Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

www.venice.coe.int

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/


  Netherlands

1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

Law enforcement authorities:
Yes. In the execution of the special investigative power in Article 126nba of the Dutch Code of Criminal Procedure, which allows for the penetration of computer systems used by suspects, law enforcement authorities may utilise a ‘technical device’. This interpretation is clarified in the explanatory report of the Computer Crime Act III (Parliamentary Series II 2015-2016, 34372, no. 3, p. 10). ‘Technical devices’ are further defined and regulated in other legislation, most notably in the Regulation of Technical Devices in Criminal Procedural Law (published on 11 July 2018).
Intelligence and security services:
Yes. Intelligence and security services are authorised to ‘penetrate computer systems’ using ‘technical devices’ under Article 45 of the Dutch Act on Security and Intelligence Services. This authority includes the use of technical devices to ‘decrypt data stored or processed in automated systems’ and to ‘take over data stored or processed in automated systems’ (Article 45(b)(d)). The explanatory report of the Act on Security and Intelligence Services explicitly states that this may involve the installation of software on devices such as laptops and smartphones (Parliamentary Series II 2016-2017, 34588, no. 3, p. 79). The term ‘technical devices’ for intelligence and security services is not further defined in other laws.

2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?

Law enforcement authorities:
Yes, there are many detailed rules in place on ‘targeted surveillance’. The hacking power in Article 126nba DCCP (for regular criminal investigations), Article 126uba (for criminal investigations into organised crime) and Article 126zpa (for investigations into terrorist crimes) refers in 126nba(1)(b) DCCP to ‘targeted surveillance’ through wiretapping (Article 126m DCCP) and ‘direct listening’ (e.g., by activating a microphone) in Article 126t DCCP. The use of this power is restricted to ‘devices in use by suspects’ and limited in scope and duration. Further regulations for ‘Investigations in computers’ (2018) contain rules regarding the crimes for which the investigatory power can be used (e.g., serious crimes, sex crimes, and computer crimes) (Article 2), the expertise of investigating officers (Articles 3-4), the recording of data on the execution of an order in log files (Articles 5-7), technical requirements for a technical tool for conducting investigative actions (Articles 8-13), the inspection of technical tools (Articles 14-20), the execution of the order (Articles 21-28), and provisions for storing data (Article 29). More regulations for use of hacking powers with ‘technical devices’ can also be found in the Regulation of technical devices in criminal procedural law (published on 11 July 2018). Regulations and definitions for the use of ‘targeted surveillance’ (referring to Article 126m DCCP and Article 126l DCCP) can be found in the ‘Instructions for use of special investigative powers’ (of 2014). Regulations for wiretapping and obligations for providers of public telecommunication networks and services can be found in Section 13 of the Dutch Telecommunications Act.
Intelligence and security services:
Yes, there are detailed rules available for the use of hacking and its combination with targeted surveillance in the Act on Intelligence and Security Services 2017. The use of hacking in combination with ‘targeted interception’ is specified in Article 45(2)(c) of the Act on intelligence and security services. The use of this investigative power is limited in scope and duration. Intelligence and security services can employ the investigative power of hacking when targets (individuals or organisations) pose a threat to the national security or democratic order of the Netherlands (see Article 8(2)(a) and 10(2)(a) of the Act on intelligence and security services). The use of targeted surveillance measures is also regulated in Article 47 of the Act on Intelligence and Security Services 2017. Similar detailed regulations apply regarding the scope, duration, and authorisation, as with the hacking power. Further regulations for wiretapping and obligations for providers of public telecommunication networks and services can also be found in Section 13 of the Dutch Telecommunications Act.

3. What kind of data, if any, could be collected with spyware?

Law enforcement authorities:
Yes. In 2022, the Research and Data Centre of the Dutch Ministry of Justice and Security published an evaluation report on the Dutch hacking power for law enforcement authorities. It is an empirical study into the implementation of the hacking power (Article 126nba, 126uba, 126zpa DCCP). Between March 2019 and March 2021, the hacking power was issued in 26 criminal investigations. It has been used in criminal investigations into more serious forms of traditional crime such as (attempted) murder, cases involving narcotics, falsification of documents, money laundering, sexual offences, terrorism offences, and membership of a criminal organisation. The report clarified that the Dutch police used a commercial tool in the ‘vast majority’ of cases. The name of the commercial tool(s) used is not public.
Intelligence and Security Services:
Yes. The entire Act on intelligence and security services was evaluated in 2020, including the hacking power in Article 45. However, its focus was not on ‘targeted surveillance’ but rather on the use of hacking at organisations and the acquisition of bulk datasets. Following reports from oversight bodies, it recommended improvements for the reconnaissance phase in the use of hacking powers and regulations for acquiring and processing bulk datasets. These regulations are, in part, implemented in the recent legislation focusing on ‘State actors with cyber programs’ (2024).

4. Has there been any official evaluation of the need for, or added value of, spyware?

Law enforcement authorities:
Yes. In 2022, the Research and Data Centre of the Dutch Ministry of Justice and Security published an evaluation report on the Dutch hacking power for law enforcement authorities. It is an empirical study into the implementation of the hacking power (Article 126nba, 126uba, 126zpa DCCP).
Between March 2019 and March 2021, the hacking power was issued in 26 criminal investigations. It has been used in criminal investigations into more serious forms of traditional crime such as (attempted) murder, cases involving narcotics, falsification of documents, money laundering, sexual offences, terrorism offences, and membership of a criminal organisation. The report clarified that the Dutch police used a commercial tool in the ‘vast majority’ of cases. The name of the commercial tool(s) used is not public.
Intelligence and Security Services:
Yes. The entire Act on intelligence and security services was evaluated in 2020, including the hacking power in Article 45. However, its focus was not on ‘targeted surveillance’ but rather on the use of hacking at organisations and the acquisition of bulk datasets. Following reports from oversight bodies, it recommended improvements for the reconnaissance phase in the use of hacking powers and regulations for acquiring and processing bulk datasets. These regulations are, in part, implemented in the recent legislation focusing on ‘State actors with cyber programs’ (2024).

