Last update: 02/01/2023

The European Data Protection Board has published its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data as well as Recommendations 02/2020 on the European Essential Guarantees as an update of the previous Art. 29 Working Party WP 237 after the Schrems II judgment. You can also download an unofficial Redline for the latter Recommendations.

When conducting Transfer Impact Assessments (“TIAs”), please also pay attention to the Human Rights Reports available for the data importer’s jurisdiction:


Click on a ➕ country to see a preliminary, non-binding assessment of compliance with the “European Essential Guarantees” and ECtHR case law by an expert contributor. Thanks to their voluntary commitment, the EEGG (European Essential Guarantees Guide) is constantly growing and remains as up-to-date as possible.

Country | 🇪🇺 Adequacy | 🇬🇧 Adequacy | 🇨🇭 Adequacy | 🇲🇨 Adequacy | 🇷🇺 Adequacy (Roskomnadzor) | 🇷🇸 Adequacy (Poverenik) | SCC/Model Clauses | CoE 108 (Data Protection) | CoE 108+ (223) (Data Protection) | CoE 185 (Cybercrime) | OECD Guidelines 2013 (Protection of Privacy and Transborder Flows of Personal Data, 2013) | RCEP Member | CPTPP Signatory | Local Expert | Guarantee A: Is processing based on clear, precise and accessible rules (legal basis)? | Guarantee B: Are necessity and proportionality with regard to legitimate objectives pursued demonstrated? | Guarantee C: Is processing subject to an independent oversight mechanism? | Guarantee D: Are effective remedies available to the individual? | Additional Information
Andorra | Europe | AD | ✔️ (See here) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | S, R, E: 01/09/2008 | S | S, R, E: 01/03/2017
United Arab Emirates | Asia | AE | Dubai International Financial Centre (DIFC) as a potential future candidate (p. 52) for adequacy?
ADGM Standard Contractual Clauses under Article 42(2) of the Regulations to transfer personal data from the ADGM to a third party located in a third country or jurisdiction that does not provide an adequate level of protection.

DIFC Standard Contractual Clauses (DIFC SCCs) as a combination of the EU and the UK SCCs "for ease of use across as many jurisdictions as possible", providing additional safeguards in accordance with DP Law 2020, Article 27(2)(c) and as prescribed in Regulation 5 of the DIFC DP Regulations 2020.
Luna de Lange
Afghanistan | Asia | 🇦🇫
Antigua and Barbuda | North America | AG
Anguilla | North America | AI
Albania | Europe | AL | ✔️ | ✔️ | S, R, E: 01/06/2005 | S, R, E: 01/07/2004 | Emirjon Marku

Yes.

Article 35 of the Albanian Constitution and articles 5 - 7 and 12 - 16 of the law no. 9887, dated 10.03.2008 “On personal data protection” as amended (“Data Protection Law” or “DPL”) provide for the obligation of the data controller to conduct processing activities, inter alia, based on clear, precise and accessible rules.

On the other hand, the interception of communications is specifically regulated under the provisions of the Albanian Criminal Procedure Code, in harmony with the provisions of legislation governing the telecommunication sector.

In any case, the criteria are inherent to the abovementioned provisions of the Albanian legislation.

Albanian legislation does not entitle public authorities to have access to data subjects’ personal data on a generalised basis (including the data sourced through electronic communications).

As such, the principles of article 5, and legal criteria set out under article 6, of DPL provide for several obligations which the public authorities should account to when processing one’s personal data.

Such principles include, without limitation, the obligation of public authorities to process personal data (i) on a fair and lawful basis, (ii) in accordance with the relevant legitimate purposes and in a manner that is not incompatible therewith (i.e. purpose limitation), (iii) limitation of processing to what is necessary to the relevant purpose thereof (i.e. data minimisation), (iv) processing (i.e. including, storing) of personal data for no longer than is necessary for achievement of the purpose of the processing (i.e. storage limitation), etc.

According to articles 29 - 38/a of DPL, the competent authority for the supervision and monitoring of the personal data processing and the respecting of the individuals’ right for personal data protection and privacy is the Commissioner for Freedom of Information and Personal Data Protection (the “Commissioner”).

The Commissioner is an independent authority, appointed by the Albanian Parliament for a term of 5 years (renewable).

The Commissioner reports to the Albanian Parliament at least once a year and whenever deemed necessary by and/or is of interest of the latter.

The Commissioner might initiate administrative investigations at any time, irrespective of whether based on a complaint of a data subject or ex officio.

Articles 12 - 15 of DPL confer onto the data subjects the right to seek access to their personal data, the right to seek the blocking of further processing thereof, and the right to seek correction or erasure of their personal data that are, inter alia, untrue, incomplete or processed/collected in violation of the provisions of DPL.

According to article 16 of DPL, any individual is entitled to file a complaint with the Office of the Commissioner.

According to article 32 of DPL, any data controller is obliged to cooperate with the Commissioner’s inspectors during the relevant administrative proceedings. To this effect, the Commissioner, in order to properly carry out its legal tasks and duties, is entitled to access the ICT systems used by any data controller for personal data processing activities and/or for archiving purposes.

Moreover, any individual is entitled to seek before court the damage relief in relation to the unlawful processing activities of a data controller (art. 17 of DPL).

For further information please consult the Commissioner’s website: https://www.idp.al/?lang=en

Armenia | Europe | AM | ✔️ | ✔️ | S, R, E: 01/09/2012 | S | S, R, E: 01/02/2007
Angola | Africa | AO | ✔️ (See here or here) | Paulo Pedro
Antarctica | AQ
Argentina | South America | AR | ✔️ (See here) | ✔️ | ✔️ | ✔️ (See here) | ✔️ | Disposición 60 - E/2016: Contrato modelo de transferencia internacional de datos personales con motivo de la cesión de datos personales (Anexo I) and Contrato modelo de transferencia internacional de datos personales con motivo de prestación de servicios (Anexo II). The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | R (Accession), E: 01/06/2019 | S | N/A
Please see the country report for Argentina as part of the study "State of Privacy" conducted by Privacy International.
American Samoa | Oceania/Australia | AS
Austria | Europe | AT (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR (See, SCC Generator) | S, R, E: 01/07/1988 | S | S, R, E: 01/10/2012 | ✔️ | Thomas Schweiger
Australia | Oceania/Australia | AU | (✔️) Before personal data are transferred, it should be clarified whether Australian legislation governs this matter, in particular whether personal data of foreign nationals are covered or not. | ✔️ | Australian Privacy Principle 8 - Cross-border disclosure of personal information (Sec. 8.16 et seqq.) | ✔️ | ✔️ | ✔️ | Kara Birch
Aruba | North America | AW
Azerbaijan | Asia | AZ | ✔️ | ✔️ | S, R, E: 01/09/2010 | S, R, E: 01/07/2010
Bosnia and Herzegovina | Europe | BA | ✔️ | ✔️ | S, R, E: 01/07/2006 | S | Anisa Tomic, Attorney at Law, Partner, Maric & Co LLC Law Firm

In accordance with the Law on Criminal Procedure of FBiH and Law on Criminal Procedure of RS, the types of special investigative actions (“measures”) and conditions of their application are regulated. These are actions that need to assist prosecutors to effectively reveal the perpetrators and the evidence of serious and complex crimes, especially organized crime. There are criminal offenses whose execution involves a larger number of people in different locations and which are carried out with the help of new communication technologies, so that it is not possible to prove them by the classic means of proof (documents, material evidence, witnesses).

Special investigative actions may be ordered in case of criminal offenses punishable by at least three years of imprisonment or by a more severe sentence.

If evidence cannot be obtained in any other way or its obtaining would be accompanied by disproportional difficulties, special investigative measures may be ordered against a person where grounds for suspicion exist that he or she has committed or has along with other persons taken part in committing or is participating in the commission of an offense.

Measures referred above shall be ordered by the preliminary proceedings judge in an order upon the properly reasoned motion of the prosecutor containing: the data on the person against whom the measure is to be applied, the grounds for suspicion, the reasons for undertaking the measures and other important circumstances necessitating the application of the measures, the reference to the type of required measure and the method of its implementation and the extent and duration of the measure. The order shall contain the same data as those featured in the prosecutor’s motion as well as ascertainment of the duration of the measure ordered.

Exceptionally, if a written order cannot be received in due time and if there is danger in delay, the execution of a measure may commence on the basis of a verbal order pronounced by the preliminary proceeding judge.

The written order of the court must be obtained within 24 hours following the issue of the verbal order.

Special investigative measures are as follows:


a) Surveillance and technical recording of telecommunications, also called WIRETAPPING;

This measure may be ordered against persons against whom there are grounds for suspicion that he or she will deliver to the perpetrator or will receive from the perpetrator of the offenses information in relation to the offenses, or grounds for suspicion that the perpetrator uses a telecommunication device belonging to those persons. In practice this measure is very useful, but it limits the right to privacy not only for the suspicious person, but indirectly, for any third party with whom the suspect makes contact by means of communication. Companies performing the transmission of information shall be bound to enable the prosecutor and police authorities to enforce these measures.

b) Access to computer systems and computer data comparison;

This measure would apply to computer crimes such as double accountancy, correspondence and other. State investigative authorities have access to computer systems and electronic transmission of data.

c) Supervision and technical recording of the premises;

d) Secret surveillance and technical recording of persons, means of transport and objects which are in relation to them;

This measure is nowadays often applied. If the judge approved this measure in the preliminary procedure, in this case it can be evidence.

e) Use of undercover investigators and use of informant;

By compiling or transcribing the records without making references to the personal data therein about the undercover investigator and informant, or in another appropriate way, the prosecutor and the preliminary proceedings judge shall prevent unauthorized persons as well as the suspect and his defense attorney from establishing the identity of the undercover investigator and of informant.

f) Simulated purchase of certain objects and simulated bribery;

g) Supervised transport and delivery of the objects of a criminal offense.

 

Measures referred above under a) through d) and g) may last up to one (1) month, while on account of particularly important reasons the duration of such measures may upon a properly reasoned motion of the prosecutor be prolonged for a term of another month, provided that the measures referred under a), b) and c) may last up to six (6) months in total, while the measures referred under d) and g) may last up to three (3) months in total.

It is also worth noting that in accordance with the Criminal Code of Federation of Bosnia and Herzegovina (FBiH) and the Criminal Code of Republika Srpska (RS) it is regulated that whoever takes a photograph, film or other recording of another person in his personal premises without that person's consent, or who directly passes on or displays such a photograph to a third person or enables the third person in some other way to have a direct access to the photograph, shall be punished by a fine or imprisonment for a term not exceeding three years. An official person, who perpetrates this criminal offence in the discharge of duty, shall be punished by imprisonment for a term between six months and five years.

Whoever photographs or films a child with an aim of developing photographs, audio-visual tapes or other pornographic materials or who possesses or imports or sells or deals in or projects such material, shall be punished by imprisonment for a term between one and five years. Items meant or used for the perpetration of this criminal offence shall be forfeited and items produced by the perpetration of the criminal offence shall be forfeited and destroyed.

An official or responsible person in the Federation who, without the consent of an individual (data subject) and contrary to the conditions stipulated by the law, collects, processes or uses personal data, or uses such data contrary to the statutory purpose of their collection, shall be punished by a fine or by imprisonment for a term not exceeding six months.

The general overarching national data protection law in Bosnia and Herzegovina (BH) is the Law of Personal Data Protection, published in the Official Gazette of BH (Official Gazette) as Nos. 49/06, 76/11, 89/11 (PDP law).

 

Data Controller means any public authority, natural or legal person, agency or any other body, which, independently or together with another party, manages, processes and determines the purpose and the manner of personal data processing on the basis of laws or regulations.

 

In accordance with the Article 22 of the PDP law, it is regulated that before collecting any personal data, the controller shall notify a data subject, unless the data subject has already been informed, on:

  1. the purpose of processing,
  2. controller, receiving authority or third party whom the data will be accessible,
  3. if forwarding of data for processing is legal obligation,
  4. consequences in the case that the data subject refuses to proceed so,
  5. the cases in which the data subject has right to refuse to provide personal data,
  6. if the personal data collection is voluntary,
  7. the right to access and the right to correct data referring to him/her.

 

If the controller failed to collect personal data from a data subject, it is required to notify the data subject without delay about the identity of the third party that provided the controller with the personal data, and provide information aforementioned in accordance with Article 22 of the PDP Law.

 

Some exceptions do apply. Namely,  the data controller shall not be obliged to provide information on processing of personal data or to enable access to personal data if that action could cause significant damage to legitimate interests of the following categories in Bosnia and Herzegovina:

  1. state security,
  2. defence,
  3. public security,
  4. prevention, investigation, detection of crimes and prosecution of perpetrators as well as violations of ethical regulations of the profession,
  5. important economic and financial interests, including monetary, budgetary and tax issues,
  6. inspection and duties related to control,
  7. protection of data subjects or rights and freedoms of other people.

 

These restrictions shall be allowed only to the extent required in a democratic society for any of the aforesaid purposes.

 

In accordance with the PDP law, main principles of personal data processing are regulated under the Article 4. 

Personal data protection rules and principles are:

  • to process personal data fairly and lawfully,
  • to process personal data collected for special, explicit, and lawful purposes in no manner contrary to the specified purpose,
  • to process personal data only to the extent and scope necessary for the fulfilment of the specified purpose,
  • to process only authentic and accurate personal data and update the data when necessary,
  • to erase or correct personal data that are incorrect and incomplete, given the purpose for which the data are collected or further processed,
  • to process personal data only within the period of time necessary for the fulfilment of the purpose of their processing,
  • to keep personal data in the format that allows identification of the data subject for no longer than required for the purpose for which the data are collected or further processed,
  • to ensure that personal data that were obtained for various purposes are not combined or merged.

The principle of legality of personal data processing implies the processing of personal data prescribed by law, which regulate a certain area, i.e. on the basis of and within the limits of laws and other regulations.

The Law of Personal Data Protection (PDP) regulates the processing of personal data which is any operation or set of operations performed on personal data, such as but not limited to:

  • Collection, recording, or organisation.
  • Storage, adaptation, or alteration.
  • Consultation or use.
  • Disclosure by transmission, or dissemination.
  • Alignment or combination, blocking, erasure, or destruction.

PDP law generally applies to the processing of personal data in the territory of Bosnia and Herzegovina (Article 2(1), PDP law). It also applies to processing outside of Bosnia and Herzegovina when a data controller engages a data processor outside of Bosnia and Herzegovina, to process data on behalf of the data controller (Article 12 and 18 PDP law).

Under the PDP law, a data controller or data processor processing data on behalf of a data controller may process personal data without the consent of a data subject if the processing is:

  • In accordance with a law or required to comply with the duties specified by a law.
  • Necessary for the data subject to enter into negotiations on a contractual relationship or to fulfil contractual obligations agreed on with the data controller.
  • Necessary to protect the vital interests of the data subject.
  • Required to complete a task carried out in the public interest.
  • Necessary for the protection of rights and interests exercised by the controller or user, if the processing does not contravene the rights of the data subject to the protection of personal privacy and personal life.
  • Necessary for carrying out legitimate activities of political parties, political movements, civic associations, trade union organisations, and religious communities.

 

Personal data are processed only to the extent necessary to fulfil a certain purpose. This principle means that if the law or by-laws adopted on the basis of law do not prescribe per se which personal data are processed, then the minimum personal data required to achieve the purpose of such processing is taken. Realization of the principles of justice and legality means adherence to material and formal legal regulations that are to be applied in a specific legal matter, e.g. insight and access to emails of data subjects.

Therefore, personal data processing carried out by government authorities for intelligence purposes would be justifiable, but only to the extent and scope necessary for the fulfilment of the specified lawful purpose and only within the period of time necessary for the fulfilment of the lawful specified purpose. The existence of reasonable suspicion against the data subjects, i.e. persons concerned for specific criminal act charges, would be the objective criteria used to determine which personal data of individuals are stored.

 

Lawyer, defence counsel, notary public, doctor of medicine, doctor of dentistry, or other health professional, a psychologist, a guardian, a religious confessor, or another person who without authorization discloses a secret learned in the exercise of professional duties, shall be punished by imprisonment up to one year.

 

Disclosure of professional secrets is not a criminal offense if someone discovers a secret in the general interest or the interest of another person which is more important than the interest of secrecy.

 

The PDP law permits the transfer of personal data outside of Bosnia-Herzegovina if adequate safety measures are ensured in the destination country. The adequacy of the safety measures is assessed on case by case basis by the Personal Data Protection Agency of BH (Agency), particularly with regard to:

  • The type of personal data.
  • The processing purposes and period.
  • The country to which data is transferred.
  • Related legislation of the country to which data is transferred.
  • Professional rules and standards and safety measures in force in the country to which data is transferred.

The Agency considers EU member states adequate for transferring personal data.

The Agency also allows data transfers to countries that do not meet adequacy requirement if:

  • The transfer is necessary to conclude or to exercise an agreement between the controller and a third party, and it is in the interest of the data subject.
  • A data controller from the destination country provides satisfactory level of guaranty for privacy protection.

In addition to meeting the foregoing requirements, transfers of data abroad require:

  • A data transfer agreement.
  • Certificate of Incorporation for Data Controller and Data Processor, which is a document issued by a competent authority in specific country that serves as evidence that a foreign data controller or data processor is duly registered as legal entity.
  • Notice to data subjects of the intention to transfer personal data outside of Bosnia-Herzegovina.

Materials received through the measures and notification of the measures undertaken:

 

Upon the completion of the application of the measures, all information, data and objects obtained through the application of the measures as well as a report must be submitted by police authorities to the prosecutor. The prosecutor shall be bound to provide the preliminary proceedings judge with a written report on the measures undertaken. On the basis of the submitted report the preliminary proceedings judge shall evaluate the compliance with the judge's order.

Should the prosecutor refrain from prosecution, or should the data and information obtained through the application of the ordered measures not be needed for the criminal proceedings, these data shall be destroyed under the supervision of the preliminary proceedings judge, of which event the judge shall make separate records.

No data or information received through the undertaking of measures (Incidental Findings) shall be used as evidence if they are not related to a criminal offense punishable by at least three years of imprisonment or by a more severe sentence.

In accordance with the PDP law, the controller is not required to provide information to data subject on the processing of personal data in the following cases: 

 

  1. If processing personal data is exclusively for statistical, scientific-research or archival purposes;
  2. If the information or the fact that the data were stored is to be held in secret under the laws or with respect to their type, especially because of overriding legitimate interests of the third party;
  3. If processing personal data is consented to by the data subject.

 

 

The person against whom any of the aforementioned measures were undertaken, shall be notified of the undertaking of the measures, the reasons for their undertaking and information stating that the received materials did not constitute sufficient grounds for criminal prosecution and were thereafter destroyed.  

 

In case of personal data processing carried out by government authorities for intelligence purposes, the preliminary proceedings judge shall forthwith and following the undertaking of the measures inform the person against whom the measures were undertaken. That person may request from the court a review of legality of the order and of the method by which the order was enforced. Data and information received through the undertaking of the measures shall be stored and kept as long as the court file is being kept.

 

The PDP law grants data subjects the following rights, amongst others:

  • The right to be informed regarding:
    • the identity of any third party from whom the data controller collects the personal data of the data subject;
    • the status of the data controller's or processor's processing of the data subject's personal data;
    • the purpose of the data processing;
    • legal grounds for and duration of processing; and
    • any party who has or will receive the data subject's personal data and for what purpose.
  • The right to access from the data controller, once per year and free of charge, information on personal data processed relating to the data subject.
  • If the data subject finds or suspects that a data controller or processor violated the data subject's right or that there is a direct risk of a violation, the data subject has the right to file a complaint with the Personal Data Protection Agency of BH and request any of the following:
    • the controller or processor refrain from the wrongful activities and remedy the factual situation caused by the activities;
    • the controller or processor correct or supplement the personal data to make them authentic and accurate; and
    • the personal data be blocked or deleted.

According to the Article 24 PDP law, it is regulated that the Controller shall, at the request of the data subject, correct, delete or block data that were found to be incorrect or incorrectly listed or processed in any other manner that is contrary to law and rules relating to data processing. The controller shall, at the request of the data subject, inform the third party to whom the data were transferred.

Before starting to process personal data, data controllers are required to submit to the Data Protection Agency of Bosnia and Herzegovina (DPA) the Notification/Request for Intention to Establish Personal Data Filing System along with prescribed documents. The DPA will make the assessment based on the documents and forms submitted and following their approval (Authorization) the processing of the personal data may start. The data controller is authorised to begin processing personal data only after the DPA approves the processing, or upon the expiration of two (2) months following the day the request has been received by the DPA. If upon the expiration of 2 months from the day the request was submitted, the DPA makes no decision whatsoever, the processing may also start.

 

Local notification/authorization regime is based on purposes.

 

Please note that Prior Notification to the DPA is required whenever the processing does not come directly from a law. Therefore, data controller would be required to notify DPA on its intent to process data and adopt Decision on Personal Data Processing for such purpose.

 

If the processing of personal data is based on a particular law (such as Criminal Law, Employment Law, Tax Law etc.), Prior Notification to the DPA is not required. However, DPA's Authorization is still required.

In other words, DPA's Authorization for processing of personal data is always required, while Prior Notification is required only when the processing purpose does not directly come from a specific law.

Barbados | North America | BB
Bangladesh | Asia | BD | ✔️
Belgium | Europe | BE (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR (See, SCC Generator) | S, R, E: 01/09/1993 | S | ✔️ | Thomas O. Dubuisson
Burkina Faso | Africa | BF | Invitation valid until 24 March 2022 | Invitation valid until 12 December 2024 | Moumouni Ouiminga
Bulgaria | Europe | BG (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR (See, SCC Generator) | S, R, E: 01/01/2003 | S, R
Bahrain | Asia | BH | ✔️

Ms. Tripti Dhar, Partner – Reina Legal

  • B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
  • Admitted to practice in India; enrolled with the Delhi Bar Council
  • Certified CIPP/E
  • Member of International Association of Privacy Professionals (IAPP)
  • DSCI Certified Privacy Professional (DCPP)
  • Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India

  • The nature of the offences which may give rise to an interception or surveillance order;

Article 26 of Constitution:

The freedom of postal, telegraphic, telephonic and electronic communication is safeguarded and its confidentiality is guaranteed. Communications shall not be censored or their confidentiality breached except in exigencies specified by law and in accordance with procedures and under guarantees prescribed by law.

Article 372 Amiri decree no. 15 of 1976 with respect to enactment of the Penal Code:

A fine not exceeding BD20 shall be penalty for any person who opens a letter or telegram against the will of the addressee or eavesdrop on a telephone conversation. An offender shall be liable for imprisonment for a period not exceeding 6 months or a fine not exceeding BD 50 if he divulges the contents of the letter, telegram, or telephone conversation to a person other than that to whom it has been intended and without the permission thereof should such action cause damage thereto

Article (4) of Law on Combating Cybercrime in the Kingdom of Bahrain:

Without prejudice to any more severe penalty in any other law, imprisonment with a fine not exceeding one hundred thousand Dinars or one of these penalties shall be punishable by wiretapping, intercepting or intercepting without legal justification using technical means, Transmitted from or to the IT system, including any emissions of electromagnetic waves from the IT system that carry such data. If an eavesdropping, capture or objection results in a disclosure of the transmission or part thereof without legal justification, that is not an aggravating circumstance.

 

  • A definition of the categories of people that might be subject to surveillance;

The existing laws in the region are silent on this subject.

 

  • A limit on the duration of the measure;

The existing laws in the region are silent on this subject.

 

  • The procedure to be followed for examining, using and storing the data obtained;

The existing laws in the region are silent on this subject.

 

  • The precautions to be taken when communicating the data to other parties; and

The existing laws in the region are silent on this subject.

 

  • The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

The existing laws in the region are silent on this subject.

 

  • Furthermore, please assess whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.

The existing laws in the region are silent on this subject.

  • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

The existing laws in the region are silent on this subject.

 

  • What objective criteria are used to determine which personal data of individuals are stored?

The existing laws in the region are silent on this subject.

 

  • Does national legislation require any relationship between the data which must be retained and a threat to public security?

The existing laws in the region are silent on this subject.

 

  • Does national legislation restrict the data retention in relation to …?
    • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
    • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?
  • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?
Please refer to additional information.
  • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
  • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

The existing laws in the region are silent on the above subjects.

  • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
  • Who should the individual address (see, Guarantee C)?
  • Does the court/control committee have access to all relevant information, including closed materials?
Please refer to additional information.
There exist Law No. 30 of 2018 Promulgating the Personal Data Protection Law and Law No. 60 of 2014 with respect to Information Technology Crimes, which mentions the penalties for unlawful tapping, capturing or intercepting, by technical means, any non-public transmission of information devices data to, from or within an information technology system. Due to the unavailability of an English translation, we have not captured the effect of both laws.
Burundi Africa BI
Benin Africa BJ ✔️
See here
or here
Invitation valid until 20 June 2024
Julien Hounkpe, Bilingual Lawyer, PhD
Website: https://julienhounkpe.com
  • The nature of the offences which may give rise to an interception or surveillance order :

- national independence, territorial integrity and security as well as national defense;

- the prevention of terrorism;

- the prevention of attacks on the government;

- the major interests of foreign policy, the execution of international commitments of Benin and the prevention of any form of foreign interference;

- crime and organized crime;

- the fight against the proliferation of arms;

- economic, industrial and scientific interests.

(Intelligence Services Act in Benin Republic : Article 3)   

        

  • A definition of the categories of people that might be subject to surveillance :  

The surveillance measures are applicable to any person on whom there are serious reasons to collect information for intelligence purposes, except members of parliaments, judges, public prosecutors and barristers during the period of their mandate or professional activity, as well as people who, by virtue of their statute are likely to know of the indictment of the President of the Republic and members of the Government.

The exemption can be lifted by the National Commission for the Control of Surveillance Measures as part of legal proceedings or under conditions of absolute necessity.

(Intelligence Services Act in Benin Republic : Article 6)   

 

  • A limit on the duration of the measure :

The surveillance measures are granted for a maximum period of four (4) months by the National Commission for the Control of Surveillance Measures. They shall stop at the end of this period. They are renewable under the same conditions of form and duration.

