented and do not address the use of advanced spyware tools. The legal provisions primarily focus on traditional surveillance methods.

2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?

The Malta Security Service (MSS) and law enforcement agencies are the primary entities permitted to employ surveillance tools, including spyware, for national security and criminal investigation purposes. These activities must comply with the Security Services Act and Criminal Code, which outline the conditions under which surveillance can be authorized. Specific regulations also address data protection and privacy compliance under Maltese law.
Surveillance is restricted to cases where there is a significant threat to public safety, such as organized crime, terrorism, and severe criminal activities. The use of spyware or similar technology is monitored to prevent abuse, and only minimal data necessary for the investigation is collected.

3. What kind of data, if any, could be collected with spyware?

/

4. Has there been any official evaluation of the need for, or added value of, spyware?

/

5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?

The system of authorisations for surveillance and the system of oversight are dependent on the Executive. Under Chapter 391 of the Security Service Act, the Security Service of Malta can obtain authorisation for interception or interference with communications by means of a warrant issued by the Minister responsible for the Security Service, that is, as a norm, the Minister for Home Affairs. The law also applies to criminal proceedings.

6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?

In Malta, there is neither parliamentary nor judicial oversight of the Security Service. The operations of the Security Service are overseen by the responsible Minister (executive control), the Commissioner of the Security Service (an expert body) and the Security Committee (formed by members of the executive).
The Commissioner for the Security Services oversees the activities of the intelligence agencies. The Commissioner, appointed by the Prime Minister, is either a judge of the superior courts or an officer of the Attorney General. According to Chapter 391 of the Security Service Act, the Commissioner has the power to investigate complaints about the Security Service. Indeed, according to the same article, “any person may complain to the Commissioner if he is aggrieved by anything which he believes the Security Service has done in relation to him or to any property of his.”
Moreover, Malta also has a Security Committee, which is composed of the Prime Minister, the Minister responsible for the Security Service, the Minister for Foreign Affairs, and the Leader of the Opposition. This Committee examines expenditure, administration, and policy of the Security Service and is also required to write an annual report on the discharge of its functions.
On the other hand, according to Chapter 586 of the Data Protection Act, the Office of the Information and Data Protection Commissioner (IDPC) does not have the competence to supervise the data processing activities of the Maltese Security Service, nor has any power to take action against the Security Service.

7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?

/