5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?

Law enforcement authorities:
Prior authorisation is required from a public prosecutor and examining judge of a Dutch court to use the investigative power in Article 126nba DCCP.
Intelligence and Security Services:
Yes, prior authorisation is required from the head of service of the General Intelligence and Security Service (AIVD) or the Military Intelligence and Security Service (MIVD). A minister must authorise the use of this investigative power in Article 45 Act on intelligence and security services. The Investigatory Powers Commission (TIB) conducts a review of the lawfulness of using this power prior to its use (i.e., the penetration of a computer system).

6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?

Law enforcement authorities:
There are several oversight bodies involved. Judges can remedy the unlawful use of investigatory powers during trial. The Inspection Authority of the Ministry of Justice and Security has a special mandate to check (mostly procedures) the use of hacking as an investigative power. They report annually but have no binding remedial powers. They first published about the use of (commercial) hacking tools by the Dutch National Police (specifically, its ‘Digital Intrusion Team’). In 2022, the Procurator General of the Dutch Supreme Court and his office also published a report as part of the oversight function on the Dutch Public Prosecutors Office. The Procurator General’s office found that between 2019-2021, a ‘technical device’ was used in 36 cases. Commercial tools were used in 33 out of 36 cases. In all investigated cases, the use of hacking power was deemed proportionate. This oversight body has no remedial powers. The Data Protection Authority conducts oversight on the processing of personal data by the police. They did not publish any reports relating to the lawfulness of hacking as an investigative power. As an administrative body, they do have remedial powers.
Intelligence and security services:
The Dutch Review Committee on Intelligence and Security Services (CTIVD) is the oversight body for intelligence and security services. As mentioned, the Investigatory Powers Commission (TIB) conducts a prior review of the lawfulness of the hacking power. The TIB has binding powers: if it is not lawful, the investigatory power cannot be applied. The CTIVD conducts oversight during the application of hacking as an investigative power, i.e., to test the technical risks involved and which devices are targeted. It also publishes reports about the lawfulness of hacking as an investigative power, such as report no. 39 (2014), no. 53 (2017) and no. 70 (2019). However, as part of new legislation relating to ‘State actors with cyber programs’ in 2024, the CTIVD has limited binding powers in its oversight relating to hacking powers. Under this new legislation, intelligence and security services can appeal a decision of the TIB and CTIVD, and a judge can decide on this. There is no judgment available yet. Individuals who believe they have been treated unlawfully or unfairly by the intelligence and security services can file a complaint with the Minister of the Interior and Kingdom Relations or the Minister of Defence. If they are dissatisfied with how their complaint was handled, they can file a complaint with the CTIVD. Under certain circumstances, they can report the complaint to the CTIVD directly, such as when they cannot reasonably be expected to first file the complaint with the responsible minister. The complaints department can issue binding decisions after unlawful conduct by the intelligence and security services. This occurred in 2022, following complaints from an NGO about the unlawful processing and storage of bulk datasets. Five bulk datasets had to be destroyed. Decisions are published (anonymously) on the CTIVD website.
If the Cabinet is the object of a motion (or other expression) of no-confidence, it has to tender its resignation. In theory it might be possible that the Cabinet remains in charge, dissolves the Chamber and waits for the result of the election of the new Chamber, hoping for a positive outcome: a so-called ‘conflict dissolution’. However, since 1922 the practice is that the Cabinet members tender their resignations on the eve of the elections (whether a periodic election or because of dissolution of the Chamber). Some qualify the 1922 practice as a binding convention (customary constitutional law), but others believe this still is mere political practice. What surely is a binding convention, already established in the 19th century, is that a Cabinet that dissolved the Chamber and remains in charge, waiting for the election results, when again confronted with a motion of no-confidence has to tender its resignation. Of course, in this system the motion of no-confidence is not accompanied by a proposal for a new Cabinet/Prime Minister: what Cabinet will take office will be decided by the elections and subsequent formation.
It has to be stressed that 1939 was the last time an explicit motion of no-confidence against a Cabinet has been accepted by the Chamber, leading to the resignation of the Cabinet. As observed in Answer 8 there are other ways leading to a conclusion of no confidence.

7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?

Law enforcement:
Yes, a post-surveillance notification procedure exists in Dutch criminal procedural law. Informing the person involved in the application of a special investigative power is regulated in Article 126bb DCCP, which includes the use of hacking powers in Article 126nba, 126uba and 126zpa DCCP. The notification must take place as soon as possible but does not occur when this is ‘reasonably not possible’ or when individuals are automatically notified in pending criminal procedures. Individuals involved can also file a complaint with the Dutch Data Protection Authority.
Intelligence and security services:
Yes, a post-surveillance notification mechanism exists in Article 59(1) of the Act on Intelligence and Security Services. In principle, individuals involved in the application of an investigative power must be informed five years after the termination of the investigative power. Notification is not required when (a) sources of a service, including intelligence and security services of other countries, are disclosed; (b) relations with other countries and with international organisations are seriously harmed; or (c) a specific application of a method (modus operandi) or the identity of the person who assisted the service in applying the method is disclosed. The Dutch Review Committee on Intelligence and Security Services actively reviews these obligations, as shown in a recent publication in 2024. Individuals who are notified can file a complaint or seek compensation in civil proceedings at a court.