(Intelligence Services Act in Benin Republic : Article 17)   

 

  • The procedure to be followed for examining, using and storing the data obtained :

The authorization granted by the Head of Government to carry out surveillance measures is subject to the prior opinion of the National Commission for the Control of Surveillance Measures, except in the cases provided by the law.  

The Commission has twenty four (24) hours to respond to requests and seventy two (72) hours if a plenary session of the committee is necessary.

After authorization by the Head of Government, and with the exception of the emergency cases listed in the law, requests for the implementation of surveillance measures are expressed in writing and are motivated by the National Intelligence Coordinator.  

Each request must specify:

- the organization for which it is presented;

- the purpose(s) pursued;

- the reason(s) for the measure(s);

- the person(s) concerned.

If the identity of the person(s) concerned is not known, s/he may be designated by his technical identifier(s) or his/her function(s).

Requests for renewal of an authorization also specify the reasons why this renewal is justified.

(Intelligence Services Act in Benin Republic : Article 14, 15, 16)   

 

  • The precautions to be taken when communicating the data to other parties :

If a request for international mutual legal assistance, or if a national legal procedure concerns facts or acts committed by intelligence services and covered by the secrecy of national defense, the public prosecutor, under the authority of the minister in charge of justice, shall inform the National Intelligence Coordinator.

If this is the case, the Minister of justice shall inform the public prosecutor or the requesting international authority that its request cannot be granted, in whole or in part. This decision is notified to the judicial authority at the origin of the request and shall obstruct the execution of the request or the return of performance documents.

If this is not the case, the National Intelligence Coordinator shall propose total or partial lifting of the secrecy of national defense, relating to these acts and acts committed.

(Intelligence Services Act in Benin Republic : Article 25)   

 

  • The circumstances and substantive and procedural conditions relating to the access of the competent authorities :

The authorization and implementation of surveillance measures on national territory can only be decided if:

- they proceed from an authority legally empowered ;

- they result from a procedure in accordance with the law;

- they respect the missions entrusted to the competent services;

- they are justified by the threats, risks and challenges related to the fundamental interests of the Nation.

(Intelligence Services Act in Benin Republic : Article 4)   

 

  • Furthermore, please assess whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.

The agents committed for the collection of intelligence data must be sworn agents. They are responsible for any deliberate infringement of the individual liberties and the rights to privacy if the violations go beyond the provisions of the law.

(Intelligence Services Act in Benin Republic : Article 5)
  • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

Rights to privacy, in particular the secrecy of correspondence, the protection of personal data and the inviolability of home, are guaranteed by law.

The public authority can only infringe on them in case of necessity, of public interest and within the limits fixed by law.  

(Intelligence Services Act in Benin Republic : Article 4)   

 

  • What objective criteria are used to determine which personal data of individuals are stored ?

Only information related to one of the following objectives can be retained :

- national independence, territorial integrity and security as well as national defense;

- the prevention of terrorism;

- the prevention of attacks on the government;

- the major interests of foreign policy, the execution of international commitments of Benin and the prevention of any form of foreign interference;

- crime and organized crime;

- the fight against the proliferation of arms;

- economic, industrial and scientific interests

(Intelligence Services Act in Benin Republic : Article 18)   

 

  • National legislation requires a relationship between the data which must be retained and a threat to public security

(Intelligence Services Act in Benin Republic : Article 3)   

 

  • National legislation does not restrict the data retention in relation to …
    • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime
    • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)

  • National legislation provides for exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)
(Intelligence Services Act in Benin Republic : Article 3)
  • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

The National Commission for the control of surveillance measures is an independent administrative authority.

It is composed of five (5) members :

- two (2) members of parliament designated for the duration of the legislature by the National Assembly, one (1) from the majority and one (1) from the minority;

- two (2) judges of the Supreme Court appointed by the President of the Supreme Court, one from the Administrative Chamber, the other from the Judicial Chamber;

- one (1) high ranking officer, still in function or not, appointed by the Head of Government because of his knowledge and experience in intelligence and State security.

In the exercise of their functions, the members of the commission do not receive instructions from any authority.

(Intelligence Services Act in Benin Republic : Articles 7 and 8)   

 

  • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

The authorization granted by the Head of Government to carry out surveillance measures is subject to the prior opinion of the National Commission for the Control of Surveillance Measures, except in the cases provided by the law.     

(Intelligence Services Act in Benin Republic : Articles 7 and 14)
  • National legislation provides for possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data.

Any citizen who suspects that he or she is the subject of surveillance can submit a complaint to the National Commission for control of surveillance measures, which shall carry out investigations.

The Court of Appeal has jurisdiction in first instance to hear cases related to the implementation of surveillance measures.

The Supreme Court has jurisdiction in last resort.

(Intelligence Services Act in Benin Republic : Articles 32 and 33)   

 

  • Who should the individual address (see, Guarantee C) ?

An independent oversight committee.  

 

  • Does the court/control committee have access to all relevant information, including closed materials?

The requests and authorizations are recorded in the registers kept by the National Intelligence Coordinator and accessible to the National Commission for the Control of surveillance measures whenever necessary

(Intelligence Services Act in Benin Republic : Article 17)

Law No 217-44 of 5 February 2018 on Intelligence Services in the Republic of Benin

 

Constitutional Court decision No DCC 18-013 of 01 February 2018 

(conformity of surveillance legislation with the Constitution)
Bermuda North America BM

Alexander McD White, Privacy Commissioner

Commissioner White is Bermuda’s first Privacy Commissioner, establishing the office and building the foundations for a successful data protection environment in the country. He is a licensed lawyer, a founding member of the International Association of Privacy Professionals' Privacy Bar Section Advisory Board, and founder of the IAPP State, Local, and Municipal (SLAM) Government Affinity Group. He served a three-year term on the U.S. Department of Homeland Security (DHS) Data Privacy and Integrity Advisory Committee (DPIAC). Prior work includes service as State Deputy Chief Privacy Officer for the U.S. State of South Carolina and as a lawyer in the insurance industry. For more information, see: www.linkedin.com/in/a1exwhite

Note: This analysis of European Essential Guarantees is primarily based upon Bermuda’s Personal Information Protection Act (PIPA), which received Royal Assent in 2016. As a United Kingdom Overseas Territory, individuals in Bermuda are also protected by the European Convention on Human Rights.

The Personal Information Protection Act 2016 (PIPA) requires that processing of data be based on specific “conditions” (section 6) that largely align with the “legal bases” of the European Union’s General Data Protection Regulation. Further, as a United Kingdom Overseas Territory, Bermuda law is influenced by the decisions and case precedent of the European Court of Human Rights.

The Personal Information Protection Act 2016 (PIPA) contains certain “Minimum Requirements” that apply to all entities in Bermuda, even national security entities that are exempt from other PIPA requirements. These Minimum Requirements include “Fairness” (section 8) and “Proportionality” (section 11) that largely align with concepts of necessity and proportionality in European law and jurisprudence. Further, as a United Kingdom Overseas Territory, Bermuda law is influenced by the decisions and case precedent of the European Court of Human Rights.

Bermudians have numerous avenues by which to appeal to protect their rights. The Personal Information Protection Act 2016 (PIPA) creates the Office of the Privacy Commissioner, with powers to receive reports, investigate, and issue orders of any entity subject to PIPA. This includes national security entities, which must comply with PIPA’s “Minimum Requirements.” The Privacy Commissioner is an independent officer appointed by the Governor of Bermuda, not its political government, and “shall not be subject to direction of control of any other person or authority” (section 26). In addition, Bermuda’s Human Rights Commission receives complaints and investigates violations of Bermuda’s Human Rights Act, and individuals may protect their common law rights to privacy through Bermuda’s courts. Further, as a United Kingdom Overseas Territory, Bermuda law is influenced by the decisions and case precedent of the European Court of Human Rights.

Individuals have the ability to report violations to the Office of the Privacy Commissioner, who has statutory powers to investigate and issue orders. The Privacy Commissioner’s orders are subject to judicial review by the Supreme Court of Bermuda (PIPA section 45), and if the court finds violations of orders then both entities and individual actors personally may be held liable (PIPA section 47). Further, as a United Kingdom Overseas Territory, individuals in Bermuda may submit their case for review by the European Court of Human Rights.

For more information on the Office of the Privacy Commissioner, including copies of the Personal Information Protection Act 2016 and regulatory guidance, visit www.privacy.bm.

Brunei Asia BN
ASEAN Model Contractual Clauses for Cross Border Data Flows (2021)
Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021)
✔️✔️
Bolivia South America BO
Brazil South America BR ✔️
The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021).
Invitation valid until 12 December 2024
N/A
Please see the country report for Brazil as part of the study "State of Privacy" conducted by Privacy International.
Bahamas North America BS
Bhutan Asia BT
Botswana Africa BW
Senwelo Modise is a practising attorney in Botswana and an information privacy professional proficient in the areas of data protection, cybersecurity law, telecommunications law, electronic transactions and digital forensics.
Twitter: @Modise_SK

In terms of Section 28 of the Cybercrime & Computer Related Crimes Act, 2018, a police officer or any person authorized by the Commissioner may apply to a judicial officer ex-parte for an order permitting real time collection or recording of traffic data. An order may also be granted ex-parte compelling a service provider to effect such real time collection or recording of traffic data. The Directorate of Intelligence Security Services (DISS) may also intercept communications in terms of Section 22(4) of the Intelligence Security Services Act pursuant to a court order; the Act provides that the Directorate shall show cause to a judicial officer justifying the grant of the surveillance order.

It may be inferred from the Acts that the offences that may give rise to an interception order are cybercrimes and issues related to national security. The answers to all the questions in the criteria outlined below are in the negative. Thus, the interception of communications is not “foreseeable” in the sense of WP 237; there are no clear, precise and accessible rules. The intrusive act of interception is, beyond getting a court order upon an ex-parte application, generally not regulated. Section 31 of the Cybercrime & Computer Related Crimes Act provides for purpose limitation of the data collected in respect of an investigation under the Act, but the manner in which the purpose limitation would be guaranteed is not stipulated.
  • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?
  • What objective criteria are used to determine which personal data of individuals are stored?
  • Does national legislation require any relationship between the data which must be retained and a threat to public security?
  • Does national legislation restrict the data retention in relation to …?
    • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
    • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?
  • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

The answer is in the negative to all questions. The law in Botswana makes no provision in this regard.
  • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
  • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?


A judicial officer oversees surveillance only in respect of the application made to get an order; it is then that the judicial officer considers the reasons justifying derogation from an individual’s fundamental right to privacy. In practice, the reasons advanced are usually unknown to those that the court orders are granted against and to the people, especially given that it is an ex-parte application.

  • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
  • Who should the individual address (see, Guarantee C)?
  • Does the court/control committee have access to all relevant information, including closed materials?

The answer is in the negative for all questions. The Data Protection Act, 2018, which affords a data subject the right to access, rectification and erasure, was passed in 2018 but is not in force due to the fact that the supervisory authority, the Information and Data Protection Commission, has not been constituted. We await an announcement of the commencement date.

Have a look at this article written by a former lecturer of mine at the University of Botswana:

Balancing the Right to Privacy and the Public Interest: Surveillance by the State of Private Communications for Law Enforcement in Botswana

 

Cybercrime & Computer Related Crimes Act:

https://www.bocra.org.bw/cybercrime-and-computer-related-crimes-act-2018

 

Data Protection Act:

https://www.bocra.org.bw/data-protection-act

 

Section 22 of the Intelligence Security Services Act:

  22. Powers of entry, search and seizure

            (1) Where the Director General believes, on reasonable grounds, that a warrant under this section is required to enable the Directorate to investigate any threat to national security or to perform any of its functions under this Act, the Director General shall apply to a senior magistrate or a judge of the High Court for a warrant in accordance with this section.

            (2) If the magistrate or judge to whom an application is made under subsection (1) is satisfied that there are reasonable grounds for suspecting that there is in the premises, place, vessel, boat, aircraft or other vehicle anything which is or contains evidence of the commission of any of the offences referred to in this Act, he or she may by warrant direct the Director General, or any officer or support staff authorised by the Director General under this Act, to enter and search such premises, place, vessel, boat, aircraft or other vehicle and seize and detain anything which the Director General, or the officer or support staff authorised by the Director General, has reason to believe is or contains evidence of any of the offences referred to in this Act.

            (3) Whenever the Director General, or an officer or support staff authorised by him or her under this Act, has reasonable cause to believe that there is in any premises, place, vessel, boat, aircraft or other vehicle any article or document-

            (a)       which is evidence of the commission of an offence referred to in this Act;

            (b)       in respect of which an offence has been, is being, or is about to be committed under this Act;

            (c)        is being conveyed, or is concealed or contained in any package in the premises, place, vessel, boat, aircraft or other vehicle, for the purpose of being conveyed,

then and in any such case, if the Director General, or the officer or support staff authorised by him or her under this Act considers that the special exigencies of the case so require, he or she may without a warrant enter the premises, place, vessel, boat, aircraft or other vehicle, and search, seize and detain such article, document or package.

            (4) The court mentioned in subsection (1) may, on application made by the Director General or an officer or support staff authorised by him or her to do so, issue a warrant under this section authorising the taking of such action as may be specified in the warrant in respect of anything so specified if the court considers it necessary for that action to be taken in order to obtain information which-

            (a)       is likely to be of substantial value to the Directorate in the discharge of its functions; and

            (b)       cannot be reasonably obtained through other means:

Provided that in the event the Directorate wishes to conduct an investigation of a personal or intrusive nature such as searches or interception of postal mail, electronic mail, computer or telephonic communications, the Director General or an officer or support staff authorised by him or her shall show cause to a court of Senior Magistrate or above or a Judge of the High Court and obtain an order in a secret hearing.

            (5) In the exercise of the powers of search, seizure and detention under this section, the Director General, or any other officer of the Directorate may use such reasonable force as is necessary in the circumstances, and may be accompanied or assisted by such other person as he or she considers appropriate to assist him or her to enter into or upon any premises, place, vessel, boat, aircraft or other vehicle, as the case may be.

            (6) A magistrate may, on the application, ex parte, of the Director General, by written notice require a person who is the subject of an investigation in respect of an offence alleged or suspected to have been committed by him or her to surrender to the Director General any travel document in his or her possession.

            (7) If a person on whom a notice under subsection (6) has been served fails to comply with the notice, he or she may be arrested and taken before a magistrate.

            (8) Where a person is taken before a magistrate under subsection (7), the magistrate shall, unless such person complies with the notice under subsection (6) or satisfies the magistrate that he or she does not possess a travel document, by warrant commit him or her to prison where he or she shall be safely kept until he or she complies with the notice.

            (9) A person who has surrendered a travel document under this section may at any time make a written application to the Director General for its return, and every such application shall contain a statement of the grounds on which it is made.

            (10) The Director General may, within 14 days of receipt of the application referred to in subsection (9)-

            (a)       grant the application either without conditions or subject to such conditions as to the further surrender of the travel document and the appearance of the applicant at any time and place in Botswana as may be specified by the Director General in a written notice served personally on the applicant; or

            (b)       refuse the application.

            (11) A person aggrieved by the refusal of the Director General to return his or her travel document to him or her may appeal to a magistrate.
Belarus Europe BY ✔️
Alexey Koziuk, Sabina Tereshko
Belize North America BZ
Canada North America CA (✔️)
For commercial organisations, see here
✔️
Only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Not all data is subject to PIPEDA.
✔️✔️✔️
See here
or here
✔️
Commercial organisations
✔️✔️
Jennifer Sellars, J.D., CIPP/C, CIPM
Twitter: @ModernPrivacy
  • The nature of the offences which may give rise to an interception or surveillance order;

Any “Offence” of the Criminal Code as detailed in section 183[1]. There are 85 listed offences from the Criminal Code which range from high treason, terrorism related, weapons trafficking, bribery, breach of trust, child pornography, keeping a gaming or betting house, murder, sexual assault, robbery, identity theft, and unauthorized use of a computer.

The Criminal Code also lists certain offences of the following Acts:

Bankruptcy and Insolvency Act

Cannabis Act

Competition Act

Controlled Drugs and Substances Act

Copyright Act

Corruption of Foreign Public Officials Act

Customs Act

Excise Act, 2001

Export and Import Permits Act

Immigration and Refugee Protection Act

Security of Information Act

Trademarks Act

S. 487.014 of the Criminal Code also allows, without a court order, a law enforcement official “to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.” This means that so long as no other law prohibits such a disclosure, the information may be provided to law enforcement without a court order.

The Canadian Security Intelligence Service[2] (CSIS) may apply to a judge for a warrant if they believe that information is required to investigate a threat to the security of Canada[3].

Communications Security Establishment Canada[4] (CSEC) is exempted from prosecution under Part VI of the Criminal Code so long as the Minister of National Defence (who is an elected politician[5]) authorized any intercept of private communications[6]. The CSEC may collect “foreign intelligence” by intercepting private communication.

  • A definition of the categories of people that might be subject to surveillance;

Anyone participating in private communications with a person who is in Canada[7]


  • A limit on the duration of the measure; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances and substantive and procedural conditions relating to the access of the competent authorities.
    Furthermore, please assess whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.

I could not find national legislation that addresses the above topics.

CSIS warrants are not required to be disclosed; there is an absence of public information that indicates what the limitations are.

_______

[1] https://laws-lois.justice.gc.ca/eng/acts/C-46/page-41.html#h-118716

[2] https://www.canada.ca/en/security-intelligence-service.html

[3] CSIS Act. Section 21, https://laws-lois.justice.gc.ca/eng/acts/C-23/page-9.html#h-1193870

[4] https://www.cse-cst.gc.ca/en

[5] https://www.canada.ca/en/government/ministers/harjit-singh-sajjan.html

[6] National Defence Act

[7] See the definition of “Private Communication” under section 183 of the Criminal Code

  • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?
    What objective criteria are used to determine which personal data of individuals are stored? Does national legislation require any relationship between the data which must be retained and a threat to public security?
S. 7(3)(c.1) of the Personal Information Protection and Electronic Documents Act, provides that an organization “may disclose personal information without the knowledge or consent of the individual” where the disclosure is made to a government actor that has made a request for the information, and has indicated that
    • (i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
    • (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law,
    • (iii) the disclosure is requested for the purpose of administering any law of Canada or a province, or
    • (iv) the disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual;”


    Information collection by authority of the CSIS Act is limited to information “strictly necessary” that “intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada”[8]

    • Does national legislation restrict the data retention in relation to …?
      • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
      • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

    For information collection by authority of the CSIS Act, the judicial authorization issued under section 11.13 or 21 of the Act is required to address destruction or retention of a dataset.

    • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

    There is no specific national legislation that protects citizens from requests for disclosure from governmental bodies in general. However, the Supreme Court of Canada has confirmed that Solicitor-Client privilege is a Constitutional Right[9] under section 7 of the Charter[10] and the right to privacy under section 8 of the Charter.

    For Canadian datasets collected by authority of the CSIS Act, information that is protected by solicitor-client privilege must be deleted[11].

    _______

    [8] Canadian Security Intelligence Service Act (R.S.C., 1985, c. C-23), Art.12.1

    [9] Canada (Privacy Commissioner) v. Blood Tribe Department of Health, 2008 SCC 44 (CanLII), [2008] 2 SCR 574

    [10] https://laws-lois.justice.gc.ca/eng/Const/page-15.html

    [11] Canadian Security Intelligence Service Act (R.S.C., 1985, c. C-23), Art. 11.1 (1) b

    • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

     At the moment there is no National body overseeing surveillance measures. Recently, the federal government has introduced Bill C-59[12], which would introduce a new regulatory body, the National Security and Intelligence Review Agency. This regulatory body would oversee the work of all national security agencies. The three major surveillance organizations in Canada are the RCMP, the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE).

     

    • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

    Surveillance collected by a warrant obtained through the criminal must be disclosed to the person surveilled after the expiry of the authorization.

    Surveillance obtained through the CSIS is not required to ever be disclosed to the person surveilled. Unless a person is ultimately charged, they would never know they were subject to surveillance.

    _______

    [12] https://www.parl.ca/LegisInfo/BillDetails.aspx?Language=E&billId=9057418

    • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data? Who should the individual address (see, Guarantee C)? Does the court/control committee have access to all relevant information, including closed materials?

    Section 8 of the Charter of Rights protects Canadians and individuals present in Canada from unreasonable search or seizure. If this has been violated, individuals must pursue their claim through the provincial courts through the civil liability legal regime. The most notable case was of Maher Arar who commenced his claim in the Province of Ontario[13] and eventually received an apology and compensation in the amount of $10.5 million from the federal government[14].

    Sections 37 and 38 of the Canada Evidence Act permit a Canadian Minister to object to disclosure of information before a court if release of information would encroach on a specified public interest, would be injurious to international relations, national defence or national security.[15]

    _______

    [13] https://www.falconers.ca/wp-content/uploads/2016/09/Ara-Statement-of-Claim.pdf

    [14] https://archive.vn/20070128130429/http://cnews.canoe.ca/CNEWS/War_Terror/2007/01/26/3453332-cp.html, accessed July 14, 2020.

    [15] https://laws-lois.justice.gc.ca/eng/acts/C-5/page-6.html#h-137843

    R. v. Rogers Communications, 2016 ONSC 70

    Commission of Inquiry Into the Actions of Canadian Officials in Relation to Maher Arar - Archived website versions: https://www.canada.ca/en/privy-council/services/commissions-inquiry/arar.html

    Canadian Security Intelligence Service Act: https://laws-lois.justice.gc.ca/eng/acts/C-23/

    Canadian Charter of Rights and Freedoms: https://laws-lois.justice.gc.ca/eng/Const/page-15.html

    Criminal Code of Canada: https://laws-lois.justice.gc.ca/eng/acts/C-46/index.html

    Cocos [Keeling] Islands | Oceania/Australia | CC
    Congo [DRC] | Africa | CD
    Central African Republic | Africa | CF
    Congo [Republic] | Africa | CG
    Switzerland | Europe | CH | ✔️
    See here
    ✔️✔️✔️✔️✔️ | The FDPIC recognises the 2021 SCCs of the European Union under the GDPR, including all modules, with the reservation that they will be adapted and/or supplemented as necessary in specific cases. Comprehensive guidance available. | S, R, E: 01/02/1998 | S | ✔️ | Esther Zysset, PhD
    https://publicsector.ch

    Preliminary remarks:

    • Currently, Switzerland benefits from an adequacy decision by the EU Commission pursuant to Article 45 GDPR. It is up for review in 2020 and a decision is expected in the coming weeks as of the publication of this contribution (17 July 2020).

    • This contribution focuses on interception and surveillance regimes based on national law, specifically the following:
      • Federal Act on the Surveillance of Post and Telecommunications (SPTA, SR 780.1) (Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs, BÜPF, Loi fédérale sur la surveillance de la correspondance par poste et télécommunication, LSCPT) and Ordinances
      • Swiss Code of Criminal Procedure (Criminal Procedure Code, CrimPC, SR 312)
      • Federal Act on the Intelligence Service (Intelligence Service Act, IntelSA, SR 121) (Bundesgesetz über den Nachrichtendienst, NDG, Loi fédérale sur le renseignement, LRens) and Ordinances

    • Switzerland, although not a member of the EU, is part of Schengen cooperation, and as such the Schengen regulatory framework may apply to certain access requests. It will not be discussed here.

     

    Nature of the offences which may give rise to an interception or surveillance order:

    • Criminal proceedings: National law sets out a (long) list of offences that may justify interception or surveillance orders within criminal proceedings (Articles 269 et seq. CrimPC), provided that a) a strong suspicion exists, b) the seriousness of the offence justifies the measure and c) the investigation so far has proved unfruitful or would be hampered unreasonably without the measure in question.

    • As an exception to the above, metadata relating to telecommunications or postal communication may be requested where there is a strong suspicion that any felony or misdemeanour has been committed (Article 273 CrimPC – this is also possible where the suspicion relates to the simple contravention of “misuse of a telecommunications installation” pursuant to Article 179septies of the Criminal Code)

    • Surveillance measures may also be ordered pursuant to requests for mutual legal assistance, to search for missing persons, to trace persons on whom a custodial sentence or custodial measure has been imposed or for intelligence purposes (Article 1 SPTA).

    • For intelligence purposes, the Intelligence Service Act sets out a list of threats allowing access to information and data, namely specific threats to internal or external security from terrorist activities, espionage, ABC weapons’ proliferation or illegal trade in radioactive substances, war material and other armaments or an attack on critical infrastructure (Articles 26, 27 and 19 para. 2 IntelSA). Furthermore, and less clearly defined, such measures may be ordered in cases of specific threats to important national interests set out by law (i.e. basic constitutional order, Swiss foreign policy or the protection of Switzerland as a “location for employment, business and finance”, Articles 27, 19 and 3 IntelSA). For the more specific case of data gathering through surveillance measures requiring authorisation, the Federal Intelligence Service must demonstrate, in addition to the abovementioned threat, that the seriousness of the threat justifies the measure and that investigations so far have been unsuccessful or would otherwise be without prospect of success or hampered unreasonably (Article 27 IntelSA).

     

    Categories of people that might be subject to surveillance:

    • Within criminal proceedings, surveillance may be ordered against the accused or against a third party, provided that there is reason to believe, based on specific information, that the accused uses the postal address or the telecommunications service of the third party or that the third party receives communications on behalf of the accused or passes on communications from the accused to a third person (Article 270 CrimPC). Other types of surveillance using technical devices (i.e. outside of post and telecommunications) may only be used against the accused person (Article 281 CrimPC)

    • For intelligence purposes, third parties may be monitored if there is reason to believe that the person from whom it is intended to gather the information is using premises, vehicles or storage facilities belonging to the third party or the third party’s addresses, computers or telecommunication connection points in order to transmit, receive or store information (Article 28 IntelSA)

     

    Duration of the measure:

    • In the course of criminal proceedings, real-time surveillance can be ordered for renewable periods of a maximum of three months each (Article 274 para. 5 CrimPC). Retroactive surveillance (metadata) can be requested for a six-month period starting from the date of the surveillance order (Article 273 para. 3 CrimPC).

