Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site : https://www.venice.coe.int/
1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?
Serbian legal framework does not explicitly mention “spyware” as a term, so there is no neither explicit allowance nor explicit prohibition on the use of “spyware”. Consequently, there is no specific legal definition of “spyware” in the current legal framework of the Republic of Serbia.
2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?
The Constitution of the Republic of Serbia guarantees the confidentiality of letters and other means of communication. It is prescribed that confidentiality of letters and other means of communication shall be inviolable. Derogation shall be allowed only for a specified period and based on decision of the court if necessary to conduct criminal proceedings or protect the safety of the Republic of Serbia, in a manner stipulated by the law.
3. What kind of data, if any, could be collected with spyware?
In Article 179 of the Code of Criminal Procedure entitled "Order on search of computer data" it is prescribed that the order issued by the judge contains a description of the data that needs to be searched and processed. The law does not specify exactly what the data can be, but from the general provisions it is clear that it is about the data needed to conduct a criminal investigation for specific criminal offenses prescribed by this law.
4. Has there been any official evaluation of the need for, or added value of, spyware?
According to official information, it is not.
5.Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?
Judiciary. The authorisation (deciding on) of the measures of targeted surveillance in criminal and intelligence investigations is exclusively within the jurisdiction of the court.
6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?
The national oversight of the activities of the security services in the Republic of Serbia involves a combination of various mechanisms (judicial, parliamentary, executive, and expert).
7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individual targeted by measures of targeted surveillance?
This question is, so far, regulated in the Criminal Procedure Code under the Article 163 “Handling Collected Materials”:
Serbia
One of the fundamental principles of the Serbian Constitution is direct Implementation of guaranteed rights. Article 18 stipulates that human and minority rights guaranteed by the Constitution shall be implemented directly. The Constitution shall guarantee, and as such, directly implement human and minority rights guaranteed by the generally accepted rules of international law, ratified international treaties and laws. Provisions on human and minority rights shall be interpreted to the benefit of promoting values of a democratic society, pursuant to valid international standards in human and minority rights, as well as the practice of international institutions that supervise their implementation. Consequently, the European Convention on Human Rights and its Article 8 that provides a right to respect for one's " private and family life, his home and his correspondence” form an integral part of legal system of the Republic Serbia.
As above mentioned, the Serbian law does not explicitly mention “spayware”, but there are regulations governing surveillance and the use of monitoring tools in both criminal investigations and intelligence operations, in accordance with the Constitution of the Republic of Serbia. There are general rules on targeted surveillance that in practice could be apply on “spyware” as well. According to the Law on Security Information Agency (Article 13) special measures which deviate from inviolability of secrecy of letters and other means of communication are:
1) secret surveillance and recording of communications, regardless of the form and technical means used for it, or surveillance of electronic or any other address;
2) secret surveillance and recording of communications in public places and places with limited access or in premises;
3) statistical electronic surveillance of communications and information systems with aim to obtain data on communication or location of used mobile terminal equipment;
4) computer search of already processed personal and other data and their comparing with data acquired through the application of measures stipulated in points 1) - 3) of this paragraph. Secret surveillance and recording of locations, premises and objects, including devices for automatic data processing and equipment used or potentially used for storing of electronic records, may be approved with special measures from paragraph 1, points 1) and 2) of this Article.
Article 14 of the same Law stipulates that special measures may be prescribed against an individual, group or organization when there are grounds for suspicion that they are conducting or preparing acts directed against the security of the Republic of Serbia, and when the circumstances of the case indicate that those acts could not be otherwise detected, prevented or proved, or that it would cause extreme difficulties or substantial danger. While deliberating on prescribing and duration of special measures, it shall particularly be taken into a consideration whether the same result could be acquired in a manner less restrictive for citizens’ rights, in a volume necessary for fulfilling the purpose of limitation in a democratic society.
The use of “spyware” could be covered also by Special evidentiary actions (measures) defined in the Code of Criminal Procedure.
According to the Article 161 of the Code special evidentiary actions may be ordered against a person for whom there are grounds for suspicion that he/she has committed a criminal offence referred to in Article 162 of this Code, and evidence for criminal prosecution cannot be acquired in another manner, or their gathering would be significantly hampered. Special evidentiary actions may also exceptionally be ordered against a person for whom there are grounds for suspicion that he/she is preparing one of the criminal offences referred to in paragraph 1 of this Article, and the circumstances of the case indicate that the criminal offence could not be detected, prevented or proved in another way, or that it would cause disproportionate difficulties or a substantial danger.
In deciding on ordering and the duration of special evidentiary actions, the authority conducting proceedings shall especially consider whether the same result could be achieved in a manner less restrictive to citizens’ rights.
Depending on the grounds, reasons and types of surveillance measures, the court makes a decision based on the reasoned proposal of the public prosecutor or the director of the Security Information Agency.
- According to the Law on Security Information Agency (Article 15), if conditions stipulated by this Law are met, court may order the application of a special measure based on substantiated proposal of the Director of the Agency. Decision on this proposal shall be made by the President of the Higher Court in Belgrade, i.e. judge whom he shall delegate among judges from the Special department of that Court, which, according to the law, processes cases dealing with criminal offences relating to organized crime, corruption and other particularly severe criminal offences.