    • For intelligence purposes, real-time surveillance may also be ordered for renewable periods of a maximum of three months each (Article 29 para. 6 IntelSA).

     

    Provisions surrounding access to and use of the data:

    • Both for criminal proceedings and intelligence purposes, the relevant legislation contains detailed provisions on the handling of and access to data gathered by the authorities and stored in the relevant databases (SPTA and Ordinance on the Processing System for the Surveillance of Post and Telecommunications, SR 780.12, IntelSA and Ordinance on the Information Systems of the Federal Intelligence Service, SR 121.2).

     

    Proportionality regarding number of persons who can access stored data:

    • The relevant legislation relating to surveillance of post and telecommunications contains abstract provisions on the granting of access rights by the body in charge of surveillance, as well as a grid with possible roles and access rights depending on the function of the person requesting access (Articles 7 and 8 as well as Annex of the Ordinance on the Processing System for the Surveillance of Post and Telecommunications, SR 780.12). Access should occur only insofar as necessary for the fulfilment of statutory duties. Whether access is limited to what is strictly necessary therefore depends on the ad hoc decisions of the competent body.

    • As regards intelligence purposes, the relevant legislation contains various provisions setting out the principle of cooperation – and thus also sharing of information - of the Federal Intelligence Service with other specifically named public bodies (Articles 60-62 IntelSA and Ordinance on the Federal Intelligence Service, SR 121.1). As multiple bodies may receive information from the Federal Intelligence Service, the relevant provisions aim to provide the purposes or conditions of cooperation as well as illustrate which types of information may be shared, so as to ensure proportionality (cf. a long list of purposes for which data may be shared with national authorities in Annex 3 of the Ordinance on the Federal Intelligence Service, SR 121.1)
    • The general duty of telecommunication service providers and postal service providers to retain communications metadata (or “secondary data”) for six months is a blanket duty that does not depend on any ad hoc criteria (Articles 19 para. 4 and 26 para. 5 SPTA, further additional information relating to the subscriber pursuant to Articles 21 para. 2 and 22 para. 2 SPTA). Limitation occurs only insofar as the duty to retain data is limited to 6 months.

    • The law foresees a standard set of attributes that are to be monitored for each type of surveillance. Proportionality is ensured through the conditions to which a surveillance order in criminal proceedings is subject. Access to data by means of real-time surveillance in the context of criminal proceedings is contingent upon several conditions as mentioned under A above.

    • Access to information for intelligence purposes is granted under similar conditions, cf. also the answers under A above. Access to surveillance data in an intelligence context is contingent upon the existence of a specific threat.

    • Data which may be accessed is restricted to a given time period as regards real-time surveillance and retroactive surveillance. In addition to the defined surveillance types, telecommunication service providers or other digital actors (most importantly the “providers of derived communications services”, i.e. services that are based on the services provided by telecommunication service providers) may be requested to give the (any) metadata available to them relating to the person under surveillance. There are restrictions regarding the types of persons which may be subject to surveillance measures (see question A above) and there are exceptions for data relating to persons subject to professional secrecy obligations (Article 271 CrimPC and Article 21 IntelSA).
    • Surveillance measures in the context of criminal proceedings must be authorised by the competent court for compulsory measures (Article 272 CrimPC), an independent judiciary body at cantonal (regional) level. Surveillance measures within the ambit of the Federal Intelligence Service are subject to the authorisation of the Federal Administrative Court and clearance from the Head of the relevant (Defence) department (Article 27 paras. 2 and 3 IntelSA). Composition of judicial bodies is governed by Article 6 of the European Convention on Human Rights and Articles 29a and 30 of the Swiss Federal Constitution which both foresee an independent and impartial tribunal constituted by law.

    • Surveillance measures within criminal proceedings may be ordered provisionally by the public prosecutor; the request for authorisation must be submitted within 24 hours and the competent court must rule within 5 days of receiving the request (Article 274 CrimPC).

    • For intelligence purposes, the ordinary procedure requires an application to the Federal Administrative Court before the measure is ordered. The Federal Administrative Court rules within five days (Article 29 IntelSA). Once court authorisation is granted, the Head of department decides whether to grant clearance to conduct surveillance or not (Article 30 IntelSA). In urgent cases, surveillance measures can be ordered by the Federal Intelligence Service immediately, but the Federal Administrative Court and the Head of department must be informed at the same time. Either may terminate the measure with immediate effect. The substantiated application must be filed within 24 hours of ordering the urgent measure (Article 31 IntelSA)

    As regards data collected through surveillance measures in criminal proceedings, the access to personal data is governed:

    • During proceedings, by the applicable Code of Criminal Procedure (CrimPC) which sets out the right to access both the files and personal data (Articles 97-98 and 101 CrimPC, see Article 10 para. 1 a SPTA)

    • After the end of the proceedings, by the relevant data protection legislation applicable to the public body last in charge of data processing (either the Federal Data Protection Act FDPA, SR 235.1, or the relevant cantonal law). All Swiss data protection laws set out basic rights of access and rectification and under certain circumstances also erasure of personal data.

    • A request relating to personal data is to be addressed in the first instance to the public body acting as a controller, i.e. the body in charge of the proceedings (Article 10 para. 3 SPTA). For requests made both during and after the proceedings, legal remedies are available to the affected person (namely appeal to a criminal court under the CrimPC [Article 393 CrimPC], appeal to the Federal Administrative Court for decisions rendered by public bodies at federal level [Article 33 para. 1 FDPA and Articles 31-33 of the Federal Act on the Federal Administrative Court, SR 173.32]).

    • Information access requests relating to data collected by the Federal Intelligence Service may be addressed to the Federal Intelligence Service; the latter however is given multiple grounds on which it may defer providing information (Article 63 IntelSA). The applicant may request the Federal Data Protection Commissioner (Article 64 IntelSA), then in second instance also the Federal Administrative Court (Article 65 IntelSA) to review the lawfulness of the data processing and whether overriding interests in preserving secrecy justify the deferral (Article 63 para. 3 IntelSA). Notifications by the Federal Data Protection Commissioner and the Federal Administrative Court are made using standard wording. There is no further appeal against the decision of the Federal Administrative Court (Article 66 para. 2 IntelSA) due to the political nature of the activity of the Federal Intelligence Service

      English versions of the main acts cited above can be found here:

      Federal Supreme Court decision of March 2nd, 2018 (in German), finding that the blanket duty to store telecommunications metadata for a duration of six months as per the SPTA does not violate Article 8 of the European Convention on Human Rights nor the corresponding provision of the Swiss federal constitution (Article 13):

      Côte d'Ivoire (Ivory Coast) | Africa | CI | Charles Nguessan
      Cook Islands | Oceania/Australia | CK
      Chile | South America | CL
      See here
      The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | ✔️✔️ | N/A
      Please see the country report for Chile as part of the study "State of Privacy" conducted by Privacy International.
      Cameroon | Africa | CM | Danielle Moukouri Djengue
      China | Asia | CN | The Cyberspace Administration of China (CAC) has published its Draft "Data Exit Security Assessment Measures" (数据出境安全评估办法), available here (unofficial translation available here). These measures are relevant under China's Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL).
      In addition, the CAC issued Draft Provisions on Standard Contracts for Cross-border Transfer of Personal Information on 30 June 2022, which contain some similarities (see, Art. 4) with transfer impact assessments under the EU Commission's SCCs.
      ✔️ | N/A
      Please note that according to a recent legal study published by the European Data Protection Board "on Government access to data in third countries", the researchers found that "[...] the Chinese legal system does not provide sufficient safeguards for foreigners’ data comparable to those found in the EU".
      Colombia | South America | CO
      Potential future candidate (p. 52) for adequacy?
      The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | Invitation valid until 12 September 2020 | ✔️ | N/A
      Please see the country report for Colombia as part of the study "State of Privacy" conducted by Privacy International.
      Costa Rica | North America | CR | ✔️
      See here
      or here
      The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | Alethya Howells
      Cuba | North America | CU
      Christmas Island | Oceania/Australia | CX
      Cyprus | Asia | CY | (EU member state) | ✔️✔️✔️✔️✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
      See, SCC Generator
      S, R, E: 01/06/2002 | S, R | Maria Raphael
      Czech Republic | Europe | CZ | (EU member state) | ✔️✔️✔️✔️✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
      See, SCC Generator
      S, R, E: 01/11/2001 | S | ✔️ | Luděk Nezmar
      Germany | Europe | DE | (EU member state) | ✔️✔️✔️✔️✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
      See, SCC Generator
      S, R, E: 01/10/1985 | S | ✔️
      Djibouti | Africa | DJ
      Denmark | Europe | DK | (EU member state) | ✔️✔️✔️✔️✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
      See, SCC Generator
      S, R, E: 01/02/1990 | ✔️
      Dominica | North America | DM
      Dominican Republic | North America | DO | Carlos J. Tapia Barredo
      • The nature of the offences which may give rise to an interception or surveillance order;
      • A definition of the categories of people that might be subject to surveillance:
        NO.
      • A limit on the duration of the measure:
        NO.
      • The procedure to be followed for examining, using and storing the data obtained:
        NO.
      • The precautions to be taken when communicating the data to other parties:
        NO.
      • The circumstances and substantive and procedural conditions relating to the access of the competent authorities.
      • Furthermore, please assess whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.
      • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?
      No, it does not impose such conditions and data handlers may handle all data, necessary or not.
      • What objective criteria are used to determine which personal data of individuals are stored?
      There are none.
      • Does national legislation require any relationship between the data which must be retained and a threat to public security?
      If any data obtained is considered to be a threat or a possible threat, the data handler must share the information with the pertinent authority
      • Does national legislation restrict the data retention in relation to …?
        • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
      All data can be accessed by authorities and judges have been keen on granting access to them when requested.
        • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?
      In practice yes, but national legislation does not expressly restrict this.

      • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?
      Yes. Most notably when there is evidence of a crime, possibility of a crime, and Money Laundering Law. Dominican Republic has very strict money laundering laws and it goes beyond any professional secrecy. The law obliges you to notify authorities even if you think the money is not legal, and provide all data and paper you have on the subject.
      • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
      A judge, however there has been no, to my knowledge at least, case involving overseeing of surveillance measure. There is no government agency dedicated to this, sadly.
      • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?
      NO.
      • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
      First the individual must send a letter to the data handler and then request a judge to issue an order.
      • Who should the individual address (see, Guarantee C)?
      A judge.
      • Does the court/control committee have access to all relevant information, including closed materials?
      Yes.
      Dominican Republic has very poor data protection legislation. However, due to certain requirements of the GDPR for data transfer, and all jurisdictions of the area approving significant data protection legislation, there is currently a committee from Congress discussing a new data protection legislation which will not only increase scrutiny to data handlers, provide further protection to users, but also create an authority specifically for Data Protection.
      Algeria | Africa | DZ
      Ecuador | South America | EC | Rafael Serrano
      • The nature of the offences which may give rise to an interception or surveillance order.

      Ecuadorian legislation establishes that interception or surveillance measures may be carried out as a priority in the case of offenses considered as serious in accordance with the Convention against Transnational Organized Crime. Nevertheless, the Public Prosecutor's Office may request a judge to order an interception or surveillance measure for any offence established in the Criminal Code. The petition must be duly motivated. Furthermore, according to the National Security Act, in cases of undercover investigation related to national security situations, interception or surveillance measures can be performed upon obtaining judicial authorization or court order.

       

      • A definition of the categories of people that might be subject to surveillance.

      There is no definition nor limitation regarding a category of people.

       

      • A limit on the duration of the measure.

      The Criminal Code established a 90-day measure duration. This term can be renewed once for an equal period.

      For national security matters, the National Security Law establishes a 60-day measure duration. This term can be renewed once for an equal period. 

       

      • The procedure to be followed for examining, using and storing the data obtained.

      The Criminal Code establishes that the Prosecutor must request the intervention measure to the judge. This petition must be duly motivated with relevant evidence related with the purpose of the investigation. The judge will determine the period for the interception; this must not exceed 90 days. The Prosecutor may request an extension for a similar period. Data and information obtained during the interception may be used in the procedure against the alleged offender. The data and information must remain secure and confidential.  Only the transcription of the conversations or parts that are considered useful or relevant for the criminal investigation, will be included in the criminal procedure. 

      Meanwhile, the National Security Act establishes that the information that is not related or will not be used in a criminal procedure must be destroyed or deleted with the court's authorization.

       

      • The precautions to be taken when communicating the data to other parties

      There is no technical description regarding the precautions to be taken when communicating the data to other parties. Nevertheless, the National Security Law establishes that the access to reserved information shall be authorized by both the National Secretariat of Intelligence and officials from related agencies. Furthermore, the Criminal Code establishes that all digital content (including recordings and videos) must be in compliance with the chain of custody procedures.

      • The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

      According to the Criminal Code, the Prosecutor must file a petition duly motivated to the judge, requesting any interception or surveillance measure. The motivation of the petition must determine the need of the interception measure with the purpose of the investigation. Meanwhile, the National Security Law establishes that the National Intelligence Secretariat must file a petition to the President of the National Court for the implementation of interception and surveillance measures. Access to reserved information will only be granted to officials of the National Intelligence Secretariat and related authorities, including police or army members related to the investigation. 

       

      • Furthermore, please assess whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.
      The law does not determine the number of persons who can access the stored data. Only the parties to the criminal investigation and the judge will have access to this data.
      • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

      The Criminal Code allows the recording of all communications and information. Nonetheless, the use of these communications and information, is limited to the scope of the criminal investigation. The person may request all the recordings, when he or she deems it appropriate.  

      Meanwhile, the National Security Law does not establish any objective limitation to the strictly necessary. Nevertheless, the President of the National Court may limit or prohibit the interception or surveillance if the interception or surveillance measures violate or affect constitutional rights. Information collected and not considered as necessary for the criminal procedure must be destroyed or erased, with prior authorization and in the presence of the President of the National Court.

       

      • What objective criteria are used to determine which personal data of individuals are stored?

      The Criminal Code and the National Security Law establish that the data which must be stored is that which would give rise to the initiation of a criminal procedure. The information must be destroyed or erased if it is not required or used in the criminal procedure.

       

      • Does national legislation require any relationship between the data which must be retained and a threat to public security?

      Yes, the National Security Law establishes that the data which must be retained has to be related or would give rise to a criminal procedure (if the data is related to a threat to national security).

       

      • Does national legislation restrict the data retention in relation to …?
        • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?

      The National Security Law prohibits data and information treatment based on or selected by a person's religion, ethnicity, sexual orientation, political views, trade union, cultural, labor organizations or any other information that could result in discrimination.

       

        • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (e.g., witnesses)?

      There is no time restriction or limitation. Depending on the third person, it may be subject to a particular regulation (i.e. Witnesses protection regulation).

       

      • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?
      The Criminal Code prohibits the interception of communications related to professional and religious secrecy.
      • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

      A judge is responsible for overseeing the surveillance measures. The judge is an independent authority and may refuse the interception or surveillance measures if they violate constitutional rights or if they are not considered relevant for the criminal investigation.

      For national security measures, the President of the National Court is the competent judge to authorize or override these measures.

       

      • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?
      The oversight of the interception and surveillance measure will require the judge's approval prior to the collection of data. Nevertheless, the judge may override the measure if it is not considered necessary.
      • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?

      Yes, Ecuadorian legislation recognizes the constitutional guarantee of habeas data. With this constitutional guarantee, the data subject may request the rectification or deletion of his personal data.

       

      • Who should the individual address (see, Guarantee C)?

      The individual can file a habeas data with any judge.

       

      • Does the court/control committee have access to all relevant information, including closed materials?
      Yes, the judge has access to all relevant information, including closed materials. The so-called “third parties” rule does not apply in Ecuador. The judge is not considered a “third party”; the judge must have access to closed materials.
      EstoniaEuropeEE(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
      See, SCC Generator
      S, R, E: 01/03/2002S, R✔️Jamile Hamideh
      EgyptAfricaEGN/A
      Please see the country report for Egypt as part of the study "State of Privacy" conducted by Privacy International.
      Western SaharaAfricaEH
      EritreaAfricaER
      SpainEuropeES(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
      See, SCC Generator.
      The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021).
      S, R, E: 01/10/1985S✔️Manuel David Martín Rodríguez
      EthiopiaAfricaET
      FinlandEuropeFI(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
      See, SCC Generator
      S, R, E: 01/04/1992S, R✔️Jamile Hamideh
      FijiOceania/AustraliaFJ
      Falkland Islands [Islas Malvinas]South AmericaFK
      MicronesiaOceania/AustraliaFM
      Faroe IslandsEuropeFO✔️
      See here
      ✔️✔️✔️✔️
      FranceEuropeFR(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
      See, SCC Generator
      S, R, E: 01/10/1985S✔️
      GabonAfricaGA✔️
      See here
      or here
      United Kingdom (UK)EuropeGB✔️
      See here for the GDPR
      and here for the EU Law Enforcement Directive
      ✔️
      As of 31/01/2020
      ✔️✔️✔️For the time being, you can continue to use the former EU Standard Contractual Clauses for "restricted transfers" from the UK. The ICO has prepared UK versions (with guidance).
      The ICO consulted on their draft international data transfer agreement (IDTA) and guidance, which will replace the Standard Contractual Clauses.

      Note: The new 2021 EU Standard Contractual Clauses do not constitute retained EU law in the UK (pursuant to the European Union (Withdrawal) Act 2018). They are not recognized under the UK GDPR.
      S, R, E: 01/12/1987SS, R, E: 01/09/2011✔️Mahdi Assan, Website | DP Tracker (a compilation of EU and UK data protection cases) | Twitter | LinkedIn

      Preliminary Remarks:

      The majority of UK State surveillance law is contained in the Investigatory Powers Act 2016 (IPA 2016). The powers that the Act makes provision for include the retention of communications data and the acquisition of communications data. Further rules and procedures can also be found in the Communications Data Code of Practice and the Bulk Acquisition of Communications Data Code of Practice, both of which were issued by the Home Office in 2018 under the IPA 2016.

      In relation to the retention of communications data, the Secretary of State may require a telecommunications operator to retain communications data by providing that operator with a retention notice (s.87(1) IPA 2016). The Home Office, liaising with various public authorities (including the SIAs), is responsible for issuing retention notices. Telecommunications operators subject to a retention notice must keep the existence and the content of such a notice secret unless permission is given otherwise by the Secretary of State (ss.95(2) and (3) IPA 2016).

      In relation to the acquisition of communications data, public authorities can obtain authorisation for the acquisition of communications data from telecommunications operators (ss.60A and 61 IPA 2016). This power may also be exercised in bulk form (s.158 IPA 2016). The existence and contents of an acquisition notice must be kept secret unless permission is given otherwise by the public authority serving the notice or the Secretary of State (ss.82(1) and (3) and 174(1) and (2) IPA 2016).

      “Communications data” essentially means metadata, i.e., the ‘who, what, where and how’ of a communication (s.261(5) IPA 2016).

      “SIAs” means the security and intelligence agencies, which includes the Government Communications Headquarters (GCHQ, for which see s.3 of the Intelligence Services Act 1994), MI5 (see s.1 of the Security Service Act 1989) and MI6 (see s.1 of the Intelligence Services Act 1994).

       

      The nature of the offences which may give rise to an interception or surveillance order:

       

      Retention of Communications Data

      A retention notice may be served on a telecommunications operator on any of the following grounds (s.87(1) IPA 2016):
      • In the interests of national security.
      • For the purpose of preventing or detecting serious crime, i.e., a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose (s.263(1) IPA 2016).
      • In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security.
      • In the interests of public safety.
      • For the purpose of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health.
      • To assist investigations into alleged miscarriages of justice.

      Acquisition of Communications Data

      In its targeted form, an acquisition notice may be served on a telecommunications operator on any of the following grounds (ss.60A(7) and 61(7) IPA 2016):
      • In the interests of national security.
      • For the purpose of preventing or detecting serious crime, i.e., a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conducted by a large number of persons in pursuit of a common purpose (s.263(1) IPA 2016).
      • In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security.
      • In the interests of public safety.
      • For the purpose of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health.
      • To assist investigations into alleged miscarriages of justice.
      • Where a person (P) has died or is unable to identify themselves because of a physical or mental condition, so as to assist in identifying P or to obtain information about P’s next of kin or other persons connected with P or about the reasons for P’s death or condition.
      In its bulk form, an acquisition notice may be served on a telecommunications operator on any of the following grounds (s.158(2) IPA 2016):
      • In the interests of national security.
      • For the purpose of preventing death or detecting serious crime, i.e., a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose (s.263(1) IPA 2016).
      • In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security.
      A definition of the categories of people that might be subject to surveillance:
      A “telecommunications operator” includes a wide range of entities responsible for providing a system facilitating the transmission of communications by means involving the use of electrical or electromagnetic energy (ss.261(10), (11) and (13) IPA 2016). This includes not only public networks but also private networks, such as:
      • Providers of web-based email
      • Providers of messaging applications
      • Providers of cloud-based services
      • Commercial entities providing communication services ancillary to the provision of another service, such as hotels, airport lounges and public transport operators
      A limit on the duration of the measure:
      • Under a retention notice, the communications data may only be retained for up to 12 months (s.87(3) IPA 2016).
      • A targeted acquisition notice lasts up to 1 month, subject to renewal (s.65(1) IPA 2016).
      • A bulk acquisition notice lasts up to 6 months, subject to renewal (s.162 IPA 2016).
      The procedure to be followed for examining, using and storing the data obtained:
      Under a retention notice, a telecommunications operator must (s.92(1) IPA 2016):
      • Secure that the retained data is of the same integrity, and subject to at least the same security and protection, as other data held on the same system
      • Secure, by appropriate technical and organisational measures, that the data can be accessed only by specially authorised personnel
      • Protect, by appropriate technical and organisational measures, the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised, or unlawful retention, processing, access, or disclosure
      • In addition, operators must ensure that data are destroyed where the retention period no longer applies and there are no other legal obligations requiring the retention of the data (s.92(2) IPA 2016).
      Under a targeted acquisition notice:
      • The communications data may only be obtained for the purpose of a specific investigation or to test, maintain or develop equipment, systems or other capabilities relating to the availability of obtaining communications data (ss.60A(1)(b) and 61(1)(b) IPA 2016).
      Under a bulk acquisition notice:
      • The communications data obtained may only be retained for a duration necessary for, essentially, the grounds on which the notice was issued (s.171 IPA 2016).
      • The examination of communications data sought must be necessary for specified operational purposes (s.158(1)(c)(i) IPA 2016).
      • Arrangements must be in place to ensure that the communications data are stored in a secure manner (s.171(4) IPA 2016).
      The precautions to be taken when communicating the data to other parties:
      • Under a bulk acquisition notice, the number of persons to whom the communications data are disclosed and the extent to which any of the data is disclosed or otherwise made available must be kept to the minimum necessary for, essentially, the grounds on which the notice was issued (ss.171(2)(a) and (b) IPA 2016).

      Retention of Communications Data

      Before issuing a retention notice, the Secretary of State must consider that it is both necessary and proportionate to issue the notice on one of the relevant statutory grounds (see Guarantee A for the statutory grounds) (s.87(1) IPA 2016).
      In addition, the Secretary of State must consider the following factors (s.88(1) IPA 2016):
      • The likely benefits of serving the notice
      • The telecommunications service to which the notice relates
      • The appropriateness of limiting the data to be retained by reference to location or descriptions of persons to whom telecommunications services are provided
      • The likely number of users (if known) to which the notice relates
      • The technical feasibility of complying with the notice
      • The likely cost of complying with the notice
      • Any other effect of the notice on the telecommunications operator
      The Secretary of State must also have regard to (s.2(2) IPA 2016):
      • Whether what is sought to be achieved by the notice could reasonably be achieved by other less intrusive means
      • The public interest in the integrity and security of telecommunication systems
      • Any other aspects of the public interest in the protection of privacy
      Before serving a notice, reasonable steps must be taken by the Secretary of State to consult the telecommunications operator on which a retention notice may be served (s.88(2) IPA 2016).
      The Secretary of State may require the retention of internet connection records, which effectively identify the service that a person has accessed online (s.62(7) IPA 2016). This includes a person’s web browsing history; however, the data that can be retained is limited to that before the first slash of a URL, i.e., ‘thecybersolicitor.com’ and not ‘www.thecybersolicitor.com/your-privacy/’.

       

      Targeted Acquisition of Communications Data

      The issuing of an acquisition notice on a telecommunications operator must be both necessary and proportionate in relation to the statutory grounds on which it is being issued (see Guarantee A for the statutory grounds) (ss.60A(1)(a) and (c) and 61(1)(a) and (c) IPA 2016).
      The telecommunications operator will only be required to obtain and disclose to public authorities the amount of data needed to comply with the acquisition notice that is served on it (s.66(2) IPA 2016).
      A telecommunications operator will not be required to take steps to comply with an acquisition notice that are not reasonably practicable for it to take (s.66(3) IPA 2016).
      Public authorities may only acquire internet communication records where those records are used to:
      • Identify those who are using a service on the internet only where the service and the time of use are already known (s.62(3) IPA 2016)
      • Identify the internet communications service being used by a known person or apparatus, including when and how it is used (ss.62(4)(b)(i) and 62(5)(c)(i) IPA 2016)
      • Identify the internet service being used, including when and how, by a known person or apparatus (ss.62(4)(b)(iii) and 62(5)(c)(iii) IPA 2016)
      • Obtain access to, or run, a computer file program by a known person or apparatus involving, wholly or mainly, the making available or acquisition of material the possession of which is a crime (ss.62(4)(b)(ii) and 62(5)(c)(ii) IPA 2016)
      Public authorities must also have regard to (s.2(2) IPA 2016):
      • Whether what is sought to be achieved by the notice could reasonably be achieved by other less intrusive means
      • The public interest in the integrity and security of telecommunication systems
      • Any other aspects of the public interest in the protection of privacy

       

      Bulk Acquisition of Communications Data

      The issuing of a bulk acquisition notice on a telecommunications operator must be both necessary and proportionate in relation to the statutory grounds on which it is being issued (see Guarantee A for the statutory grounds) (ss.158(1)(a) and (b) IPA 2016).
      Bulk acquisition of communications data must also satisfy three other conditions:
      • The examination of the communications data sought must be necessary for specified operational purposes (s.158(1)(c)(i) IPA 2016)
      • The examination of the communications data sought for the operational purpose(s) must be necessary on the relevant statutory grounds (s.158(1)(c)(ii) IPA 2016)
      • There must be arrangements in place consisting of safeguards relating to the retention and disclosure of the communications data sought (s.158(1)(d) IPA 2016).
      A telecommunications operator served with a bulk acquisition notice will not be required to undertake steps to comply with the notice that are not reasonably practicable for it to take (s.170(3) IPA 2016).
      The Secretary of State must also have regard to (s.2(2) IPA 2016):
      • Whether what is sought to be achieved by the notice could reasonably be achieved by other less intrusive means
      • The public interest in the integrity and security of telecommunication systems
      • Any other aspects of the public interest in the protection of privacy

       

      Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?
      Public authorities must have regard to whether the level of protection to be applied in relation to the obtaining of information by virtue of a retention or acquisition notice is higher because of the particular sensitivity of that information. This includes items subject to legal privilege, which may require the level of protection applied to be higher (ss.2(2)(b) and (5)(a) IPA 2016).

      Retention of Communications Data

      Ex ante oversight:
      • Before a retention notice can be issued, it must be reviewed by a Judicial Commissioner. The Judicial Commissioner must confirm that the notice is necessary and proportionate in relation to the statutory ground on which it is being issued (s.89(1) IPA 2016).
      • The Judicial Commissioner must apply the same principles as would be applied by a court on an application for judicial review (s.89(2)(a) IPA 2016) and consider with a sufficient degree of care their general duties in relation to privacy (ss.89(2)(b) and 2 IPA 2016).
      Ex post oversight:
      • The Investigatory Powers Commissioner is responsible for keeping under review the exercise by public authorities of statutory functions relating to the use of surveillance powers (s.229(1) IPA 2016). The operation of safeguards to protect privacy must also be monitored by the Commissioner (s.229(5) IPA 2016). This can be done by way of audit, inspection and investigation and the Commissioner, with the Judicial Commissioners, may use its powers to carry out such activities (s.235(1) IPA 2016).
      • A telecommunications operator can refer back a retention notice to the Secretary of State for review (s.90(1) IPA 2016). This right expires after 28 days starting on the day that the notice was given (reg 2(1) of Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018). This right can be exercised where the obligations required under a notice are unreasonable (reg 2(2) of Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018).

       

      Targeted Acquisition of Communications Data

      Ex ante oversight:
      • Certain public authorities may only obtain an acquisition authorisation from the Investigatory Powers Commissioner, including local authorities (ss.70(2A) and 73(1) IPA 2016). The Commissioner delegates these authorisation duties to the Office for Communications Data Authorisations (OCDA). The OCDA will need to consider the necessity and proportionality of the acquisition authorisation in relation to the statutory grounds on which the notice is being issued (s.60A(1) IPA 2016).
      • Authorisations can also be given by a designated senior officer within the public authority itself when the authorisation is sought on certain statutory grounds (s.70(5A) IPA 2016). The designated senior officer will have to consider the necessity and proportionality of the acquisition authorisation in relation to the statutory grounds on which it is being issued (s.61(1) IPA 2016).
      Ex post oversight:
      • The Investigatory Powers Commissioner is responsible for keeping under review the exercise by public authorities of statutory functions relating to the use of surveillance powers (s.229(1) IPA 2016). The operation of safeguards to protect privacy must also be monitored by the Commissioner (s.229(5) IPA 2016). This can be done by way of audit, inspection and investigation and the Commissioner, with the Judicial Commissioners, may use its powers to carry out such activities (s.235(1) IPA 2016).

       

      Bulk Acquisition of Communications Data

      Ex ante oversight:
      • Before an acquisition notice can be issued, it must be reviewed by a Judicial Commissioner (s.159(1) IPA 2016). The Judicial Commissioner must confirm that the notice is necessary and proportionate in relation to the statutory ground on which it is being issued (ss.159(1)(a) and (b) IPA 2016). The Judicial Commissioner must also ensure that the examination of the communications data is limited to the operational purposes and is necessary in relation to the statutory ground on which it is being issued (ss.159(1)(c)(i) and (ii) IPA 2016).
      • The Judicial Commissioner must apply the same principles as would be applied by a court on an application for judicial review (s.159(2)(a) IPA 2016) and consider with a sufficient degree of care their general duties in relation to privacy (ss.159(2)(b) and 2 IPA 2016).
      Ex post oversight:
      • The Investigatory Powers Commissioner is responsible for keeping under review the exercise by public authorities of statutory functions relating to the use of surveillance powers (s.229(1) IPA 2016). The operation of safeguards to protect privacy must also be monitored by the Commissioner (s.229(5) IPA 2016). This can be done by way of audit, inspection and investigation and the Commissioner, with the Judicial Commissioners, may use its powers to carry out such activities (s.235(1) IPA 2016).

      The Data Protection Act 2018

      • The SIAs are subject to the obligations under the Data Protection Act 2018 (DPA 2018) where the processing of personal data is carried out by automated means or where the personal data form part of, or are intended to form part of, a filing system (s.82(1) DPA 2018).
      • These obligations include complying with data subject rights, including the right of access (ss.94 and 95 DPA 2018), and the right to rectification and erasure (s.100 DPA 2018).
      • However, the SIAs may be exempt from complying with data subject rights if the personal data are required for the purpose of safeguarding national security (s.110(1) DPA 2018) or if the personal data are processed for the purpose of preventing and detecting crime or the apprehending and prosecuting of offenders (Schedule 11, 2 DPA 2018).

       

      Investigatory Powers Tribunal

      • The Investigatory Powers Tribunal (IPT) has special jurisdiction to hear cases against the SIAs, and certain other public authorities, to determine whether such authorities have complied with the Human Rights Act 1998 (which transposes the European Convention on Human Rights (ECHR) into UK domestic law) (s.65(2)(a) Regulation of Investigatory Powers Act 2000 (RIPA)).
      • Any person who claims that a UK public authority has infringed their rights may bring proceedings against that authority to the IPT (s.7(1)(a) Human Rights Act 1998).
      • An individual may claim to be a victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures only if he is able to show that, due to his personal situation, he is potentially at risk of being subjected to such measures (Human Rights Watch Inc & Others v Secretary of State for the Foreign and Commonwealth Affairs Office & Others (2016)).
      • However, the UK is not obliged to respect a person’s right to privacy under the ECHR when that person is situated outside of the territory of the UK in respect of electronic communications which pass through the UK and are obtained by an SIA (Human Rights Watch Inc & Others v Secretary of State for the Foreign and Commonwealth Affairs Office & Others (2016)).
      • The IPT is empowered to make orders quashing or cancelling a warrant or authorisation if it finds against a public authority (s.67(7)(a) RIPA).
      • The IPT has the power to hear closed hearings whereby SIAs can submit evidence regarding their operations that would be too sensitive or confidential to discuss in open court (Liberty & Others v GCHQ & Others (2014)).
      • The IPT may require the assistance of the Investigatory Powers Commissioner or the Judicial Commissioners to investigate claims brought to it as well as require public authorities to disclose all such documents and information as may be required to vet a claim brought to it (ss.68(2) and (6) RIPA).
      • The UK High Court has the jurisdiction to hear appeals against the rulings of the IPT where the appeal is based on an error of law made by the Tribunal in its decision (R (Privacy International) v Investigatory Powers Tribunal & Others (2019)).

      See Report of the Bulk Powers Review (2016) for a detailed description of the operational utility of the bulk powers contained under the IPA 2016, including the bulk acquisition of communications data.

      See R (Liberty) v Secretary of State for the Home Department (2018), in which the High Court held that where public authorities are seeking to serve a retention notice on a telecommunications operator for the purpose of preventing or detecting crime, that purpose should be specifically limited to ‘serious’ crime. The IPA 2016 was amended in 2018 to comply with this part of the judgment (see Data Retention and Acquisition Regulations 2018). However, the Court did find that the other aspects of the retention provisions, including the requirement for a notice to be necessary and proportionate subject to review by a Judicial Commissioner, were compliant with EU law (in particular the Watson Case).

      See R (Liberty) v Secretary of State for the Home Department (2019), in which the High Court held that the bulk powers under the IPA 2016 were, on their face, compliant with the requirements under the ECHR and the caselaw of the European Court of Human Rights.

      --------

      Comment by Christopher Schmidt:
      Please observe that EU law on the protection of personal data (see, Article 70 of the Withdrawal Agreement) shall apply in the UK for personal data collected before 01/01/2021 and processed in the UK on the basis of the Withdrawal Agreement even after the end of the transition period (31/12/2020) pursuant to Article 71(1)(b) of the Withdrawal Agreement (commonly referred to as 'Frozen GDPR').
      GrenadaNorth AmericaGD
      GeorgiaAsiaGE✔️✔️S, R, E: 01/04/2006Sophio Kurtauli

      There are two types of secret surveillance in Georgia: counterintelligence and secret investigative actions. Let’s review the legal framework:

      1. The Law of Georgia “On Counter-intelligence Activities” is the major legal act for detecting and preventing terrorist acts and foreign intelligence and for preventing threats against the national security of Georgia. They have lots of measures to perform their duties. One of them is electronic surveillance, which means secret surveillance and recording of telephone communications, removing and fixing information from a communication channel (by connecting to the means of communication, computer networks, line communications and station equipment) or from a computer system (both directly and remotely), the installation of appropriate software in the computer system for this purpose, and determining geolocation in real time. The government of Georgia approves special authorities who perform counterintelligence services. Electronic surveillance can be implemented by court order. Only the Supreme Court of Georgia is authorized to issue the order. I can say there is no limit of duration because when electronic surveillance starts it continues for the period necessary to achieve its objectives, but not more than 90 days. But this term can be extended for no more than 12 months each time. The quantity is not limited. In case of urgent need, when delay may result in the destruction of important factual data necessary for the purposes of counterintelligence or make it impossible to obtain such data, the head of the Special Service shall have the right to decide whether to initiate an electronic surveillance measure without the judge's order. In such a case, the authorized representative of the head of the Special Service shall immediately notify the court and, within 24 hours of the start of the electronic surveillance measure, apply to him/her with a relevant petition. The Special Service processes the information and saves only what is necessary; other information is eliminated. Access to information is restricted and allowed only for a limited number of persons when security measures are met. The information shall be saved for no more than 10 days. The court has the opportunity to control the surveillance authorization. The official authority entitled to carry out surveillance is the Legal Entity Georgian Operational-Technical Agency;

      2. The “Criminal Procedure Code of Georgia” defines in article 1431 the types of secret investigative actions, which could be: a) secret eavesdropping and recording of phone conversations; b) removal and recording of information from a communications channel (by connecting to the communication facilities, computer networks, line communications and station devices) or a computer system (both directly and remotely), and installation of respective software in the computer system for this purpose; c) monitoring of post and telegraphic communications (except for a diplomatic post); d) secret video and audio recording, film and photo shooting; e) electronic surveillance through technical means which do not endanger human life, health or the environment. It is admissible to carry out several investigative actions at the same time.

      The nature of the offences could be an intentionally serious and/or particularly serious offence, or offences defined article by article (see article 1433, p.2, sub-paragraph “a”). The persons who might be subject to surveillance are: a person against whom a secret investigative action is to be carried out and who has committed any of the offences already defined (a person directly related to the offence); a person who receives or transmits information that is intended for, or is provided by, a person directly related to the offence; or a person whose means of communication are used by a person directly related to the offence (see article 1433, p.2, sub-paragraph “b”).

      The prosecutor is entitled to apply to the court with a reasonable motion, and the court is authorized to define the period of time for conducting the secret investigative action (Article 1433, p. 10, sub-paragraph “d”). There is one exception: the prosecutor is entitled to conduct a secret investigative action without a court ruling in the case of urgent necessity, when a delay may cause destruction of the facts important for the case (investigation), or make it impossible to obtain those data, but he/she is obliged to limit this action to a time that doesn’t exceed 48 hours. Also, the prosecutor is obliged to apply to the first instance court no more than 24 hours after beginning the secret investigative process and ask for recognition of lawfulness (article 1433, p. 6). Another exception concerns the duration, which might not be clear and precise, because the total period of time to conduct a secret investigative action could be 6 months (article 1433, p. 12). There is a balance in that the General Prosecutor of Georgia is authorized to extend a secret investigative action once, for no longer than 3 months.

      As for procedure: after a court ruling of authorization, refusal or recognition of lawfulness, one copy of the ruling is sent to the State Inspector Office of Georgia (hereinafter – SIOG, remark: it is authorized to control data protection in the country) by using an electronic control program, and after submission from the SIOG it is possible to begin the action. The court ruling determines the authorized agency that conducts the secret investigative action and the authorized agency to which the secret investigative materials are introduced and transmitted. Only investigators, prosecutors and judges may, before the completion of secret investigative actions, examine the information obtained as a result of those actions (provided that such information is substantially related to the issue that they are to review) (article 1439).

      The procedure for destruction is quite detailed and determined in article 1438. The information obtained as a result of secret investigative actions shall, by decision of the prosecutor, be immediately destroyed after the termination or completion of such actions, unless the information is of any value to the investigation. The authorized officials for destruction are: prosecutor/supervisor prosecutor in the presence of a judge. A record of the destruction of materials signed by the relevant prosecutors and judges, shall be handed over to the SIOG and shall be included in the court's registry of secret investigative actions.

      If materials are recognized as inadmissible evidence, they shall be immediately destroyed six months after the court of the final instance renders a ruling on the case. Until destruction, these materials shall be kept in a special depository of a court. No one may access these materials, or make copies of them or use them, except for the parties who use them for the purpose of exercising their procedural powers. The materials obtained as a result of secret investigative actions that are attached to a case as material evidence shall be kept in the court for the period of keeping this criminal case. After the expiration of this period, the above materials shall be immediately destroyed. The administration of the court that kept the material before its destruction shall be responsible for adequate keeping of the material obtained as a result of secret investigative actions.

      These measures aren’t enough to say that Georgia has clear, precise and accessible rules, because the State Intelligence Service has the opportunity to monitor and listen to whomever it wants, at any time.

      3. The Law of Georgia “On Electronic Communications” declares in article 8 1 paragraph 1 that the authorized authority has the right to have inpatient or semi-inpatient technical capacity for real-time communication of data transmitted through the infrastructure of the electronic communication company and its identification data. The authorized authority mentioned here is the Legal Entity Georgian Operational-Technical Agency.
      Taking into account all of the above, there are a lot of questions regarding clear, precise and accessible rules. That’s why the Constitutional Court of Georgia is hearing the class action lawsuit of 326 plaintiffs on whether the above-mentioned provisions are constitutional with regard to article 16 (now article 12, Right to free personal development) and article 20 (now article Rights to personal and family privacy, personal space and privacy of communication) of the Constitution of Georgia.

      There is a general rule in the Law of Georgia on Counter-intelligence Activities that all measures they carry out depend on strict protection of human rights and freedoms and the rights of legal persons, and respect for human dignity. A counter-intelligence agency has a very special and important role in any country: to detect and prevent terrorist acts and foreign intelligence, and to prevent threats against national security. Their activities are secret, so it’s very difficult to check whether proportionality or legitimate objectives meet expectations or not.

      The principles of carrying out secret investigative actions according to the Criminal Procedure Code of Georgia are the following: a) Determinacy - there is a list of criminal offences for which secret investigative actions should be initiated (article 1433, section 2, sub-section “a”); b) Legitimate goal - to achieve a legitimate goal in a democratic society, in particular, to ensure national or public security, to prevent riots or crime, to protect the country's economic interests and the rights and freedoms of other persons. Secret investigative actions are necessary in a democratic society if they are carried out due to urgent public needs and if they constitute an adequate and proportional means for achieving a legitimate goal; c) Necessity - secret investigative actions may be carried out only when the evidence essential to the investigation cannot be obtained through other means or it requires unreasonably great effort; d) Proportionality - the scope (intensity) of the secret investigative action must be proportionate to the legitimate goal of the secret investigative action.

      There are special laws providing obligations for professionals to maintain professional secrecy:

      1. Lawyers have a permanent obligation to secure professional secrecy according to the Law of Georgia on Lawyers, article 7, p. 1, sub-p “a”, and it is not limited in time;

      2. The health care provider is obliged to protect the confidentiality of the information about the patient during and after the patient's death according to the Law of Georgia On Patient Rights, article 27;

      3. According to the Law of Georgia “On Freedom of Speech and Expression” the source of professional secrecy is protected by absolute privilege.

      The independent oversight mechanism is still under question (see my answer in Guarantee A about the constitutional lawsuit) because the Legal Entity Georgian Operational-Technical Agency has technical capacity for real-time communication. The court and the SIOG have the opportunity to check in the electronic registry whether the measures were carried out properly.

      According to the Criminal Procedure Code of Georgia, the Supreme Court of Georgia shall prepare a registry of secret investigative actions, which shall include statistical information on secret investigative actions, in particular: information on motions filed with the courts for the conduct of secret investigative actions, and on rulings rendered by courts on those motions, as well as information on the destruction of materials obtained as a result of operative-investigative actions that did not concern criminal activities of the given person but which include details on that or another person's private life and that have been destroyed in accordance with Article 6(4) of the Law of Georgia on Operative-Investigative Activities.

      According to the Georgian Law on “State Inspector Office in Georgia”, the SIOG has an obligation to control activities regarding secret investigative actions determined in the Criminal Procedure Code of Georgia (chapter IV).
      The individual is guaranteed legal remedies to access his/her personal information, to obtain information on his/her personal data processed, and to request their correction, updating, addition, blocking, deletion and destruction. But this is not an absolute right and might be restricted according to article 24 of the Law of Georgia “On Personal Data Protection”. The individual applies to the authority that processes her/his information and requests correction, updating, addition, blocking, deletion and destruction. If this authority denies his/her request, the individual has the right to apply to the SIOG, which examines the legal grounds and decides the case. If the latter rejects the individual’s request, he/she has the right to apply to court. Generally, if materials (see my answer in Guarantee A) are closed, no one has the right to access them, because these materials are destroyed by a special committee (for secret investigative actions the destruction procedure is provided in article 143 8 of the Criminal Procedure Code of Georgia). But in some cases it might be different, when it comes to state secrecy or other relevant information. One more caveat: there isn’t a clear provision in law that destroyed materials aren’t accessible to anybody.
      Links:
      1. The Constitution of Georgia - https://matsne.gov.ge/en/document/view/30346?publication=35
      2. Criminal Procedure Code of Georgia (Old version) - https://matsne.gov.ge/ka/document/download/90034/64/en/pdf
      3. Law of Georgia On electronic Communications (Old version) - https://matsne.gov.ge/en/document/download/29620/26/en/pdf
      4. Law of Georgia „On Personal Data Protection“ - https://matsne.gov.ge/en/document/download/1561437/5/en/pdf
      5. Law of Georgia “ON COUNTER-INTELLIGENCE ACTIVITIES” (Old version) - https://matsne.gov.ge/en/document/download/27364/4/en/pdf
      French Guiana (French Overseas Department and Region)South AmericaGF(EU member state)✔️✔️✔️
      GuernseyEuropeGG✔️
      See here
      ✔️✔️✔️✔️Guernsey's Office of the Data Protection Authority has published guidance (including an Addendum for the EU Commission’s Standard Contractual Clauses) for transferring people’s data outside the Bailiwick.
      GhanaAfricaGHDesmond Israel
      GibraltarEuropeGI✔️✔️
      As of 31/01/2020
      Please note that, on 1st January 2021, the EU GDPR was superseded by the Gibraltar General Data Protection Regulation. The legislation however remains largely the same, and therefore, the general principles relating to the EU GDPR as may be referenced within this Guidance Note, continue to apply to the current regime. Guidance on International Transfer by the Gibraltar Regulatory Authority can be found here.
      GreenlandNorth AmericaGL
      GambiaAfricaGM
      GuineaAfricaGN
      Guadeloupe (French Overseas Department and Region)North AmericaGP(EU member state)✔️✔️✔️
      Equatorial GuineaAfricaGQ
      GreeceEuropeGR(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
      See, SCC Generator
      S, R, E: 01/12/1995S✔️Magdalini Skondra, CIPP/E, Lawyer at the Supreme Court of Greece
      A) As regards the area of police marking elements, e.g. fingerprints, photographs, DNA, blood and other human body fluids examination (applicable laws p.d. 342/1977, CPP, p.d. 178/2014, J.M.D. 3021/2005):

      There are many different laws applicable. Older laws (such as p.d. 342/77 about fingerprints and photographs of arrested people) apply to every offence and every arrested person. In case of a conviction the retention period is 90 years after the person’s birth, or until death, if sooner than 90 years. There is no erasure even in case of a decision declaring the defendant innocent if the innocence relies on his/her practical repentance.  There are some measures and procedure steps’ requirements regarding the collection, storage and communicating of the data, as well as a prohibition of confidentiality breach. Among third parties that are allowed to access the data collected, surprisingly private companies are included, as long as the data refer to an employee or candidate employee, and the public prosecutor allows their access. To the best of my knowledge, this provision is due to the period this law came into force and hopefully is currently not applied.

      Things look much better regarding the recently renewed Code of Penal Procedure, which enforces the immediate destruction of evidence such as DNA in case of innocence, or the retention under strict rules of access in a special registry, inspected by a public prosecutor. Any DNA file must be destroyed at the time of death of the referred person. The right to obtain a defendant’s DNA sample only applies in the most severe offences.

      As far as fingerprints collected in the course of passport issuance are concerned, Greece follows the EU Regulation 2225/2004, but Homo Digitalis complains about the police’s unlawful practice of retention in its central database of all fingerprints collected for purposes of passport issuance. There is no legal basis for such retention, since the law and the EU regulation provide for fingerprint storage only on the encrypted machine-readable biographical data page of the passport.

      B) Public surveillance measures (through drones, CCTV, BWCs and other technologies): L.3917/2011 (art. 14), L.2725/1999 (art. 41D p.14-15), L.2800/2000 (art. 25, police drones), p.d. 75/2020.

      The main law that provides for video surveillance in public spaces is 3917/2011. Art. 14 p.5 provides that such surveillance may be implemented only for the specific serious offences exhaustively listed in it, through means and under guarantees provided by a presidential decree that was never signed, until recently: on September 10 2020, the Greek Republic issued the presidential Decree 75/2020 for the execution of art. 14. The first draft of the Decree was vastly amended, in accordance with the Hellenic DPA Opinion, which had found it to be unconstitutional and totally incompatible with the GDPR and the L.4624/2019 that implemented the EU 2016/680 Directive. The later p.d. provides for the circumstances under which the Hellenic Police, the Coast Guard and the Fire Brigade are allowed to install and operate sound and/or video recording systems, including body worn cameras and drones, in public places. The provisions of the p.d. are clear enough and accessible to anyone through the national official journal. As for the precision element: Article 5 provides that it is required to have sufficient evidence that the specific offences referred to in art. 3 are taking place or are about to take place in the specific space. The existence of sufficient evidence should be reasoned with reference to facts such as, in particular, statistical or empirical data, studies, reports, testimonies, information on frequency, type and specific characteristics of the crimes committed in a specific area, as well as, on the basis of the above elements, the probable spread or transfer of crime to another public space. The p.d. provides that a data protection impact assessment should be carried out before the installation decision, but also before the operation decision, of any surveillance system. The p.d. provides for several technical and organizational measures that should be implemented, such as strict access rights, log file retention and encrypted connection.

      A recent amendment of L.2800/2000 added art. 25, that provides for the use of police drones for collection and processing of images. There is absolutely no other provision than a rather indefinite reference allowing such a processing “according the law”. Homo Digitalis sent the Minister an open letter about this issue too.

      There is another case where the police may currently use smartphone cameras or other technical equipment to collect image, audio and video footage: art. 41D of L.2725/1999, as recently amended, provides that in the case of sport events, and after a public prosecutor’s authorization, police officers may use such means for the confrontation of acts of violence and criminal offenses on the occasion of sporting events and for the purposes of prevention, investigation, detection, prosecution of criminal offenses, imposition and execution of criminal sanctions or restrictive conditions. For the lawful collection and processing of the above data, prior notification of the fans is necessary by any appropriate means, in particular with a clear indication on the ticket, with announcements on fixed or mobile plates, with announcements from loudspeakers or with a relevant announcement in the media. The physical or digital carrier in which the evidence is embedded is a legal means of proof, which can be used in the context of criminal proceedings and the execution of criminal sanctions and restrictive conditions. The content of the material or digital carrier is permanently deleted, or the material or digital carrier is completely destroyed, after thirty (30) days from the collection and processing of personal data (unless it actually provides evidence of a criminal offence).

      C) Undercover/secret police investigations such as video/audio recordings of activities (not communications) PCC art. 254, 255:

      The Code of Penal Procedure, totally renewed in late 2019, provided specific guarantees for secret investigative acts such as video/audio recordings of activities: such recording is strictly prohibited if the activity is taking place inside a house. It can take place only by order of a competent public prosecutor, for specific and exhaustively listed serious crimes, and only when there are serious indications of guilt of the person(s) under surveillance. Additionally, there must be no other appropriate way to detect or prevent the specific crime.

      D) Retention periods of criminal convictions CPP art. 573.
      Criminal convictions are archived and stored only by the competent public prosecutor, until the 80th year of the convicted person. There are strict provisions of confidentiality and access controls. There is a provision of remedy / challenging procedure of the registry, as well as a provision of an updating procedure every six months.

      E) L.4624/2019 implementing EU Directive 2016/680.
      One might think that all the issues older legislation raises are resolved by the newer national law that implements the LED. But this is not exactly the case. There are serious issues raised by this law, such as time limits: art. 5 of the LED provides that time limits are to be established for the erasure of personal data, and that a periodic review procedure of the need for the storage of personal data must be in place. Art.73 of L.4624/2019 does not provide for time limits, nor for periodic reviews by Greek law enforcement authorities.