If the Court adopts proposal for prescribing of a special measure, it shall issue an order. The order prescribing a special measure shall include title of the special measure, data available on an individual, group or organization against which it shall be applied, reasons stating that conditions (from Article 14 of this Law) are met, manner of application, extent and duration of the special measure. Special measure may be in effect for three months, and due to necessity of detection, prevention or collection of evidence, it may be prolonged not more than three times, each time for three months period. Application of the special measure shall be discontinued when reasons for its application cease to exist.
- According to the Criminal Procedure Code, if the conditions stipulated by this Law are fulfilled, acting on a reasoned request by the public prosecutor, the court may order supervision and recording of communications conducted by telephone or other technical means or surveillance of the electronic or other address of a suspect and the seizure of letters and other parcels.
The special evidentiary action shall be ordered by the judge for preliminary proceedings by a reasoned order. The order shall contain available data on the person against whom the covert interception of communication is being ordered, legal designation of the criminal offence, designation of a known telephone number or address of the suspect or telephone number or address for which grounds exist for suspicion that the suspect is using, the reasons on which the suspicion is founded, manner of conduct, scope and duration of the special evidentiary action.
The order shall be executed by the police, Security Information Agency or Military Security Agency. Daily reports shall be made on the conduct of the covert interception of communication and together with the collected recordings of communications, letters or other parcels shall be sent to the suspect or sent by the suspect, delivered to the judge for preliminary proceedings and the public prosecutor at their request.
The same procedure is prescribed for another Special Evidentiary Actions that can be related to spyware and that is Computer Data Search. If the conditions of this Code are fulfilled, acting on a reasoned motion by the public prosecutor the court may order computer searches of already processed personal data and other data and their comparison with data relating to the suspect and the criminal offence.
This special evidentiary action shall be ordered by the judge for preliminary proceedings by a reasoned order. The order shall contain data on the suspect, the statutory title of the criminal offence, description of the data it is necessary to search and process by computer, designation of the state authority which is required to conduct the search of the requested data, scope and duration of the special evidentiary action.
This order shall be executed by the police, Security Information Agency, Military Security Agency, customs service, tax administration or other services or other public authority, or a legal person vested with public authority on the basis of the law.
As regards the judicial oversight the Constitutional Court of Serbia can review the constitutionality of laws and regulations, including those related to the security services. Thus, if a citizen believes their rights have been violated by the actions of the security services, they can challenge these actions submitting constitutional complaint. Individuals can also seek redress through regular courts if they believe that their rights have been violated by the security services. Judicial decisions have binding remedial powers.
According to the Law on Security Information Agency (Article 17- Work Control), the Director of the Agency shall be under obligation to submit a work report of the Agency and on the security status of the Republic of Serbia to the National Assembly and the Government of the Republic of Serbia twice a year. In performing activities from its field of work, the Agency shall be obliged to comply with basic principles and guidelines of the Government, which refer to security-intelligence policy of the Republic of Serbia (Article 18.)
As regards the parliamentary oversight, the National Assembly has a special Security Services Control Committee which according to the Rules of Procedure of the National Assembly shall:
-supervise the constitutionality and legality of the work of security services;
-supervise conformity of the work of security services with the National Security Strategy, the Defence Strategy and the Security and Intelligence Policy of the Republic of Serbia;
-supervise preservation of political, ideological and interest neutrality in the work of the security services;
-supervise the legality of the application of special procedures and measures for secret collection of data;
-consider proposal of budget resources necessary for the work of security services and supervise the legality of budget and other resources spending;
-consider and adopt reports on the work of the security services;
-consider Bills, other regulations and general acts from the scope of work of the services;
-launch initiatives and submit Bills from the scope of work of the services;
-consider proposals, petitions and complaints of citizens addressed to the National Assembly regarding the work of the security services and propose measures to resolve them, and notifies the applicant thereof;
-determine facts on identified illegal acts or irregularities found in the work of the security services and their personnel and deliver conclusions thereon;
-inform the National Assembly on its conclusions and proposals.
The executive branch, particularly the Ministry of the Interior and the Ministry of Defence, oversees various security services. These ministries have administrative and operational oversight responsibilities.
It should be mentioned as well the expert oversight through the work of the Commissioner for Information of Public Importance and Personal Data Protection. This body oversees compliance with laws related to information and data protection. While not exclusively focused on security services, it can address issues related to personal data handling by these agencies.
If the public prosecutor does not initiate criminal proceedings within six months of the date of first examining the materials collected by applying special evidentiary actions or if he/she declares that he/she shall not use them in the proceedings or that he/she shall not request the conduct of proceedings against the suspect, the judge for preliminary proceedings shall issue a ruling on the destruction of the collected materials.
The judge for preliminary proceedings may inform the person against whom a special evidentiary action was conducted about the issuance of the ruling referred to in paragraph 1 of this Article, if during the conduct of the action his/her identity was established and if it would not threaten the possibility of conducting criminal proceedings.
The materials shall be destroyed under the supervision of the judge for preliminary proceedings who shall make a record thereof.
If during the performance of the special evidentiary actions it was acted in contravention of the provisions of this Code or an order of the authority conducting proceedings, the court’s decision may not be based on the data collected and the collected material shall be treated as unlawful evidence.