      In addition, while the provision of article 10 GDPR is providing authorization to the national legislator to take the necessary measures for the provision of adequate guarantees for the processing of personal data relating to criminal convictions and offenses, the Greek law did not introduce such a provision. According to the Greek DPA’s opinion on this law, “it becomes rather impossible to implement the provision of Article 10 of the GDPR” in Greece.

      • In general, most of the laws examined above impose a limitation to what is “strictly necessary”.
      • Objective criteria are used in some cases to determine which personal data of individuals are stored, such as the conviction of the data subject and the nature of the offence.
      • All the legislation examined requires a relationship between the data which must be retained and a threat to public security.
      • In general, the national legislation restricts the data retention in relation to data pertaining to a particular time period and a group of persons likely to be involved, in one way or another, in a serious crime. Time limits, though, are rather extremely long. The national legislation provides for an exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers). In L. 4624/2019 that implements the LED, a distinction is made between different categories of data (such as (a) persons for whom there are good reasons to believe that they have committed a criminal offense; (b) persons for whom there are good reasons to believe that they are committing a criminal offense; (c) persons convicted of a criminal offense; (d) victims of a criminal offense or persons for whom certain facts create the belief that they may be victims of an offense; and (e) other persons, such as witnesses, informants or liaisons or associates of persons referred to in cases a to d), but without any provision for vulnerable groups, such as e.g. children, and without affecting the data protection principles (e.g. retention in different files, effect on retention time, destruction under different conditions, etc.).
      • As regards p.d. 75/2020 on police surveillance systems in public spaces: the p.d. provides that any surveillance system should monitor only the areas that are predefined, that zoom features and voice recordings should not in general be used (unless under specific circumstances such as when there are no other means to investigate a crime) and only when a public prosecutor has allowed the use of such means in a specific case. It also provides for short retention periods (mostly up to 15 days). There are, though, some provisions for further storing of the data collected “when there are justified suspicions on the data subject of the preparation or the future commission of criminal offenses referred in par. 1”. The justified suspicions of preparation or future commission of the above criminal offenses can be extracted through testimonies or any kind of relevant information, from the movements and contacts of the individual, as well as from the nature, severity and number of crimes for which the data subject has been previously convicted or prosecuted. For data retention in this case the controller must issue a reasoned decision, which is subject to periodic re-evaluation every two years.
      • In general, most of the examined penal legislation provides for oversight procedures by the public prosecutor. In Greece, the public prosecutor is equally a judge. There are, though, cases where there is a provision of internal auditing (regarding the fingerprints registry). The latter does not provide sufficient impartiality and independence, as the police auditors are directly subject to their minister. The oversight must, according to the law, take place both regularly and irregularly (without previous notice).
      • L. 4624/2019, which implemented EU Directive 2016/680 and measures implementing the GDPR, excludes all courts from the Hellenic DPA’s competence, but with different language than the LED and the GDPR use. This raises uncertainties as to when and if the DPA is competent to perform its tasks over courts, even when not acting in their judicial capacity. No internal auditing body is provided for either. In addition, art. 10 p.5 of the law excludes all “classified” information from the DPA’s competence, leaving secret services’ activities out of control.
      • P.D. 75/2020: the responsibility for monitoring compliance with personal data legislation lies with the data protection authority.
      • L. 4624/2019 that implements EU Directive 2016/680 provides for the possibility for an individual to pursue legal remedies to have access to personal data relating to him or her, and to obtain the rectification or erasure of such data. However, as the Greek DPA has stated, no provision has been made for the rights of minors, nor for any appropriate and effective measures or criteria for compliance of the controller and the processor with its provisions, which must include specific guarantees for personal data concerning vulnerable persons, such as children.
      • The individual should address the competent authority who is the controller of his/her data or the court. The Greek Police has recently appointed a DPO, whose name and contact details have been published. (The Greek law L.4624/2019 implementing the LED, gives Greek national authorities the option not to publish the contact details of their data protection officer nor to communicate these details to the Greek supervisory authority).
      • The court can have access to all relevant information.
      • P.D. 75/2020 on police surveillance through video devices in public spaces provides that the decision on the installation and operation of police surveillance systems in public spaces can be challenged before the Greek State Council. The data subject can also lodge a complaint with the local data protection authority, but only if the controller refuses, or delays more than 30 days, to reply to a data subject access request. There is another limitation on the data subject access right, though. Art. 9 provides that the victim and the defendant can apply for access to the data only if they prove that this access is necessary for the establishment, exercise or defence of legal claims.
      The recent Greek data protection law (L.4624/2019) has raised serious concerns due to its vagueness and some of its provisions that appear to be incompatible with the GDPR and the LED. Some of these issues are presented in the Greek DPA’s opinion. Due to all the above issues, on October 24, 2019, Homo Digitalis lodged a complaint with the European Commission for non-compliance with EU law, regarding the provisions of the Law 4624/2019 on personal data, namely non-compliance with the provisions of Directive 2016/680 and Regulation 2016/679 (Reference No CHAP(2019)03059).
      South Georgia and the South Sandwich IslandsSouth AmericaGS
      GuatemalaNorth AmericaGT
      GuamOceania/AustraliaGU
      Guinea-BissauAfricaGW
      GuyanaSouth AmericaGY
      Gaza StripAsiaGZ
      Hong KongAsiaHKJasmine Yung, Trainee Solicitor, Hong Kong Law Firm, is a privacy professional with experience in privacy law enforcement, compliance investigation, policy research, speech writing, international liaison and promotion. Interested in how technologies impact privacy and our lives. Prior to pursuing a legal career, Jasmine has worked in Hong Kong’s Office of the Privacy Commissioner for Personal Data for 6 years.

      The main legislation in Hong Kong is Interception of Communications and Surveillance Ordinance (Cap. 589, Laws of Hong Kong) (ICSO).

      The nature of the offences which may give rise to an interception or surveillance order:

      • An interception or covert surveillance order may be granted for the purposes of preventing or detecting serious crime, or protecting public security.
      • In relation to an interception order, serious crime means an offense punishable by a maximum penalty that is or includes a term of imprisonment of not less than 7 years. In relation to a covert surveillance order, serious crime means an offense punishable by a maximum penalty that is or includes (i) a term of imprisonment of not less than 3 years; or (ii) a fine of not less than HK $1,000,000.

       

      A definition of the categories of people that might be subject to surveillance:

      • Any person reasonably suspected to have been, is, or is likely to be, involved in the particular serious crime to be prevented or detected.
      • Any person reasonably suspected to have been, is, or is likely to be, involved in any activity which constitutes or would constitute the particular threat to public security.

       

      A limit on the duration of the measure:

      • Judge’s authorisation: An officer of a department may apply to a panel judge for the issue of the judge’s authorisation for any interception or Type 1 surveillance[i] to be carried out by or on behalf of any of the officers of the department. The judge’s authorisation is not to be longer than the period of 3 months beginning with the time when it takes effect. The judge’s authorisation may be renewed more than once, and each renewal may not be longer than 3 months from when it takes effect.

      • Executive authorisation: An officer of a department may apply to an authorizing officer of the department for the issue of an executive authorization for any Type 2 surveillance[ii] to be carried out by or on behalf of any of the officers of the department. The executive authorization is not to be longer than 3 months from when it takes effect. The executive authorization may be renewed more than once, and each renewal may not be more than 3 months from when it takes effect.

      • Emergency authorisation: An officer of a department may apply to the head of the department for the issue of an emergency authorisation for any interception or Type 1 surveillance to be carried out by or on behalf of any of the officers of the department, if he considers that there is immediate need for the interception or Type 1 surveillance to be carried out by reason of an imminent risk of—

        (i) death or serious bodily harm of any person;
        (ii) substantial damage to property;
        (iii) serious threat to public security; or
        (iv) loss of vital evidence; and

        having regard to all the circumstances of the case, it is not reasonably practicable to apply for the issue of the judge’s authorization for the interception or Type 1 surveillance. Emergency authorisation is only effective for 48 hours beginning with the time when it is issued and cannot be renewed. 


        The procedure to be followed for examining, using and storing the data obtained; The precautions to be taken when communicating the data to other parties; Whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued:

        • The head of department is required to make arrangements to ensure that any interception or surveillance product obtained is safeguarded, and all practicable steps are taken to ensure that the product is protected against unauthorized or accidental access, processing, erasure or other use.

        • The following should be limited to the minimum that is necessary for the relevant purpose of the authorisation:

          (i) the extent to which the interception or surveillance product is disclosed;
          (ii) the number of persons to whom any of the interception or surveillance product is disclosed;
          (iii) the extent to which the interception or surveillance product is copied; and
          (iv) the number of copies made of any of the interception or surveillance product.

        • The interception or surveillance product should be destroyed as soon as its retention is not necessary for the relevant purpose of the authorisation, unless the product is required to be produced to the Commissioner on Interception of Communications and Surveillance.

           

          The circumstances and substantive and procedural conditions relating to the access of the competent authorities:

          • As regards circumstances and substantive conditions, the conditions for issuing or renewing of authorization for interception or covert surveillance orders are that:
            • the purpose sought to be furthered by carrying out the interception or covert surveillance concerned is that of preventing or detecting serious crime, or protecting public security;

            • there is reasonable suspicion that any person has been, is, or is likely to be, involved in the particular serious crime to be prevented or detected; or any activity which constitutes or would constitute the particular threat to public security; and

            • the interception or covert surveillance is necessary for, and proportionate to, the purpose sought to be furthered by carrying it out, upon—
              (i) balancing the relevant factors against the intrusiveness of the interception or covert surveillance on any person who is to be the subject of or may be affected by the interception or covert surveillance;
              (ii) considering whether the purpose sought to be furthered by carrying out the interception or covert surveillance can reasonably be furthered by other less intrusive means; and
              (iii) considering such other matters that are relevant in the circumstances.

              “Relevant factors” mean —

              • the immediacy and gravity of the particular serious crime to be prevented or detected, or the particular threat to public security; and

              • the likely value and relevance, in relation to the purpose sought to be furthered by carrying out the interception or covert surveillance, of the information likely to be obtained by carrying it out.

               

              • As regards procedural conditions:
                • The panel judge shall not issue or renew the judge’s authorization for interception or Type 1 surveillance unless the judge is satisfied that the above circumstances and substantive conditions are met. The application for issue or renewal is to be made in writing. The application should be supported by an affidavit of the applicant, setting out details of the proposed duration of the order, the identity of the person subject to the order, the grounds for reasonable suspicion against the person, particulars of the premises for the order, the benefits likely to be obtained by the order, an assessment of the impact on any person other than the subject, and the reason why the purpose of the surveillance or interception cannot be furthered by other less intrusive means.

                • The authorising officer shall not issue or renew the executive authorization for Type 2 surveillance unless the officer is satisfied that the above circumstances and substantive conditions are met. The application should be in writing and the applicant must provide a statement in writing setting out the above details (e.g. proposed duration of the order).

                • The head of department shall not issue the emergency authorization for interception or Type 1 surveillance unless the head is satisfied that the above circumstances and substantive conditions are met. The application should be in writing and the applicant must provide a statement in writing setting out the above details (e.g. proposed duration of the order).


              __________

               

              [i] “Type 1 surveillance” means any covert surveillance other than Type 2 surveillance.

              [ii] “Type 2 surveillance” means any covert surveillance that—

              1. is carried out with the use of a listening device or an optical surveillance device by any person for the purpose of listening to, monitoring or recording words spoken or activity carried out by any other person, if the person using the device—
                (i) is a person by whom the other person intends, or should reasonably expect, the words or activity to be heard or seen; or
                (ii) listens to, monitors or records the words or activity with the consent, express or implied, of a person described in subparagraph (i); or

              2. is carried out with the use of an optical surveillance device or a tracking device, if the use of the device does not involve—
                (i) entry onto any premises without permission; or
                (ii) interference with the interior of any conveyance or object, or electronic interference with the device, without permission.
              • Under the ICSO, it is noted that any interception or Type 1/Type 2 surveillance may only be carried out with prescribed authorisation, subject to the above substantive and procedural conditions. Applicants need to adhere to strict procedures when making an application, and must demonstrate reasonable grounds of suspicion for preventing or detecting serious crime or that there is a threat to public security, why the same purpose cannot be achieved by less intrusive means, and the specific premises or person proposed to be subject to the order.

              • There is a limit in duration for each authorisation, whilst any renewal is subject to scrutiny of whether certain specific substantive conditions are met.

              • Each prescribed authorization is issued with specific terms and conditions which may vary case by case. There is authorisation of (i) specific address/premises; (ii) person specified for the order. However, the applicant could be given broad authorisation for (a) the installation, use and maintenance of any devices required to be used in order to intercept any of the communications authorized to be intercepted under the prescribed authorization; and (b) the incidental interception of any communication which necessarily arises from the interception of communications authorized to be carried out under the prescribed authorization.

              • Protected surveillance or interception product is generally required to be destroyed once the retention purposes have expired. Once the product is obtained, the departments are obliged to put in place safeguards to limit the extent to which it is disclosed, the number of copies made, the extent to which it is copied, and the number of persons to whom the product is disclosed.

              • If the officer of a department discovers that there is any material inaccuracy to the information provided in the application for issue/renewal of authorisation or there is a material change in circumstances since the application for issue/renewal of the authorisation, the officer must report to the relevant authority granting the authorisation. If the relevant authority considers that the substantive conditions are no longer met, then it should revoke the authorization.

              • Surveillance or interception may be restricted if a person who is the subject of the interception or covert surveillance has been arrested. The officer shall, as soon as reasonably practicable after he becomes aware of the matter, provide to the relevant authority by whom the prescribed authorization has been issued or renewed a report assessing the effect of the arrest on the likelihood that any information which may be subject to legal professional privilege will be obtained by continuing the interception or covert surveillance. Depending on the circumstances, the relevant authority may revoke or vary or specify new terms and conditions for the authorization.

              • There is an exception provided for persons under obligation of professional secrecy, i.e. lawyers. Unless exceptional circumstances exist, a prescribed authorisation may not authorise the interception of communications in the office or other relevant premises, or a residence, of a lawyer; or any telecommunications service used at an office or other relevant premises, or a residence, of a lawyer, or any telecommunications service known or reasonably expected to be known by the applicant to be ordinarily used by a lawyer for the purpose of providing legal advice to clients. No covert surveillance may be carried out in respect of oral or written communications taking place at an office or other relevant premises, or a residence, of a lawyer. Exceptional circumstances exist if the relevant authority is satisfied that there are reasonable grounds to believe that the lawyer is a party to any activity which constitutes or would constitute a serious crime or a threat to public security; or any of the communications concerned is for the furtherance of a criminal purpose.

              • Any information that is subject to legal professional privilege is to remain privileged even if it is obtained by prescribed authorization.
              • As noted above, there is a different relevant authority depending on which kind of authorisation is sought for the interception or Type 1 or 2 surveillance. The relevant authority is required to consider the same set of substantive conditions before issuing or renewing the authorisation. This ensures the consistency of standards of approval.

              • The Commissioner on Interception of Communications and Surveillance is an independent oversight authority, appointed by the Chief Executive on the recommendation of the Chief Justice[iii]. He is responsible for overseeing the compliance by departments and their officers with the relevant requirements under the ICSO. The ICSO stipulates that the Commissioner, in performing his functions under the ICSO, is not to be regarded as a court.

              • The Commissioner shall, for each report period (12 months), submit a report to the Chief Executive. The report should set out, e.g. the numbers of authorisations granted, the major categories of offences for the investigation of which prescribed authorizations have been issued or renewed during the report period, the number of persons arrested during the report period as a result of or further to any interception or covert surveillance, summary of reviews conducted by the Commissioner, the number and broad nature of any cases of irregularities or errors identified in the reviews during the report period, an assessment on the overall compliance with the relevant requirements during the report period, etc.

              • The Commissioner may, in the course of performing any of his functions, make recommendations to the heads of departments to change any arrangements of the departments to better carry out the objects of the ICSO. The heads of departments shall submit to the Commissioner a report with details of any measures taken by the department (including any disciplinary action taken in respect of any officer) to implement the recommendations, as soon as reasonably practicable after the recommendations have been made or within the period prescribed by the Commissioner.

              • Apart from the Commissioner, there are also general obligations on the departments to report on non-compliance. Where the head of any department considers that there may have been any case of failure by the department or any of its officers to comply with any relevant requirement, he shall submit to the Commissioner a report with details of the case (including any disciplinary action taken in respect of any officer). If the head of any department considers that there may have been a failure to comply with a relevant requirement in a case handled by the department, but the failure is not due to the fault of the department or any of its officers, the head must also submit to the Commissioner a report with details of the failure.

              __________

               

              [iii] https://www.sciocs.gov.hk/en/ordinance.htm

              • There appear to be no specific remedies for individuals to have access to personal data relating to him or her or to obtain rectification or erasure of such data under the ICSO. However, as noted above, if the officer of a department discovers that there is any material inaccuracy to the information provided in the application for issue/renewal of authorisation or there is a material change in circumstances since the application for issue/renewal of the authorisation, the officer must report to the relevant authority granting the authorisation. If the relevant authority considers that the substantive conditions are no longer met, then it should revoke the authorization.

              • The legal remedies for individuals under the ICSO mainly concern unauthorised surveillance or interception.

              • If an individual suspects (a) that any communication transmitted to or by him has been intercepted by an officer of a department; or (b) that he is the subject of any covert surveillance that has been carried out by an officer of a department, he may apply in writing to the Commissioner for an examination. If, on an examination, the Commissioner determines that the interception or covert surveillance alleged has been carried out by an officer of a department without the authority of a prescribed authorization, the Commissioner shall as soon as reasonably practicable give notice to the applicant:

                (a) stating that he has found the case in the applicant’s favour and indicating whether the case is one of interception or covert surveillance, the date on which the interception or covert surveillance began and the duration of the interception or covert surveillance; and

                (b) inviting the applicant to confirm whether the applicant wishes to seek an order for the payment of compensation under the application, and if so, to make written submissions to him for that purpose.

                The compensation ordered to be paid to the applicant may include compensation for injury to feelings.

              • The Commissioner has broad powers to obtain information under the ICSO. He may —
                (a) require any public officer or any other person to answer any question, and to provide any information, document or other matter (including any protected product, whether or not it contains any information that is or may be subject to legal professional privilege) in his possession or control to the Commissioner, within the time and in the manner specified by the Commissioner when making the requirement; and

                (b) require any officer of a department to prepare any report on any case of interception or covert surveillance handled by the department, or on any class of such cases, within the time and in the manner specified by the Commissioner when making the requirement.

              • However, it should be noted that for the purposes of an examination, the applicant is not entitled to have access to any information, document or other matter (including any protected surveillance or interception product, whether or not it contains any information that is or may be subject to legal professional privilege) compiled by, or made available to, the Commissioner in connection with the examination.

              • After the examination, the Commissioner shall notify the head of the department concerned of the determination, including any order or findings he has made in the examination. Upon receipt of the notification, the head of the department shall submit to the Commissioner a report with details of any measures taken by the department (including any disciplinary action taken in respect of any officer) to address any issues arising from the determination, as soon as reasonably practicable after the notification or within the period prescribed by the Commissioner. The Commissioner may, before or after the head of the department has submitted a report to him, refer the determination and any other matters he thinks fit to the Chief Executive, the Secretary for Justice or any panel judge or any or all of them.
              • For full text of Interception of Communications and Surveillance Ordinance (Cap. 589), please see: https://www.elegislation.gov.hk/hk/cap589!en
                 
              • The Secretary for Security has issued a Code of Practice (issued in 2016) to provide practical guidance to officers of the law enforcement agencies in respect of matters provided for in ICSO. Please see: https://www.sb.gov.hk/eng/special/sciocs/2016/ICSO%20CoP%20-%20June%202016%20(E).pdf
                 
              • Under Article 43(6) of The Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region promulgated on 30 June 2020, the Police Force of Hong Kong, when investigating serious crimes in relation to cases concerning offence endangering national security, may apply for interception of communications and conducting covert surveillance.

              • Article 43(6) of the National Security Law stipulates that (English translation obtained from XINHUANET at http://www.xinhuanet.com/english/2020-07/01/c_139178753.htm):

                Article 43  When handling cases concerning offence endangering national security, the department for safeguarding national security of the Police Force of the Hong Kong Special Administrative Region may take measures that law enforcement authorities, including the Hong Kong Police Force, are allowed to apply under the laws in force in the Hong Kong Special Administrative Region in investigating serious crimes, and may also take the following measures:



                (6) upon approval of the Chief Executive, carrying out interception of communications and conducting covert surveillance on a person who is suspected, on reasonable grounds, of having involved in the commission of an offence endangering national security...

                According to Schedule 6 to the Implementation Rules for Art. 43, a police officer responsible for enforcing the National Security Law may apply for the prescribed authorization for conducting interception or covert surveillance. The conditions for the authorisation are that the purposes for authorisation should be for preventing or detecting offences endangering national security or protecting national security, and there should be reasonable suspicion that any person has been, is or is likely to be involved in offences or activities endangering national security. The interception or covert surveillance should be necessary to, and proportionate to, the purposes sought. The police force is required to submit a written application to Hong Kong’s Chief Executive/a directorate officer authorised by the Chief Executive for approval. There is a specified duration for the authorisation, there are provisions for safeguards against interception or surveillance products, and an exception is provided for legal professional privilege product.

                Schedule 6 to the Implementation Rules for Art. 43 appears to be modelled on the ICSO.

                For full text of the Implementation Rules, please see: https://www.gld.gov.hk/egazette/pdf/20202449e/es220202449139.pdf
              Heard Island and McDonald Islands (Australian External Territory)AfricaHM
              HondurasHN
              CroatiaEuropeHR(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/10/2005S, R
              HaitiHT
              HungaryHU(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/02/1998S✔️
              IndonesiaIDASEAN Model Contractual Clauses for Cross Border Data Flows (2021)
              Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021)
              ✔️N/A
              Please see the country report for Indonesia as part of the study "State of Privacy" conducted by Privacy International.
              IrelandIE(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/08/1990S✔️
              IsraelAsiaIL✔️
              See here
              ✔️✔️✔️
              See here
              or here
              ✔️✔️Nir Feinberg
              Isle of ManIM✔️
              See here
              ✔️✔️✔️✔️
              IndiaIN

              Ms. Tripti Dhar, Partner – Reina Legal

              • B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
              • Admitted to practice in India; enrolled with the Delhi Bar Council
              • Certified CIPP/E
              • Member of International Association of Privacy Professionals (IAPP)
              • DSCI Certified Privacy Professional (DCPP)
              • Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India
              • The nature of the offences which may give rise to an interception or surveillance order;

              Section 69 of the Information Technology Act, 2000 confers power on the central government or the state government to issue directions for interception, monitoring or decryption of any information through any computer resource to protect the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign states, or public order, or for preventing incitement to the commission of any cognizable offence or for investigation of any offence.

               

              • A definition of the categories of people that might be subject to surveillance;

              The existing laws in the region are silent on this subject.

               

              • A limit on the duration of the measure;

              Rule 11 of the Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 prescribes the maximum time of interception as 60 days and, on renewal, not to exceed 180 days.

               

              • The procedure to be followed for examining, using and storing the data obtained;

              Rule 3 of the Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 prescribes that such interception requires prior approval from the competent authority, i.e. the Secretary in the Ministry of Home Affairs in the case of the Central Government, and the Secretary in charge of the Home Department in the case of a State Government (except in emergency cases, where a separate procedure is provided).

               

              • The precautions to be taken when communicating the data to other parties;

              Rule 20 of the Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 prescribes that the intermediary or person in-charge of computer resources shall put in place adequate and effective internal checks to ensure that unauthorised interception of information does not take place and extreme secrecy is maintained, and that utmost care and precaution shall be taken in the matter of interception or monitoring or decryption of information as it affects the privacy of citizens, and also that it is handled only by the designated officers of the intermediary and no other person of the intermediary or person in-charge of computer resources shall have access to such intercepted or monitored or decrypted information.

               

              • The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

              Rule 6 of the said rules provides for interception or monitoring or decryption of information by a State beyond its jurisdiction. Rule 21 of the said rules places the obligation on intermediaries to ensure their employees maintain secrecy and confidentiality of intercepted communications, and Rule 25 prohibits its disclosure except to the officer of the authorized agency who can use such information only for specified uses pursuant to the direction of the competent authority. Rule 23 prescribes destruction of intercepted communications after these are not required for law enforcement purposes.

               

              • The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.

              Similarly, the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 were passed for governing activities of monitoring and collection of traffic data. Rule 3 of the said rules mandates prior permission of the competent authority, i.e. the Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology, to conduct monitoring or collection of traffic data for cyber security reasons, inter alia, forecasting of imminent cyber incidents and tracking of persons and computer resources breaching cyber security. The competent authority can authorize any agency for the said purposes. In order to prevent unauthorized monitoring and to maintain secrecy of the information collected, intermediaries are made liable for their employees by Rules 5, 6 and 11 of the said rules.

               

              The Retd. Justice K S Puttaswamy Case (2017 SCC OnLine SC 996) established the ‘proportionality and legitimacy’ test – which is a four-fold test that needs to be fulfilled before state intervention in the right to privacy:

              • The state action must be sanctioned by law.
              • In a democratic society there must be a legitimate aim for action.
              • Action must be proportionate to the need for such interference.
              • And it must be subject to procedural guarantees against abuse of the power to interfere.
              • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?
              • What objective criteria are used to determine which personal data of individuals are stored?
              • Does national legislation require any relationship between the data which must be retained and a threat to public security?
              • Does national legislation restrict the data retention in relation to …?
                • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
                • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?
              • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?
              The existing laws in the region are silent on this subject.
              • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
              • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

              Competent Authorities: Under Rule 2(d) of Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 the Secretary in the Ministry of Home Affairs, in case of the Central Government; or the Secretary in charge of the Home Department, in case of a State Government or Union territory, as the case may be;

              Any officer not below the rank of Joint Secretary to the Government of India, who has been authorised by the Union Home Secretary or the State Home Secretary in this behalf, may authorize the interception of communications in case of an emergency. 

              Review committee: Under the Indian Telegraph Act 1885 and the Rules issued thereunder (Rule 419A), a Central Any direction issued by the competent authority under Rule 3 of the Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 shall contain reasons for such direction and a copy of such direction shall be forwarded to the Review Committee within a period of seven working days.
              • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
              • Who should the individual address (see, Guarantee C)?
              • Does the court/control committee have access to all relevant information, including closed materials?

              There is no legislation in place; however, the Personal Data Protection Bill, 2019 provides for correction, completion, updating and erasure of personal data and also envisages establishing a regulating authority. The bill is yet to come into effect.

              Since the right to privacy was recognised by the Apex Court in the case of Retd. Justice K.S. Puttaswamy v. Union of India (2017 SCC OnLine SC 996), one can always file a writ for a legal remedy.
              The Personal Data Protection Bill, 2019 has been introduced in Parliament and is currently under review by a Joint Parliamentary Committee. The bill provides for protection of personal data of individuals.
              _________________
              Please note that according to a recent legal study published by the European Data Protection Board "on Government access to data in third countries", the researchers found that "[...] the Indian government has a track record of infringing both rights [to privacy and personal data protection] extensively", while the "regulations foresee widespread exemptions for governmental access to personal data".

              Please see the country report for India as part of the study "State of Privacy" conducted by Privacy International.
              British Indian Ocean Territory (British Overseas Territory)AfricaIO
              IraqIQ
              IranIR
              IcelandIS(EEA member state)✔️✔️✔️✔️S, R, E: 01/07/1991S✔️
              ItalyIT(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/07/1997S✔️Filippo Bianchini
              JerseyEuropeJE✔️
              See here
              ✔️✔️✔️✔️
              JamaicaNorth AmericaJM
              JordanAsiaJON/A
              Please see the country report for Jordan as part of the study "State of Privacy" conducted by Privacy International.
              JapanAsiaJP✔️
              See here
              ✔️
              Only covers private sector organisations.
              ✔️
              See here
              or here
              ✔️✔️✔️✔️Takaya Terakawa, CIPP/E, CIPM, Technica Zen (CEO)
              Takaya is a certified privacy professional as well as a data governance consultant in Japan. Takaya runs his own enterprise, Technica Zen, and provides consultation and training services to companies. Takaya is a child online safety advocate and Head of Cybersafety.org Japan, an NPO established by recognized cybersecurity U.S. attorney, Parry Aftab.

              Japanese rules reflect the OECD guidelines. They incorporate the concepts included in the OECD guidelines, such as collection limitation and purpose specification.

              The personal information protection rules for administrative organs are specified in the “Act on the Protection of Personal Information Held by Administrative Organs” (“APPI-AO”), and those for incorporated administrative agencies are specified in the “Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc.” (“APPI-IAA”).

              Both administrative organs and incorporated administrative agencies must follow the rules below to the extent necessary for conducting processes under their jurisdiction provided by laws and regulations. The rules include:

              • Restriction on the Retention of Personal Information;
              • Clear Indication of the Purpose of Use;
              • Maintaining Accuracy;
              • Security Measures; and
              • Restriction of Use and Provision of Personal Information.

              Regarding the criteria given in the Art. 29 Working Party's Working Paper 237, you cannot find any information in those Acts, since these rules relating to handling personal information focus on general topics and do not address surveillance specifically.

              Japan has the “Telecommunications Business Act”, but this only applies to private organizations.

              As mentioned in “Guarantee A”, the rules for governmental organizations clearly include the OECD guideline principles.

              • Restriction on the Retention of Personal Information (Art. 3 APPI-AO, Art. 3 APPI-IAA)
                • may retain Personal Information only when retaining the information is necessary for conducting processes under its jurisdiction provided by laws and regulations, and must specify the purpose of use of Personal Information as much as possible when retaining this information
                • must not retain Personal Information beyond the extent necessary for the purpose of use specified
              It does not include any objective criteria nor restrictions when it comes to collecting and storing personal information.

              No independent organization supervises governmental organizations in Japan. The responsible minister manages administrative organs and incorporated administrative agencies.

              The Minister of Internal Affairs and Communications may collect reports on the status of enforcement of “Act on the Protection of Personal Information Held by Administrative Organs” from the heads of Administrative Organs.

              The Minister of Internal Affairs and Communications may collect reports on the status of enforcement of “Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc.” from the incorporated administrative agencies, etc.
              Individuals are granted the right to request disclosure, correction, and suspension of use of their personal information held by the government. If the request is not accepted, individuals are entitled to appeal for review of any inaction related to the request.

              The Japanese APPI applies to private organizations. Since the PPC is defined in the APPI, the power of the PPC is also restricted to private organizations. (See Art. 2 (5) APPI and Art. 61 APPI) The only exception when the PPC may monitor governmental organizations is when governmental organizations handle “Anonymized Personal Information”, which is pseudonymized governmental data.

              When you look at the Japanese personal information protection acts, you will notice that the assumption is “government will not do harm”. Although Japan does have acts for governmental organizations, the oversight mechanism is unclear.
              KenyaAfricaKEN/A
              Please see the country report for Kenya as part of the study "State of Privacy" conducted by Privacy International.
              KyrgyzstanAsiaKG
              CambodiaAsiaKHASEAN Model Contractual Clauses for Cross Border Data Flows (2021)
              Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021)
              ✔️
              KiribatiOceania/AustraliaKI
              ComorosAfricaKM
              Saint Kitts and NevisNorth AmericaKN
              North KoreaAsiaKP
              South KoreaAsiaKR✔️
              See here
              ✔️
              See here
              or here
              ✔️✔️
              KuwaitAsiaKW

              Ms. Tripti Dhar, Partner – Reina Legal

              • B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
              • Admitted to practice in India; enrolled with the Delhi Bar Council
              • Certified CIPP/E
              • Member of International Association of Privacy Professionals (IAPP)
              • DSCI Certified Privacy Professional (DCPP)
              • Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India
              • The nature of the offences which may give rise to an interception or surveillance order;

              According to Article 1 of Law No. 61 of 2015 each camera and security surveillance device is used to capture, transfer, and record the image, in order to monitor and observe the security situation.

               

              • A definition of the categories of people that might be subject to surveillance;

              The existing laws in the region are silent on this subject.

               

              • A limit on the duration of the measure;

              Article 5 of Law No. 61 of 2015 prescribes that recordings of the surveillance be kept for a period of 120 days and destroyed immediately after the expiry of that period.

               

              • The procedure to be followed for examining, using and storing the data obtained;

              The existing laws in the region are silent on this subject.

               

              • The precautions to be taken when communicating the data to other parties; and the circumstances and substantive and procedural conditions relating to the access of the competent authorities.

              Article 6 of Law No. 61 of 2015 prohibits the extradition or transfer, store, send or publish any of the recordings referred to, except with the written consent of the competent point of the investigation or the competent court.

               

              • The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.
              The existing laws in the region are silent on this subject.
              • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

              The existing laws in the region are silent on this subject.

               

              • What objective criteria are used to determine which personal data of individuals are stored?

              Article 3 of Law No. 61 of 2015

              Prescribed by the minister of technical specifications for the cameras and surveillance equipment and security according to what is locally and internationally certified, and identifies the competent authority places and points status and number in the facilities.

               

              • Does national legislation require any relationship between the data which must be retained and a threat to public security?
              • Does national legislation restrict the data retention in relation to …?
                • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
                • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (e.g., witnesses)?

              Article 9 of Law No. 61 of 2015

              Prohibiting the installation of cameras and security surveillance in the stomach places to live or to sleep or physical therapy rooms or dressing and restrooms, health institutes and women's salons women or any positions contrary to put cameras where with personal privacy and shows in the Regulations rooms, may be a decision of the Minister to add other possibility

               

              • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

              Article 6 of Law No. 61 of 2015

              Without prejudice to the provisions of Article (5) prohibits the extradition or transfer, store, send or publish any of the recordings referred to, except with the written consent of the competent point of the investigation or the competent court.
              • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

              According to Article 1 of Law No. 61 of 2015, the competent authority is the designation specified by the Minister of Interior.

               

              • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

              Article 7 of Law No. 61 of 2015

              Owners of facilities and those responsible for managing maintenance of cameras and security surveillance and updated periodically and continuously, to ensure a good performance for its purposes, and the continuity of compliance with the technical specifications.

              Article 8 of Law No. 61 of 2015

              The employees who are appointed by the competent minister to adjust the violations set forth in this law, the status of law enforcement officers, and to them in order to fulfill their entry facilities and inspect and adjust the material irregularities and the subject of the offense and the liberalization of the necessary records and forwarded to the relevant point of the investigation.

              Article 10 of Law No. 61 of 2015

              In terms of the investigation or the court may consider registrations made by surveillance cameras and security devices, as a guide.

              The onus is more on the owners of the facility. Actions are taken once a violation occurs.
              • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
              • Who should the individual address (see, Guarantee C)?
              • Does the court/control committee have access to all relevant information, including closed materials?

              According to Article 36 of Law No. 20 of 2014, 

              A) Individuals are allowed to request the bodies authorized by law, governmental bodies, agencies, public institutions, companies, non-governmental bodies or employees to delete or amend any of their personal data or information which the bodies keep in their records or electronic processing systems if they were found to be invalid or non-conforming with reality. The individuals may also request such information to be replaced according to the amendments thereto.

              B) The Executive By-law of this law sets forth the procedures and controls that must be followed regarding the requests submitted by individuals for the deletion or amendment of their personal data registered at one of the aforementioned bodies.
              The information provided above is from an unofficial English translation.
              Cayman IslandsNorth AmericaKY
              KazakhstanEuropeKZ✔️
              See here
              or here
              LaosAsiaLAASEAN Model Contractual Clauses for Cross Border Data Flows (2021)
              Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021)
              ✔️
              LebanonAsiaLBN/A
              Please see the country report for Lebanon as part of the study "State of Privacy" conducted by Privacy International.
              Saint LuciaNorth AmericaLC
              LiechtensteinEuropeLI(EEA member state)✔️✔️✔️✔️✔️S, R, E: 01/09/2004S
              Sri LankaAfricaLKSamantha de Soysa
              LiberiaAfricaLR
              LesothoAfricaLS
              LithuaniaEuropeLT(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/10/2001S, R✔️
              LuxembourgEuropeLU(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/06/1988S✔️Nicolas Hamblenne
              LatviaEuropeLV(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/09/2001S✔️
              LibyaAfricaLY
              MoroccoAfricaMA
              See here
              ✔️R (Accession), E: 01/09/2019N/A
              Please see the country report for Morocco as part of the study "State of Privacy" conducted by Privacy International.
              MonacoEuropeMC✔️✔️✔️✔️S, R, E: 01/04/2009SOlivier Guillo
              MoldovaEuropeMD✔️✔️S, R, E: 01/06/2008Veronica Mocanu
              MontenegroEuropeME✔️✔️S, R, E: 06/06/2006Mina Crnogorac
              MadagascarAfricaMG
              Marshall IslandsOceania/AustraliaMH
              MaliAfricaML✔️
              See here
              or here
              Myanmar [Burma]AsiaMMASEAN Model Contractual Clauses for Cross Border Data Flows (2021)
              Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021)
              ✔️
              MongoliaAsiaMN✔️
              See here
              or here
              MacauAsiaMO
              Northern Mariana IslandsOceania/AustraliaMP
              Martinique (French Overseas Department and Region)North AmericaMQ(EU member state)✔️✔️✔️
              MauritaniaAfricaMR
              MontserratNorth AmericaMS
              MaltaEuropeMT(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/06/2003S, RFarman Ali Shah Sayed
              MauritiusAfricaMU✔️✔️R (Accession), E: 01/10/2016S, RDeepshi Hujoory, LLB(Hons), CIPP/E, CIPT

              I would refer to four pieces of legislation in Mauritius to elaborate on the nature of offences which may give rise to a surveillance or interception order:

              • The Information and Communication Technologies Act 2001 (“ICTA”) provides for the following in Section 32:
              • A public operator - that is, a person licensed under the ICTA, who owns or operates a public information and communication network, or who offers an information or communication service to the public - may intercept or withhold any message passing over the network, if the operator has reason to believe the message will fall under any three of the below categories:
              • The message is indecent or abusive.
              • The message is in any way in contravention of the ICTA.
              • The message is of a nature likely to endanger or compromise State's defence, or public safety or public order.
              • The operator withholding the message is then bound by the ICTA to refer the message to the Information and Communication Technologies Authority (“ICT Authority”).
              • The Police or the Independent Commission Against Corruption (“ICAC”) may apply to a Judge in Chambers for an order authorising a public operator to intercept, withhold, or disclose the message to the Police or the ICAC. Such an order would only be made by the Judge where the latter is satisfied that the data is material to any criminal proceedings in Mauritius.

              Link to the ICTA: https://www.icta.mu/docs/laws/ict_act.pdf

              • The Computer Misuse and Cybercrime Act 2003 allows for real time collection of traffic data transmitted over an information and communications network by an investigatory authority under Section 15. This would be permissible only when a Judge in Chambers would issue such an order, further to application by the authority, where the latter has reasonable grounds to believe that any data would be relevant for the purposes of investigation and prosecution of an offence under this act.

              Link to act: http://www.ncb.mu/English/Documents/Legislations/COMPUTER_MISUSE.pdf

              • The Constitution of Mauritius, which is the supreme law of Mauritius, guarantees protection of fundamental rights and freedoms of the individual, for instance, protection for privacy of home and other property, as well as protection of freedom of expression. There was an issue regarding phone tapping being practised in Mauritius, which was raised by an opposition Member of Parliament [source: a local news article published in 2016, https://defimedia.info/phone-tapping-are-you-being-listened]. Reference was made in the debate to the aforesaid provisions of the ICTA, under which such a practice could only be permitted by a Judge’s order, and to exceptions under Section 12 of our Constitution which provides that freedom of expression could be curbed, inter alia:
              • In the interests of defence, public safety, public order, public morality or public health; or
              • For the purpose of protecting the reputations, rights and freedoms of other persons; or
              • For the imposition of restrictions upon public officers.

              Link to the Constitution: http://mauritiusassembly.govmu.org/English/constitution/Pages/constitution2016.pdf

              • The Data Protection Act 2017 (“DPA”), enacted with the aim of uplifting and aligning local data protection laws with international best practices and the GDPR, tries to strike a balance between concerns of the Government and fundamental rights of individuals, mostly privacy rights. Section 44 of the DPA allows for exceptions to the act for:
              • The protection of national security, defence or public security.
              • The prevention, investigation, detection or prosecution of an offence.
              • An objective of general public interest, including an economic or financial interest of the state.
              • The protection of judicial independence and judicial proceedings.
              • The protection of a data subject or the rights and freedoms of others.
              • The issue of any licence, permit or authorisation during the COVID-19 period. (This sub-part was added in May 2020, via the COVID-19 Bill, to reflect measures taken by the Government during the lockdown period, for instance, allowing only those employees who possess a Work Access Permit to access their work premises. These permits were to be authorised by the Monitoring Committee – COVID 19, set up by Government.)

               

              Section 44 of the DPA goes even further and exempts processing of personal data from all provisions of the DPA where, in the opinion of the Prime Minister of Mauritius (“PM”), same would be required for the purpose of safeguarding national security, defence or public security. In such a case, a certificate under the hand of the PM would be needed to constitute conclusive evidence of such an exemption.

              Link to the DPA: http://dataprotection.govmu.org/English/Legislation/Pages/Data-Protection-Act-2017-.aspx

               

              It can only be inferred that the categories of people that might be subject to surveillance are those who are suspected of being in contravention with the laws, or who are parties to criminal proceedings. However, it can also be inferred that anyone from the general public of Mauritius could be subject to surveillance if it concerns protection of national security, defence or public security. This is currently the case with the Safe City Project of the actual Government, whereby some 4000 video surveillance cameras, equipped with facial recognition, have been installed in public areas for the prevention of crime, and to aid in identifying and retracing criminals. Another example is the Online Content Filtering system put in place by the ICT Authority which filters attempts to access Child Sexual Abuse (“CSA”) sites by Mauritian Users and blocks those websites since year 2011 to date.

               

              While the Safe City Project and the CSA filtering are here to stay, other cases of surveillance and interception orders would last once the investigation is complete and/or the person is prosecuted for the offence committed. The ICTA specifies that an order of the Judge shall remain valid for a period not exceeding 60 days.

               

              There are, in my opinion, grey areas with respect to detailed procedures to be followed in spite of the listed duties of Police Force detailed in the Police Act, especially when we are moving towards a highly digitalised environment. For the Safe City Project for instance, the then Leader of the Opposition raised concerns on how to prevent abuse, misuse, surveillance of all types against civil servants, how data access is going to be and how secure the system would be, amongst others. The then Minister of Defence replied that the system was secure and would be solely under the control of trained Police Officers. Furthermore, he also highlighted that the Commissioner of Police, together with the Data Protection Commissioner were working towards the formulation of a Code of Practice to be issued by the Government for filling in the procedural void.

              The legislative framework of Mauritius does bind collection, processing or storage of personal data with respect to interception or surveillance by the Government or Government Bodies to what is strictly necessary by specifying and limiting the scenarios in which these can be done. The main reasons are, as listed in detail above, for the protection of national security, defence or public security and for the purposes of investigation, prosecution or prevention of offences. As regards to what personal data may be stored, this would be subject to the reasons for which such surveillance or interception order is required; for example, an interception or preservation order falling under the ambit of part III the Cybercrime Act would include storage of traffic data and subscriber information, while interception under Section 32 of the ICTA only finds the latter describing the message which should be collected and stored, irrespective of what personal data the message could carry, as long as the message can reasonably be termed as indecent, abusive or likely to endanger public order and safety, amongst other reasons listed above. However, since legislative provisions do go hand in hand with one another, the principles relating to processing personal data, inter alia, to only collect data for legitimate purposes and to only collect data which is adequate, relevant and necessary for the purposes of processing, as listed in Section 21 of the DPA, should normally be followed while proceeding as per what other Mauritian laws lay down.

               

              Concerning the Safe City Project, the question of data retention was raised by the then Leader of the Opposition as to how long the data captured would be stored. The vague response provided by the Government was “…for a reasonable time, depending on the circumstances.” We would most certainly require further precise information on this, either via the aforementioned Code of Practice to be issued, or via another specific law to be passed for this project, as requested by the Data Protection Commissioner to the Government. It is to be noted nonetheless that the DPA, in its Section 21(e) provides that data should not be stored for any longer than necessary for the purposes for which the data was processed. The ICTA talks more specifically about data which has been collected for the purposes of criminal investigations in its Section 17 and thereby does not allow for data to be used for any other purpose other than that for which it was originally sought unless the Court or a Judge ordered otherwise, or it has become necessary to do so in the public interest, or for the further prevention of offences and losses.

               

              I would also highlight a recent local news article [source: https://www.lexpress.mu/article/377987/donnees-personnelles-mra-tenue-detruire-toutes-informations-fournies-pendant] which documented views of the ex-Chairman of the ICTA with regard to retention of personal data collected during the lockdown period. In Mauritius, lockdown started in March and ended on the 30th of May. In this period, Government Authorities were bound to collect personal data while processing applications for Work Access Permits or other applications under the Government Wages Assistance Scheme and the Self-Employed Assistance Scheme, all of which were measures set up to sustain the business sector amidst this period of crisis. The ex-Chairman highlighted that Government Authorities and the Police are all obliged under the DPA to delete all personal data collected for these purposes since they will no longer be necessary after the lockdown period.

              Under both the ICTA and the Cybercrime Act, the independent oversight mechanism rests on entrusting control to a judge at the first stage of surveillance, i.e. real time interception and collection of data may only be done by order of a Judge in Chambers, after the latter is satisfied that such an action is necessary for the investigation or prosecution of an offence. I would also highlight that the independence of the Mauritian legal system lies in the doctrine of separation of powers, upon which our constitution is based, where the Judiciary is separate and independent from two other organs of the State, which are the Executive and the Legislature.

               

              Moreover, we have a Data Protection Office in Mauritius, which is a public office established under Section 4 of the DPA to act with complete independence and impartiality, and not to be subject to the control of any other person or authority. Currently, the head of the Data Protection Office - the Data Protection Commissioner, has been holding office since August 2007 irrespective of the composition of either the Executive or the Legislature. Under Section 44 of the DPA, the Data Protection Commissioner is empowered to apply for a Judge’s order to protect the rights of individuals where the data protection laws have been breached, but apart from that, I opine that the Commissioner could, on his/ her own, act as an independent oversight mechanism. Our Data Protection Act does not specifically mention at which stage of processing should the Data Protection Commissioner be involved for an independent oversight; instead, Section 5 of the DPA lists down the functions of the Commissioner, which I would interpret as broad enough to encompass a constant monitoring process – “The Commissioner shall […] monitor developments in data processing and ensure that there is no significant risk or adverse effect of any developments on the privacy of individuals.” Furthermore, if we take as example the aforesaid case of the Safe City Project, as mentioned by the then Minister Mentor in the National Assembly, the Data Protection Commissioner was involved in the matter, to provide advice as well as in the exercise of issuing of a Code of Practice, before the system became operational.

              Sections 37 and 38 of the DPA list down the rights of data subjects, namely, the right of access and the right of rectification, erasure or restriction of processing. In the event these rights are not respected, data subjects have the possibility to lodge a complaint with the Data Protection Commissioner. The latter is empowered under Section 6 of the DPA to:

              • investigate the complaint,
              • conduct a hearing,
              • make orders for the person involved to produce materials relevant for the investigation, and
              • make a decision relative to an amicable resolution by the parties concerned.

               

              If required, in the event the DPA has been breached and rights of data subjects have not been respected, as aforementioned under Guarantee C, the Commissioner may apply for a Judge’s order.
              Hansard of the National Assembly of Mauritius dated 21 May 2019 – Safe City Project, available at http://mauritiusassembly.govmu.org/English/hansard/Documents/2019/hansard0819.pdf
              MaldivesAsiaMV
              MalawiAfricaMW
              MexicoNorth AmericaMX
              Potential future candidate (p. 52) for adequacy?
              ✔️✔️The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021).R (Accession), E: 01/10/2018✔️✔️N/A
              Please see the country report for Mexico as part of the study "State of Privacy" conducted by Privacy International.
              MalaysiaAsiaMY✔️
              See here
              or here
              ASEAN Model Contractual Clauses for Cross Border Data Flows (2021)
              Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021)
              ✔️✔️George Mathews
              MozambiqueAfricaMZ
              NamibiaAfricaNA
              New Caledonia (French special collectivity)Oceania/AustraliaNC
              NigerAfricaNE✔️
              Norfolk IslandOceania/AustraliaNF
              NigeriaAfricaNG✔️Invitation valid until 06 July 2022Ridwan Oloyede, Partner (Privacy & Data Protection) Tech Hive Advisory

              The nature of the offences which may give rise to an interception or surveillance order:

              Section 29 of the Terrorism Prevention Amendment Act provides that the “relevant law enforcement agency with the approval of the Attorney - General of the Federation may, with the approval of the Coordinator on National Security for the purpose of the prevention of terrorist acts or to enhance the detection of offences related to the preparation of a terrorist act or the prosecution of offenders under” the Act can apply to a judge for an “interception of communication order”. The Cybercrimes Act does not have a similar provision, but it establishes a basis for interception, which includes investigation of crimes under the Act.

               

              A definition of the categories of people that might be subject to surveillance:

              The Terrorism Prevention Amendment Act, the Cybercrimes Act and the Lawful Interception of Communications Regulations, 2019 allow interception of the communications of an individual for the purposes of investigation of crimes, in the interest of national security, public safety and emergency, and for giving effect to any international mutual agreement to which Nigeria is a party.

               

              A limit on the duration of the measure:

              Section 14 of the Lawful Interception of Communications Regulations, 2019 provides that a warrant to intercept communication shall be granted for an initial period of 3 months or a lesser period, and may be renewed for a maximum period of 3 months or a lesser period.

              Section 6 of the Lawful Interception of Communication Regulation provides that intercepted communication shall only be stored for the duration of the investigation, and should be destroyed upon completion. The provision of the Regulation does not specify a timeline, but grants the Nigerian Communications Commission and law enforcement agencies the power to request information from telecommunication companies. Further, Section 29(3) of the Terrorism Prevention Act, 2013 provides that an order made under the Section “shall specify the maximum period for which a communications service provider may be required to retain communications data”. Section 6(3) of the Lawful Interception of Communications Regulation provides that intercepted communications “may be” stored for 3 years and destroyed thereafter.

              The procedure to be followed for examining, using and storing the data obtained:

              The provision of the Regulation does not specify a timeline, but grants the Nigerian Communications Commission and law enforcement agencies the power to request information from telecommunication companies.

              Interception can be by warrant or without a warrant. An ex parte application is made to the Judge in compliance with the relevant law. Section 38(4) of the Cybercrimes Act, 2015 provides that information obtained should be used by the law enforcement agency only for legitimate purposes under the law. Further, Section 38(5) of the Cybercrimes Act prescribes that the law enforcement agency exercising this function should “safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement”. In addition, Section 6(3) of the Lawful Interception of Communications Regulation provides that intercepted communication shall be stored confidentially for the “purpose of investigation and prosecution in criminal proceedings in accordance with these Regulations”.

              Section 18(1) of the Lawful Interception of Communication Regulation imposes a duty of secrecy on the Agency and officials involved in the interception. The secrecy can only be waived subject to the following derogations: if the information is required for the investigation of crime, if it is required as evidence before a court of law, or if it is required by any other person “who of necessity requires it in the performance of his or her function under these Regulations”.

              The precautions to be taken when communicating the data to other parties:

              Section 10(1)(c) of the Lawful Interception of Communications Regulations mandates licensees to provide safeguards for data during transmission. Similarly, Section 38(5) of the Cybercrimes Act prescribes a confidentiality duty on law enforcement agencies.

              Section 6(c) of the Guidelines for the Provision of Internet Service (the NCC Guidelines) by the Nigerian Communications Commission (NCC) requires Internet Service Providers (ISPs) to provide information that may be requested by the Commission or any legal authority with respect to a user or the content of their communication.

              The circumstances and substantive and procedural conditions relating to the access of the competent authorities:

              Interception can also be carried out in the absence of a warrant. According to Section 12(4) of the Lawful Interception of Communication Regulation, an authorised law enforcement agency may initiate interception without a warrant where there is a risk of immediate danger of death or serious injury to any person, the activities threaten national security, or the activities have the characteristics of organised crime. Section 25(1) of the Terrorism Prevention Amendment Act specifies cases where there is a verifiable urgency, a life is threatened, or for the prevention of crime. In both instances, a warrant must be sought within 48 hours.

              The Guidelines above do not provide for any substantive or procedural conditions for access.

               

              Is the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued?

              The laws carry an expectation of confidentiality and of use limited to legitimate purposes. However, the practices are largely obscured by a lack of transparency.

              In general, do the national laws impose such a limitation to what is “strictly necessary”?

              Section 7(3) of the Lawful Interception of Communications Regulation provides that a warrant can only be given if it is in the interest of national security, for the prevention of crime, for protecting and safeguarding the economic wellbeing of Nigerians, in the interest of public emergency or safety, or for giving effect to any international mutual assistance agreement to which Nigeria is a party. Similar conditions are found under Section 45(3) of the Cybercrimes Act.

              Further, Section 38(5) of the Cybercrimes Act and Section 2(e) of the Lawful Interception of Communications Regulation provide that anyone exercising the function under the law shall have recourse to the safeguard for the right to privacy provided in the Nigerian Constitution.

              Lastly, Section 37 of the Nigerian Constitution broadly guarantees the right to privacy: the “privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”. However, Section 45(1) provides derogations which include the interest of defence, public safety, public order, public morality or public health; or for the purpose of protecting the rights and freedom of other persons.

              What objective criteria are used to determine which personal data of individuals are stored?

              Section 7(1)(b) of the Lawful Interception Regulation restricts the data to what is disclosed in the warrant for such intercepted communication.

              There are no clear-cut processes or criteria to be observed before personal data of individuals are stored in any of these laws.

              Does national legislation require any relationship between the data which must be retained and a threat to public security?

              Public security is one of the conditions allowed for interception of communication.

               

              Does national legislation restrict the data retention in relation to …?

              • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
              • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

              The law does not make any clear distinction on the bases highlighted above. Section 29(4) of the Terrorism Prevention Amendment Act 2013 allows data intercepted outside the country to be valid as evidence before the Nigerian courts. Section 6 of the Lawful Interception of Communication Regulation provides a period of 3 years to store data, after which it must be destroyed.

              Also, a warrant lawfully sought provides and limits the scope of the power that can be exercised under it. There are no clear systems of transparency that are built into these laws to ensure accountability.

               

              Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

              Yes. Section 16 of the Freedom of Information Act provides that a public institution may deny an application for information that is subject to legal practitioner-client privilege, health workers-client privilege, journalism confidentiality privilege and any other professional privilege protected by another Law.

              Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

              The Cybercrimes Act, the Terrorism Prevention Amendment Act and the Lawful Communications Interception Regulation provide that an application for surveillance should be brought before a Judge.

              At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

              It is initiated at the first stage. However, surveillance done without a warrant still has to be brought under the review of a judge within 48 hours under Section 12(4) of the Lawful Interception of Communication Regulation. Further, surveillance done without obtaining the warrant is considered unlawful.

              Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?

              The Nigeria Data Protection Regulation provides for rights of data subjects. Article 3.1 (1) provides the right to access personal information held about them. Such data should be provided in an intelligible form and within one month of such request. Article 3.1 (11) of the Regulation also provides the right to rectification of data held about a data subject. Similarly, the Regulation contemplates the right to erasure.
              Section 9(6)(a) & (b) of the Credit Reporting Act provides for the right to access and the right to rectification of personal information, respectively.

              Who should the individual address (see, Guarantee C)?

              The National Information Technology Development Agency and the Central Bank of Nigeria. The data subjects also have the right to lodge a complaint before a court of law.

               

              Does the court/control committee have access to all relevant information, including closed materials?

              These laws are silent on access to all relevant information. However, Section 29(4) of the Terrorism Prevention Amendment Act provides that all materials are considered valid as evidence before the court. Section 17 of the Lawful Interception of Communications Regulation provides that “the use of any information obtained pursuant to these Regulations as evidence in any prosecution, is subject to the consent of the presiding Judge in an application that such evidence be tendered by the party seeking to rely on it”.

              The extent of surveillance in Nigeria can only be fully appreciated through the budgetary allocation for the function. Between 2014 and 2017, the country, through the three Intelligence Agencies, spent a combined sum of N127,987,715,414 ($418,260,507.89) on surveillance equipment and capacity development. This is in addition to the fact that Nigeria does not have a comprehensive and specific primary legislation on data protection.

              1. Status of Surveillance in Nigeria: Refocusing the Search Beams. Policy Brief 009. Prepared by Tomiwa Ilori for Paradigm Initiative.
              2. Stakeholder Report Universal Periodic Review 31st Session - Nigeria The Right to Privacy in Nigeria.
              3. Tightening the Noose on Freedom of Expression 2018 Status of Internet Freedom in Nigeria.
              4. Freedom on the net Report, 2018.
              5. Constitution of the Federal Republic of Nigeria, 1999.
              6. Credit Reporting Act 2017.
              7. Terrorism Prevention Amendment Act, 2013.
              8. Lawful Interception of Communications Regulations, 2019.
              9. Cybercrimes (Prevention and Prohibition) Act, 2015.
              10. Freedom of Information Act, 2011.
              NicaraguaNorth AmericaNI
              NetherlandsEuropeNL(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/12/1993S✔️
              NorwayEuropeNO(EEA member state)✔️✔️✔️✔️✔️S, R, E: 01/10/1985S✔️

              Lars Vinden - Privacy Lawyer

              Yes. The legal basis for intercepting communications is found in the Criminal Procedure Act chapter 16 a section 216 a, whereas the bases for other seizures and surrender orders are given in chapter 16 and chapter 16 b to 16 d. Further rules for lawful intercept are provided in the Lawful Intercept Regulation. The Police Security Service has additional legal bases for collecting data in the Police Act section 17d.

              General procedural rules for processing the data are found in the Police Register Act.
              Yes, the rules may be regarded as necessary and proportional. Interceptions of communications, seizures and surrender orders shall as a general rule be issued by the courts, or in exceptional circumstances be reviewed by courts as part of an on-going investigation of a limited number of criminal acts that for the most part may lead to imprisonment of 10 years or more, and the information must be relevant to the on-going investigation (see for instance the Criminal Procedure Act section 216 a). There are restrictions for information that is subject to a statutory duty of confidentiality, see the Criminal Procedure Act section 204.

              Yes. Ex ante oversight is conducted by the general courts that authorise surveillance measures (see Criminal Procedure Act chapter 16 to 16 d). Ex post / ex officio oversight is conducted by:

              Yes. The right to be notified of surveillance measures is provided in the Criminal Procedure Act section 216 j and the Lawful Intercept Regulation chapter 3. Further individual rights, such as the right to access, rectification or erasure, are provided by the Police Register Act chapter 8.

              The courts and oversight committees (see Guarantee C above) have full access to information to verify that any surveillance has been conducted in accordance with the law.

              Public reports from the oversight committees are available at https://eos-utvalget.no and https://www.kk-utvalget.no/rapporter.473489.no.html (Norwegian only).

               

              Please note that there are various legislative initiatives that may affect the “essential guarantees”, most notably a new intelligence surveillance act. The government is also considering implementing a data retention act that somewhat mirrors the EU’s repealed data retention directive (but with the aim of adding essential guarantees making the mandatory retention lawful).
              NepalAsiaNP
              NauruOceania/AustraliaNR
              NiueOceania/AustraliaNU
              New ZealandOceania/AustraliaNZ✔️
              See here
              ✔️✔️✔️✔️
              See here
              or here
              ✔️Information Privacy Principle 12: Comprehensive guidance by New Zealand's Privacy Commissioner (including templates and a Model Contract Clauses Agreement Builder)Invitation valid until 24 September 2025✔️✔️✔️
              OmanAsiaOM

              Ms. Tripti Dhar, Partner – Reina Legal

              • B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
              • Admitted to practice in India; enrolled with the Delhi Bar Council
              • Certified CIPP/E
              • Member of International Association of Privacy Professionals (IAPP)
              • DSCI Certified Privacy Professional (DCPP)
              • Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India
              • The nature of the offences which may give rise to an interception or surveillance order;

              According to Article 30 of Royal Decree No. (101/96) Promulgating the Basic Statute of the State, the freedom of correspondence by post, telegraph, telephone conversations, and other means of communication is protected and its confidentiality is guaranteed. It is not permissible to monitor, search, disclose the confidentiality of, delay, or confiscate the same, except in cases specified by the Law and in accordance with the procedures stated therein.

               

              • A definition of the categories of people that might be subject to surveillance;

              The existing laws in the region are silent on this subject.

               

              • A limit on the duration of the measure;

              The permission specified in Article 90 of the Penal Procedure Law promulgated by Royal Decree 97/1999, as amended (“CPL”) may only be issued by the Public Prosecutor, who would only permit audio or video recording of an individual if there is sufficient evidence of an offence or misdemeanor punishable by imprisonment for a period exceeding three months. Once granted, the permission is valid for a renewable period not exceeding 30 days, during which the audio or video evidence must be obtained.
               

              • The procedure to be followed for examining, using and storing the data obtained;

              The existing laws in the region are silent on this subject.

               

              • The precautions to be taken when communicating the data to other parties; and

              The existing laws in the region are silent on this subject.

               

              • The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

              The existing laws in the region are silent on this subject.

               

              • The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.
              The existing laws in the region are silent on this subject.
              • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

              The existing laws in the region are silent on this subject.

               

              • What objective criteria are used to determine which personal data of individuals are stored?

              The existing laws in the region are silent on this subject.

               

              • Does national legislation require any relationship between the data which must be retained and a threat to public security?
              • Does national legislation restrict the data retention in relation to …?
                • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
                • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?
              • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?
              According to Article 49 of Royal Decree 69/2008 - The Electronic Transactions Law, when the personal data are supposed to be transferred outside Oman, regard shall be had to the security of such information, in particular: (a) Nature of personal data, (b) Source of information and data, (c) Purpose for which the data are to be processed and duration of process, (d) The country of destination where the data were transferred, its international obligation, and the law applicable, (e) Any related rules applied in that country, (f) The security measures taken to secure that data in that country.
              • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
              • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?
              The permission specified in Article 90 of the Penal Procedure Law promulgated by Royal Decree 97/1999, as amended (“CPL”) may only be issued by the Public Prosecutor, who would only permit audio or video recording of an individual if there is sufficient evidence of an offence or misdemeanor punishable by imprisonment for a period exceeding three months.
              • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
              • Who should the individual address (see, Guarantee C)?
              • Does the court/control committee have access to all relevant information, including closed materials?
              According to Article 46 of Royal Decree 69/2008, the authentication service provider shall, upon the request of the person from whom data is collected, enable that person to have access to or update those personal data.
              PanamaNorth AmericaPAThe Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021).Marycarmen González M.
              PeruSouth AmericaPE✔️
              See here
              or here
              The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021).✔️
              French Polynesia (French Overseas Collectivity)Oceania/AustraliaPF
              Papua New GuineaOceania/AustraliaPG
              PhilippinesAsiaPHASEAN Model Contractual Clauses for Cross Border Data Flows (2021)
              Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021)
              ✔️N/A
              Please see the country report for the Philippines as part of the study "State of Privacy" conducted by Privacy International.
              PakistanAsiaPKN/A
              Please see the country report for Pakistan as part of the study "State of Privacy" conducted by Privacy International.
              PolandEuropePL(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/09/2002S, R✔️
              Saint Pierre and Miquelon (French Overseas Collectivity)North AmericaPM
              Pitcairn IslandsOceania/AustraliaPN
              Puerto RicoNorth AmericaPRAlejandro Mercado, Esq.
              Palestinian TerritoriesAsiaPS
              PortugalEuropePT(EU member state)✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator.
              The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021).
              S, R, E: 01/01/1994S✔️
              PalauOceania/AustraliaPW
              ParaguaySouth AmericaPYN/A
              Please see the country report for Paraguay as part of the study "State of Privacy" conducted by Privacy International.
              QatarAsiaQA✔️
              See here
              or here
              The Qatar Financial Centre has recognized a number of countries as providing adequacy (see, List of Adequate Jurisdictions). For jurisdictions not providing adequate protection, the Qatar Financial Centre has published four sets of SCCs (available here) similar to the 2021 SCCs by the EU Commission.

              Ms. Tripti Dhar, Partner – Reina Legal

              • B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
              • Admitted to practice in India; enrolled with the Delhi Bar Council
              • Certified CIPP/E
              • Member of International Association of Privacy Professionals (IAPP)
              • DSCI Certified Privacy Professional (DCPP)
              • Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India
              • The nature of the offences which may give rise to an interception or surveillance order;

              Law No. 9 of 2011 (Law No. 9 of 2011 regulating the use of Security and Surveillance CCTV Camera and devices) mandates that surveillance cameras be installed in residential compounds, hospitals, malls, banks, hotels, warehouses and other locations, and is enforced by the MOI's Security Systems Department (SSD). However, these systems are prohibited in private areas like bedrooms, treatment or patient rooms in hospitals, changing rooms and toilets.

              Article 19 of Law No. 3 of 2004 on Combating Terrorism grants the authorities extensive powers to conduct surveillance by any means for 90 days prior to any judicial review and to seize any forms of communication whenever this is useful in “uncovering the truth” regarding “terrorist crimes”.

              • A definition of the categories of people that might be subject to surveillance;

              The existing laws in the region are silent on this subject.

               

              • A limit on the duration of the measure;

              According to Article 6 of Law No. 9 of 2011, the Facilities shall keep the recordings for a period of one hundred and twenty (120) days, shall not make any adjustments thereto and shall hand them over to the Competent Department upon request. The Competent Department shall destroy the recordings immediately after the end of that period.
               

              • The procedure to be followed for examining, using and storing the data obtained;

              The existing laws in the region are silent on this subject.

               

              • The precautions to be taken when communicating the data to other parties; and the circumstances and substantive and procedural conditions relating to the access of the competent authorities.

              According to Article 7 of Law No. 9 of 2011, save with the approval of the Competent Authority, the transfer, saving, sending or publishing of any of the recorded data shall be prohibited.
               

              • The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.
              The existing laws in the region are silent on this subject.
              • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

              The existing laws in the region are silent on this subject.

               

              • What objective criteria are used to determine which personal data of individuals are stored?

              According to Article 6 of Law No. 9 of 2011, the Facilities shall keep the recordings for a period of one hundred and twenty (120) days, shall not make any adjustments thereto and shall hand them over to the Competent Department upon request. The Competent Department shall destroy the recordings immediately after the end of that period.
               

              • Does national legislation require any relationship between the data which must be retained and a threat to public security?

              The existing laws in the region are silent on this subject.

               

              • Does national legislation restrict the data retention in relation to …?
                • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
                • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

              Article 8 of Law No. 9 of 2011

              It shall be prohibited to install Surveillance Camera and devices in the bedrooms, physiotherapy rooms, toilets, changing rooms and places dedicated for women

               

              • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?
              According to Article 7 of Law No. 9 of 2011, save with the approval of the Competent Authority, the transfer, saving, sending or publishing of any of the recorded data shall be prohibited.
              • “Who” is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
              • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?
              According to Article 3 of Law No. 9 of 2011, the Competent Authority shall have the right to enter the Facilities for the purpose of inspecting the Surveillance Camera and devices to ascertain the extent of compliance with the technical specifications and effectiveness in achieving their purpose.
              • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
              • Who should the individual address (see, Guarantee C)?
              • Does the court/control committee have access to all relevant information, including closed materials?
              According to Law No. (13) of 2016 Concerning Personal Data Protection, the data subject has the right to request correction, deletion, access and review of the personal data.
              Réunion (French Overseas Department and Region)AfricaRE(EU member state)✔️✔️✔️
              RomaniaEuropeRO(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
              See, SCC Generator
              S, R, E: 01/06/2002SIulian Matache
              SerbiaEuropeRS
              Potential future candidate (p. 52) for adequacy?
              ✔️Standard Contractual Clauses („Службени гласник РС“, број 5/2020)S, R, E: 01/01/2006S, R

              Ivan Milosevic, Partner JPM Jankovic Popovic Mitic and Andrea Cvetanovic, Senior Lawyer JPM Jankovic Popovic Mitic

              I. The nature of the offences which may give rise to an interception or surveillance order:


              A) Offences processed by criminal courts

              In accordance with Article 162 para 1 of the Criminal Procedure Code (“Official Herald RS”, Nos. 72/2011, 101/2011, 121/2012, 32/2013, 45/2013, 55/2014 and 35/2019 – “Criminal Procedure Code”), special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching – can be determined for the following criminal offences:

              1) for which the competence of public prosecution of special competence is prescribed by special law:

              a) Law on Organisation and Organisation of State Bodies in Prevention of Organised Crime, Terrorism and Corruption (“Official Herald RS" Nos. 94/2016 and 87/2018 – other law):

              • criminal offence of organised crime;

              • murder of the highest-ranking officials of the state bodies (Art. 310 of the Criminal Code, “Official Herald RS” Nos. 85/2005, 88/2005 - correction, 107/2005 - correction, 72/2009, 111/2009, 121/2012, 104/2013, 108/2014, 94/2016 and 35/2019 – “Criminal Code”) and criminal offence of armed rebellion (Art. 310 of Criminal Code);

              • criminal offences against official duty (Art. 359 and Art. 361- 368 of Criminal Code) and criminal offence – giving and receipt of bribe in relation of voting (Art. 156 of Criminal Code);

              • criminal offences against commerce (Art. 223, 223a, 224, 224a, 227, 228, 228a, 229, 230, 231, 232, 232a, 233, Art. 235 para 4, Art. 236 and Art. 245 of Criminal Code);

              • terrorism (Art. 391 of Criminal Code), public instigation to commit terrorist acts (Art. 391a of Criminal Code), canvass and training to commit terrorist act (Art. 391b of Criminal Code), usage of lethal device (Art. 391v of Criminal Code), destruction and engagement of nuclear facility (Art. 391g of Criminal Code), financing terrorism (Art. 393 of Criminal Code) and terrorist accouplement (Art. 393a of Criminal Code);

              • criminal offence against state bodies (Art. 322 para 3 and 4 and Art. 323 para 3 and 4 of Criminal Code) and criminal offence against judiciary (Art. 333 and Art. 335, Art. 336 para 1, 2 and 4 and Art. 336b, 337 and 339 of Criminal Code), if these have been committed in connection to criminal offence stated in items i) – iv) above.
              b) Law on Organisation and Competence of State Bodies for War Crimes Procedures (“Official Herald RS" Nos. 67/2003, 135/2004, 61/2005, 101/2007, 104/2009, 101/2011 – other law and 6/2015)
              • criminal offences prescribed by Art. 370 – 384 and 385 and 386 of the Criminal Code;

              • grave breaches of international humanitarian law committed on the territory of Former Yugoslavia prescribed in Statute of International Criminal Tribunal for Former Yugoslavia;

              • assistance to offender after committing criminal offence (Art. 333 of the Criminal Code) if committed in connection to criminal offences stated in item i) and ii) above.
              Offences prescribed by Art. 162 of the Criminal Procedure Code:

              2) aggravated murder (Art. 114 of Criminal Code), abduction (Art. 134 of Criminal Code), presenting, procuring and possession of pornographic material and exploiting a minor for pornography (Art. 185 para 2 and 3 of Criminal Code), robbery (Art. 206, para 2 and 3 of Criminal Code), extortion (Art. 214 para 4 of Criminal Code), abuse of position by responsible person (Art. 227 of Criminal Code), misuse in public procurement (Art. 228 of Criminal Code), receipt of bribe in performing business activities (Art. 230 of Criminal Code), giving bribe in performing business activities (Art. 231 of Criminal Code), counterfeiting money (Art. 241 para 1-3 of Criminal Code), money laundering (Art. 245, para 1-4 of Criminal Code), unlawful production and putting into circulation of narcotics (Art. 246 para 1-4 of the Criminal Code), compromising independence (Art. 305 of Criminal Code), compromising territorial integrity (Art. 307 of Criminal Code), attack against the constitutional order (Art. 308 of Criminal Code), sedition on a violent change of the constitutional order (Art. 309 of Criminal Code), diversion (Art. 313 of Criminal Code), sabotage (Art. 314 of Criminal Code), espionage (Art. 315 of Criminal Code), disclosing a state secret (Art. 316 of Criminal Code), instigation of national, racial and religious hatred and intolerance (Art. 317 of Criminal Code), violation of territorial sovereignty (Art. 318 of Criminal Code), conspiracy for unconstitutional activity (Art. 319 of Criminal Code), preparation of acts against the constitutional order and security of Republic of Serbia (Art. 320 of Criminal Code), grave offences against the constitutional order and security of Republic of Serbia (Art. 321 of Criminal Code), unauthorized production, possession, carrying and transport of weapons and explosive materials (Art. 348, para 3 of Criminal Code), illegal crossing of state border and human trafficking (Art. 350, para 2 and 3 of Criminal Code), abuse of official duty (Art. 359 of Criminal Code), influence peddling (Art. 366 of Criminal Code), receipt of bribe (Art. 367 of Criminal Code), giving bribe (Art. 368 of Criminal Code), human trafficking (Art. 388 of Criminal Code), endangering persons under international protection (Article 392 of Criminal Code) and criminal offence under the Art. 98, para 2 - 5 of Data Secrecy Law.


              3) prevention and impeding collection of evidence (Art. 336 para 1 of Criminal Code) if committed in connection with criminal offences under points a) and b) above;


              4) special evidence collecting – secret surveillance of communication can be determined for the following criminal offences: unauthorized use of copyrighted work or other work protected by similar right (Art. 119 of Criminal Code), damaging computer data and programs (Art. 298 of Criminal Code), computer sabotage (Art. 299 of Criminal Code), computer fraud (Art. 301 para 3 of Criminal Code) and unauthorized access to computer, computer network or electronic data processing (Art. 302 of Criminal Code).


              B) Actions processed by Ministry of Interior (police departments)

              Special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching – for criminal offences for which a sentence of imprisonment of 4 years or longer is prescribed and a warrant has been issued (Article 60 of the Law on Police, “Official Herald RS” Nos. 6/2016, 24/2018 and 87/2018) – “target search measures”.

               

              C) Actions processed by Security-Informative Agency

              “Special measures”: i) secret surveillance and recording of communication regardless of the form and technical means by which measures are implemented or surveillance of electronic or other address; ii) statistical electronic surveillance and information systems to obtain data on communication or location of used mobile terminal equipment; iii) secret surveillance and recording of communication at public place and at places where access is limited or in closed area; iv) computer search of processed personal and other data and their comparison with data obtained in items i) – iii). Along with “special measures”, secret surveillance and recording of places, closed areas and subjects, including devices for automated processing of data and equipment where data are stored or where electronic records can be stored, can be determined in case where reasonable grounds exist to suspect that actions directed against security of Republic of Serbia are performed or planned and where circumstances of the case indicate that such actions could not be discovered, prevented or proved or where it would cause disproportionate difficulties and grave danger (Art. 13 and 14 of Law on Security-Informative Agency, “Official Herald RS” Nos. 42/2002, 111/2009, 65/2014 – Decision of the Constitutional Court, 66/2014 and 36/2018).

               

              D) Actions processed by Military Security Agency

              Military Security Agency shall collect data by means of special procedures and measures when it is not possible to collect data otherwise or when their collection involves excessive risk to life and health of people and property, i.e. excessive costs. Special procedures and measures are implemented primarily for the purpose of prevention, i.e. with the aim to prevent threats against the Ministry of Defence and the Serbian Armed Forces (Law on Military Security Agency and Military Counterintelligence Service, “Official Herald RS” Nos. 88/2009, 55/2012 – Decision of the Constitutional Court and 17/2013).

              Special measures and procedures can include the following measures: i) secret surveillance of persons in the open space and in public places by applying technical means; ii) secret electronic surveillance of telecommunications and information systems in order to collect data on telecommunication traffic and the locations of the users without insight into the content; iii) secret recording and documenting of conversations in the open space and in the closed areas by using technical means; iv) secret surveillance of the content of letters and other means of communication including covert surveillance of the content of telecommunications and information systems; v) secret surveillance and recording of the interior of facilities, closed areas and objects.

               

              II. A definition of the categories of people that might be subject to surveillance:


              A) Categories of people that might be subject to surveillance to process offences by criminal courts

              Pursuant to Art. 161 para 1 of the Criminal Procedure Code, special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching – can be determined against a person for whom reasonable grounds exist to suspect that she/he has committed a criminal offence prescribed in Art. 162 of the Criminal Procedure Code, if evidence for criminal prosecution cannot be collected in another manner or its collection would be made significantly more difficult.

              In accordance with para 2 of the same Article of the same Law, as an exception, special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching – can also be determined against a person for whom reasonable grounds exist to suspect that she/he has committed a criminal offence prescribed in Art. 162 of the Criminal Procedure Code and circumstances of the case indicate that the criminal offence could not be discovered, prevented or proved or that this would cause disproportionate obstacles or significant danger.

              In accordance with para 3 of the same Article of the same Law, when deciding on determination and duration of the said special evidence collecting, the body which is responsible for the procedure shall, in particular, evaluate whether the same result could be achieved in a manner by which rights of citizens are less limited.

              Where the execution of special evidence collecting yields material on criminal offences or on an offender not covered by the decision on such special evidence collecting, such material can be used in the procedure only if it is related to criminal offences prescribed by Art. 162 of the Criminal Procedure Code (Art. 164 of the Criminal Procedure Code – accidental finding).

              B) Categories of people that might be subject to surveillance by Ministry of Interior (police departments)

              To arrest and bring a person to the competent authority, where reasonable grounds exist to suspect that the person has committed a criminal offence for which a sentence of imprisonment of four years or more is prescribed and for whom a warrant is issued, and under the assumption that police officers cannot arrest this person applying other measures or actions, i.e. when such arrest is connected to disproportionate difficulties, “target search measures” can be determined against such person as well as against other persons for whom reasonable grounds exist to suspect that they assist such person to hide.

              C) Categories of people that might be subject to surveillance by Security-Informative Agency

              Special procedures and measures can be implemented against person, group or organisation 

              “Special measures” can be determined against a person, a group or an organisation in case where reasonable grounds exist to suspect that actions directed against security of Republic of Serbia are performed or planned and where circumstances of the case indicate that such actions could not be discovered, prevented or proved or where it would cause disproportionate difficulties and grave danger.

              D) Categories of people that might be subject to surveillance by Military Security Agency

              Special measures and procedures are applied against a person, a group or organisation to prevent threats against the Ministry of Defence and the Serbian Armed Forces.

               

              III. A limit on the duration of the measure:

              A) Limit of duration of the measures to process offences by criminal courts

              Secret surveillance of communication and secret tracking and interception can last 3 months and can be prolonged for a maximum of another 3 months due to necessity of further collection of evidence.

              In case of criminal offences for which the competence of public prosecution of special competence is prescribed by special law, secret surveillance of communication can be exceptionally prolonged two times for 3 months. This special evidence collection shall be terminated as soon as the reason for its application ceases to exist.

              Computer data searching can last a maximum of 3 months and can be exceptionally prolonged two times for 3 months due to necessity of further collection of evidence. This special evidence collection shall be terminated as soon as the reason for its application ceases to exist.

               

              B) Limit of duration of the measures applied by the Ministry of Interior (police departments)

              “Target search measures” can last a maximum of 6 months and can be prolonged for another six months.

              C) Limit of duration of the measures applied by the Security-Informative Agency 

              “Special measures” can last 3 months and can be prolonged three times for three months if necessary to discover, prevent or obtain evidence.

              D) Limit of duration of the measures applied by the Military Service Agency 

              Special measures and procedure can last 6 months and can be, upon new proposal, prolonged for another 6 months.

              IV. The procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; the circumstances and substantive and procedural conditions relating to the access of the competent authorities; Assessment whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued


              A) Procedure before administrative bodies


              Personal data obtained and processed by applying measures are secret data. This means that only persons who are issued security certificates can examine or use data, i.e. access data. Security certificates are issued by the Office of the Council for National Security and Protection of Secret Data. This Office is obliged to establish and maintain records on issued security certificates. The contents, form and manner to maintain records for access to secret data are provided for in Decree on Content, Form and Manner to Maintain Records for Access to Secret Data (“Official Herald RS” No. 89/2010).


              Data Secrecy Law (“Official Herald RS” No. 104/2009) prescribes that a public authority shall apply general and special protection measures under law and regulations adopted under law, with a view to protecting secret data in its possession.


              General measures for the protection of secret data shall include: i) determining the classification level; ii) assessing classified data security threat; iii) establishing the manner of using and handling classified data; iv) designating a person responsible for keeping, using, exchanging and other forms of classified data processing; v) designating a classified data controller, including his security clearance depending on the classification level; vi) determining special zones, buildings and premises intended for classified data and foreign classified data protection; vii) classified data handling control; viii) measures for the physical and technical protection of classified data, including the installation and set-up of technical means of protection, determination of a security zone and protection outside that zone; ix) protection measures for information and telecommunication systems; x) crypto protection measures; xi) protection regime for jobs and formation posts, under any internal acts on job classification and systematisation; xii) establishing special educational and training programmes required for the protection of classified data and foreign classified data; xiii) other general measures prescribed by law.  


              Some special protection measures can be regulated in more detail by an act of the competent minister or the head of a special organisation, under the Government act. Moreover, it is prescribed in Art. 84 para 1 of Data Secrecy Law that the head of a public authority shall be responsible for internal control of the implementation of this Law and regulations adopted based on this Law.


              It is prescribed in para 2 of the same Article that a special post shall be allocated in the ministry responsible for internal affairs, the ministry responsible for defence and in the Security Informative Agency, and, as necessary, in other public authorities, for internal control and other professional tasks concerning secret data classification and protection, or else an existing organisational unit within the ministries or the agency shall be entrusted with performing the mentioned activities and tasks.


              To enhance effective implementation of measures for protection of secret data, the Serbian Government enacted the Decree on Special Measures on Handling of Secret Data (“Official Herald RS” No. 90/2011). This decree obliges the head of a public authority to designate persons authorised to carry out regular and unannounced checks of the manner of implementation of measures for control of secret data.


              Moreover, the Serbian Government rendered the Decree on Special Protective Measures of Secret Data in Information-Communication Systems (“Official Herald RS” No. 53/2011), under which a system must fulfil conditions ensuring: i) protection from unauthorised access, which assumes identification and secure guarantees of identity (authentication) of persons who have access to the system; ii) control and maintenance of records on access to the system; iii) continual recording (automated, manual and combined) of the security condition of the system (security logs), activities of the system and changes of condition of the existing system; iv) examination of security logs by authorised persons; v) determination of authorisations of users in regard to security of systems; vi) determination of authorisations of users in regard to usage of the system; vii) ensuring a secure manner for indication of the level of secrecy; viii) identification of the user who executes amendment, printing, re-taping and deletion of secret data; ix) recording of amendments, printing, re-taping or deletion of secret data by the user; x) protection of important and program elements, system possibilities and functionalities of the system; xi) obtaining back-up archives of secret data in case of loss of existing archives as well as maintenance of records on access to archives.


              In accordance with Decree on Manner of Maintenance of Records, Processing, Usage, Protection and Deliverance Information and Documents on Affairs in the Competence of Security Informative Agency (“Official Herald RS” 68/02), direct access to documents can be achieved only under written authorisation. Regardless of the form and type of carrier, documents and records are kept in protected boxes or cupboards, made for this purpose, placed in specially secured areas. Transfer of documents and records is performed applying special measures and in a manner that protects them from potential loss, theft or destruction. The manner of maintenance of records, processing, usage, protection and deliverance of information and documents to competent state bodies is to be defined by internal instructions of the Director of the Agency.


              Law on Records and Processing of Data in the Field of Internal Affairs (“Official Herald RS” 24/18) defines obligations of the Ministry of Interior in regard to personal data protection in the field of internal affairs, purpose of processing, rights and protection of rights of persons whose data are processed, types and contents of records, duration of period of processing, exchange of data, storage, protection and control of data and other issues which are important for processing of personal data in the field of internal affairs.


              In accordance with Art. 60 para 12 of the Law on Police, upon completion of “target search”, personal data obtained shall be delivered to the President of Supreme Cassation Court or authorised judge who is obliged to destroy them and draft a record on this fact.


              In accordance with Art. 31 of the Law on Military Security Agency and Military Counterintelligence Service, Military Service Agency shall create and keep the records and registers of personal and other data and documents on those data. Military Security Agency shall create and maintain collections and registers of data within the scope of its work. The records and registers of data and documents shall be defined as secret data in compliance with the law regulating protection of secret data. In case both services come in possession of data in the competence of other security services or police, these will be delivered to other security services if these are related to national security affairs, whereas, if these are related to criminal offences, these will be delivered in accordance with provisions of Criminal Procedure Code governing special evidence collecting.

               

              In accordance with Rulebook on Requirements for Devices for Legitimate Interception of Electronic Communications and Technical Requirements for Fulfillment the Obligation of Retention of Data on Electronic Communications (“Official Herald RS” No. 88/2015), competent body shall maintain record containing decision of the court which represents legal ground for access or deliverance of retained data and date and time of access/deliverance.   


              Furthermore, in accordance with the same Rulebook, in case when a state body is not in the position to have access to retained data without access to premises or electronic communication network, accompanied devices or electronic communication equipment, the operator is obliged to maintain a record on the received request for access or deliverance of the requested data which in particular contains: identification of the person who accessed the data/to whom data are delivered, the court decision which serves as legal ground for access or deliverance and date and time of access and deliverance.


              The decision of the court by which the measure is approved contains the following data: the indication of the measure, data on person/group/organisation to whom/which a measure shall be applied, reasons for application of the measure, place and duration of the measure.


              Under assumption that:

              • persons having access to data/to whom data are delivered possess security certificates;
              • persons are granted internal authorisations to access the data;
              • the information systems of state bodies/operators record date and time of access to data;
              • data are accessed/delivered by/to a person by making a reference to the court decision which represents a valid legal ground for access to or deliverance of the data

                  an assessment may be made that the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.

                   

                  B) Procedure before Criminal Courts


                  Data on requesting, deciding on and application of the measure are secret data. Other persons who, in whatever capacity, learn about these data are required to keep them secret.


                  Depending on the particular measure, order of the court contains: available data on person to whom the measure is determined, legal title of criminal offence, indication of available telephone number/address, authorisation for reasons for suspicion, indication of premises, place or transport vehicle, authorisation to enter and placing devices, description of data to be searched and processed, indication of state body which is obliged to perform search of requested data, manner of application of the measure, scope and duration of the measure.


                  Proposals for measures and order are recorded in special court record and are stored together with material on applied measure in special court file with indication “special evidences collecting” and indication of level of classification in accordance with Data Secrecy Law. 


                  Order is applied by Ministry of Interior, Security and Informative Agency or Military Service Agency applying procedures under Section “Procedure before administrative bodies”.


                  If the public prosecutor does not initiate criminal procedure within 6 months from the moment he became familiar with the file, or states that he will not use it in the procedure or will not request criminal procedure against the suspected person, the judge for preliminary procedure shall issue a decision on destruction of the collected material.


                  Upon the termination of measure, the authority which executes order shall deliver to the judge for preliminary proceedings recordings of the communications, letters and other parcels and a special report which contains: the time of commencement and termination of the surveillance, data on the official who conducted the surveillance, a description of the technical means used, the number and available data on the persons encompassed by the surveillance, and an assessment of purposefulness and results of the application of the surveillance.


                  The judge for preliminary proceedings shall in the opening of letters and other parcels take care not to damage seals and to preserve the covers and addresses. A record shall be made of the opening. All the materials obtained by the application of the secret surveillance of communications shall be delivered to the public prosecutor. The public prosecutor shall order the recordings obtained through use of technical means to be transcribed in full or in part and to be described.


                  Upon the termination of the computer data search, the public authority or the legal person which implemented the order shall deliver to the judge for preliminary proceedings a report containing: data on the time of commencing and terminating the computer data search, data searched and processed, data on the official who conducted the computer data search, description of the technical means employed, data on the persons encompassed and results of the implemented computer data search. The judge for preliminary proceedings shall deliver the said report to the public prosecutor.


                  An assessment may be made that the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.
                  • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

                  Data can be processed to accomplish the following goals:

                  1. On the ground of court order to collect evidence to initiate criminal procedure for serious criminal offences. Court order specifies which data, for which purposes will be processed, manner of processing and duration of processing – special evidence collecting to initiate criminal procedure. State bodies applying measure must act in accordance with court order;

                  2. Special measures applied by Security Informative Agency must be approved by the court, following the proposal of the Director of the Agency with rationale. Proposal contains legal title of the measure, available data on person, group and organisation to which the measure is to be applied, reasons justifying application of the measure, scope of measure and its duration. Extension of the measure must be approved by the court; in case the court does not approve extension of the measure, collected data are deleted;

                  3. Special measures and procedures applied by Military Security Agency must be approved by the court - following the proposal of the Director of the Agency or authorised officer with rationale. Proposal contains legal title of the special measure/procedure, data on person, group or organisation to whom/which measure is to be applied and place and duration of the measure;

                  4. Target search measures applied by the Ministry of Interior/police departments shall be approved by the President of Supreme Cassation Court or authorised judge. In case of urgency, director of the Police can order measure subject to oral consent of the court, whereby the court must deliver decision in writing within 24 hours upon receipt of oral consent.

                    When deciding on the measure, it shall be particularly considered whether the same result can be achieved in the manner by which rights of citizens are less limited.
                  • What objective criteria are used to determine which personal data of individuals are stored?

                  Article 5 of the Serbian Law on Personal Data Protection (“Official Herald RS” No. 87/2018), which transposed provisions of Directive (EU) 2016/680, prescribes that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). Further, Article 7 of the same Law prescribes that personal data collected by competent state bodies for special purposes shall not be processed for a purpose different than the initial one, except in case when further processing is prescribed by law.

                  Purpose of processing different than one for which personal data are collected is allowed only in case the following conditions are cumulatively met:

                  1. Controller is authorised to process such personal data for other purposes, in accordance with the law;

                  2. Processing is necessary and proportionate to other purpose, in accordance with the law.

                  • Does national legislation require any relationship between the data which must be retained and a threat to public security?

                  No.

                   

                  • Does national legislation restrict the data retention in relation to …?
                    • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
                    • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

                  No.

                  • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

                  Judges, prosecutors and doctors must report preparation of a criminal offence for which a sentence of five years imprisonment or harsher sentence is prescribed (Article 331 of Criminal Code). They must report a criminal offence for which a sentence of five years imprisonment or harsher sentence is prescribed, and the offender, of which they learned in the course of performance of their duty (Article 332 of the Criminal Code).

                  Lawyers have the right to disclose a professional secret in case it is necessary to prevent a serious criminal offence (Codex of lawyers’ professional ethics).

                  • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

                  Judges are responsible for overseeing surveillance measures. Judges are independent in performance of their duties.

                  • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

                  The judge issues/approves order for application of surveillance measures and terminates the order.

                  If the public prosecutor does not initiate criminal procedure within 6 months from the moment he became familiar with the file, or states that he will not use it in the procedure or will not request criminal procedure against the suspected person, the judge for preliminary procedure shall issue a decision on destruction of the collected material.

                  • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?

                  Yes. In accordance with Article 32 of the Law on Personal Data Protection, where competent bodies process personal data for special purposes, the data subject has the right to erasure and the controller is obliged to erase personal data without undue delay if the provisions of Art. 5, 13 and 18 (data protection principles, lawfulness of processing by competent body and processing of special categories of data) have been breached by such processing and personal data shall be erased due to a legal obligation of the controller.


                  In accordance with Article 34 of the same Law, if the processing is performed by the competent authorities for special purposes, the controller is obliged to inform the data subject in writing about the refusal to correct or delete his personal data, i.e. restriction of processing, as well as the reasons for refusal or restriction.


                  The controller shall be completely or partially released from the obligation of notification to the extent that such restriction is a necessary and proportionate measure in a democratic society, with due respect for the fundamental rights and legitimate interests of data subjects, in order to:

                  1. avoid obstructing the official or statutory collection of information, investigation or proceedings;
                  2. enable the prevention, investigation and detection of criminal offenses, prosecution of perpetrators of criminal offenses or execution of criminal sanctions;
                  3. protect public safety;
                  4. protect national security and defence;
                  5. protect the rights and freedoms of other persons.


                  The controller is obliged to inform the person to whom the data relate that he can file a complaint to the Commissioner for Information of Public Importance and Protection of Personal Data, i.e. a lawsuit to the court.


                  The controller is obliged to inform the competent authority about the correction of inaccurate data since these data were obtained.


                  If personal data have been corrected, deleted or their processing has been restricted, the controller is obliged to inform the recipients of this data about their correction, deletion or restriction of processing.


                  Recipients of data notified are obliged to delete the data in their possession, delete them or limit their processing.

                  • Who should the individual address (see, Guarantee C)?

                  The Commissioner for Information of Public Importance and Protection of Personal Data.


                  The data subject has the right to file a complaint to the Commissioner if he/she considers that the processing of his/her personal data has been performed contrary to the Law on Personal Data Protection.


                  In the complaint procedure, the provisions of the law governing inspection supervision in the part related to the handling of petitions shall apply accordingly.


                  Filing a complaint with the Commissioner does not affect the right of this person to initiate other administrative or judicial protection proceedings.


                  The Commissioner is obliged to inform the complainant about the course of the proceedings, the results of the proceedings, as well as the right of the person to initiate court proceedings.


                  The data subject, the controller, the processor, or another natural or legal person to whom the decision of the Commissioner, made in accordance with this Law, relates has the right to file an administrative dispute against that decision within 30 days from the date of receipt of the decision. Filing a lawsuit in an administrative dispute does not affect the right to initiate other administrative or judicial protection proceedings.


                  If the Commissioner within 60 days from the day of filing the complaint does not act on the complaint or does not inform the complainant about the course of the proceedings, the results of the proceedings, as well as the right of the person to initiate court proceedings, the data subject has the right to initiate an administrative dispute.


                  The data subject has the right to judicial protection if he/she considers that, contrary to the Law on Personal Data Protection, the right prescribed by this law has been violated by the controller or processor by processing his/her personal data. Filing a lawsuit in court does not affect the right of this person to initiate other administrative or judicial protection proceedings.


                  The lawsuit for protection of rights may require the court to oblige the defendant to:

                  1. provide the information referred to in Art. 22 to 27, Art. 33 to 35 and Article 37 of this law;
                  2. correct, i.e. erase, data on the plaintiff referred to in Art. 29, 30 and 32 of this law;
                  3. restrict processing as referred to in Art. 31 and 32 of this law.


                  The lawsuit for protection of rights may request the court to determine that the decision relating to the plaintiff was made contrary to Art. 39 of this law.


                  The lawsuit shall be submitted to the higher court in whose territory the controller or processor or their representative has a permanent or temporary residence, or in whose territory the data subject has a permanent or temporary residence, unless the controller or processor is an authority.


                  Revision of the final decision made on the lawsuit is always allowed.


                  The provisions of the law governing civil proceedings shall apply in the court protection procedure, unless otherwise provided by this law.

                  • Does the court/control committee have access to all relevant information, including closed materials?
                  Yes.
                  Russian Federation | Asia | RU | ✔️ | ✔️ | S, R, E: 01/09/2013 | S | Konstantin Tiazhelnikov, country Data Protection Responsible for Russia at Carlsberg Group

                  The nature of the offences which may give rise to an interception or surveillance order:

                  Under the Federal Law N144-FZ of 12.08.1995 “On operative investigation activity” (hereinafter referred to as “OIA Law”), these are only offences of a criminal nature, i.e., leading to criminal liability (as opposed to either administrative or civil liability). However, it is not necessary to commit a criminal offence to face interception of communication as this measure may be lawfully applied for the purposes of detection and prevention of crimes, as well as to identify individuals preparing them (i.e., before a crime is actually committed). The only exemption the OIA Law specifies in this relation is that wiretapping of telephone and other conversations cannot be applied in relation to individuals suspected or accused of committing minor crimes, as well as individuals who may have information about such crimes (however, this exemption does not cover surveillance itself and written communications for unknown reasons).

                  The above description appears too broad and thus leaves significant room for abuse (despite the fact the OIA Law formally sets out the law enforcement agencies’ obligation to respect the right to private life, personal and family privacy, and privacy of correspondence). Indeed, almost any individual may arbitrarily be regarded as an offender who, e.g., appears to be preparing a crime only to be subsequently prosecuted on formal grounds and to initiate investigation activities, including surveillance and interception of communication. On top of that, the OIA Law allows operative investigation activity (including surveillance and interception) to be carried out covertly which (by its nature) leads to a lack of transparency and control over how the respective data is collected and further processed by law enforcement agencies and their officials.

                  It should also be noted that surveillance and interception of communications are also lawful in cases not directly connected to offences (with the exemption mentioned above), e.g., if used for obtaining information about events or actions (resp. omissions) that pose a threat to the state, military, economic, information or environmental security of Russia. This entails the same issue of potential abuses coupled with a lack of control and transparency as described above.

                  There are also other legal grounds set out in the OIA Law that might be relied upon (see Articles 2 and 7 of the OIA Law).

                  A definition of the categories of people that might be subject to surveillance:

                  The OIA Law generally lays down that citizenship, national origins, gender, place of residence, property, official and social status, membership in public associations, religious and political beliefs cannot be deemed as an obstacle to conducting operative investigation activities (including surveillance) in respect of individuals, unless otherwise provided by Federal law.

                  At the same time, specific laws may provide for exemptions from this general rule, e.g., under the Law of the Russian Federation N3132-1 of 26.06.1992 “On the status of judges in the Russian Federation”, judges are inviolable, which includes secrecy of correspondence and other forms of communication; inviolability also applies to the communication of a deputy of the State Duma of the Russian Federation or a member of the Federation Council (under the Federal Law N3-FZ of 08.05.1994 "On the status of a member of the Federation Council and the status of a Deputy of the State Duma of the Federal Assembly of the Russian Federation"). In such specific cases, a special procedure must be followed to obtain the respective measure.

                  A limit on the duration of the measure:

                  There are no specific rules on this. From the general provisions of the Federal Law N152-FZ of 27.07.2006 “On personal data” (hereinafter referred to as ‘Data Law’) (backed by the overall logic of the investigation legislation) it can be concluded that the respective measures may be applied for as long as necessary to achieve the purpose of their application.

                  The procedure to be followed for examining, using and storing the data obtained:

                  There are only isolated and unsystematic legislative provisions in this regard.

                  Examination of the obtained data is not addressed in the applicable legislation and is thus left to the discretion of law enforcement agencies and their officials.

                  As for the use, the OIA Law only contains a very broad and generic list of ways of how the results of operative investigation activity may be used. For example, the data may be used to conduct operative investigation activities, to search for fugitive offenders, for the purposes of tax authorities, as well as factual grounds to initiate criminal proceedings, etc. (Article 11).

                  Storage of the data obtained seems to be unsystematically and broadly regulated in the same manner, giving individuals insufficient control over whether their data is stored and for how long. Under the OIA Law (Articles 5 and 8):

                  (i) The materials obtained as a result of operative investigation activities in respect of individuals whose guilt in committing a crime has not been proved are stored for one year and then destroyed, unless official interests or justice require otherwise. Phonograms and other materials obtained as a result of wiretapping or interception of other conversations of individuals against whom criminal proceedings have not been initiated shall be destroyed within six months from the date when the interception ends.

                  It stems from the above that there are only retention periods in particular cases which have been specified and not storage conditions themselves. In addition, in fact, this means that the data might potentially be uncontrollably stored by law enforcement agencies for an indefinite amount of time, hiding behind unclear ‘official interests’, with no possibilities to exercise control over such storage.

                  (ii) If a criminal case is initiated against an individual whose telephone and other conversations were wiretapped, the phonogram and the hard copy of the recording shall be transferred to the investigator as material evidence. Under the Criminal Procedure Code of the Russian Federation (hereinafter referred to as ‘CPC’), such phonograms and hard copies:

                  1. are stored sealed in conditions that exclude the possibility of familiarizing third parties with the information contained and that ensure their safety and security of the information;
                  2. shall be returned to their rightful owner after inspection and other necessary investigative activities, if it poses no harm to the investigation.

                  However, there is no further guidance as to whom the terms ‘third parties’ and ‘rightful owner’ are meant to describe and how the degree of possible harm shall be evaluated which again raises the issue of insufficient clarity and a lack of transparency.

                  The precautions to be taken when communicating the data to other parties:

                  No specific measures and/or precautions identified in the applicable laws.

                  The circumstances and substantive and procedural conditions relating to the access of the competent authorities:

                  Under the OIA Law (Article 8):

                  - investigative activities restricting constitutional rights to the secrecy of correspondence, telephone conversations, postal, telegraph and other messages transmitted over electric and postal networks are allowed based on a court decision, providing that there is information on prepared or committed illegal acts, on individuals preparing them, or on events or actions (omissions) that pose a threat to the state, military, economic, information or environmental security of Russia.

                  - in urgent cases that can lead to the commission of serious or particularly serious crimes, as well as where there is information on events or actions (inactions) that pose a threat to the state, military, economic, information or environmental security of Russia, the investigative activities are allowed if conducted on the basis of a reasoned decision of one of the heads of an investigative body, followed by the mandatory notification of the court (judge) within 24 hours. The court decision must be obtained within 48 hours, otherwise, the respective investigative activities shall be discontinued.

                  The above provisions were initially designed as an expression of the system of “checks and balances” with courts supervising competent investigative authorities and ensuring the rule of law. However, at this stage of the legal and social reality in Russia, courts unfortunately tend to embody a formal rather than a real line of defense, often serving the interests of investigators and glossing over inadequacies in investigating practices.

                  The same is true for the right set out in Article 5 of the OIA Law, under which investigative activities might be appealed to a superior body carrying out investigative activities, to the procuracy or the court.

                  Is the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued?

                  This principle is not fully met. Interception of communications or surveillance may be lawfully performed by investigatory authorities upon requests of other investigatory authorities, with superior bodies, courts, and/or the procuracy being ad hoc involved in this process. This implies the involvement of multiple officials and employees (including those performing solely back-up tasks) in the data processing lifecycle with no strict distribution of roles in terms of data access. Thus, within the law enforcement system, access to the data stored can overall be seen as uncontrolled and unmanaged rather than otherwise.

                  With a higher degree of certainty, we can conclude that the respective data cannot be accessed by third parties outside the law enforcement system. At the same time, as long as there are no specific precautions taken when communicating data to other stakeholders (including external), this cannot be said with absolute certainty. Nor can the formal confidentiality obligation under Article 5 of the OIA Law (‘investigatory authorities are forbidden to disclose information concerning private life, personal and family secrets, dignity and good name that became known in the course of investigative activities, without the consent of citizens, except in cases provided for by federal laws’) be deemed as an effective safeguard.

                  In general, do the national laws impose such a limitation to what is “strictly necessary”?

                  ‘Limit to what is strictly necessary’ is a general principle outlined in the Data Law. However, this principle does not have any specific understanding in the context of investigative activities, nor is it further supported by specific legislation (incl. the OIA Law). From ‘Guarantee A’ section it can be seen that the legal grounds for obtaining (using, storing, …) data are broadly and vaguely (rather than clearly) described without easily understandable ‘building blocks’ of the notion of the ‘strict necessity’. It becomes clear that we cannot speak of an effective implementation of this principle in the specific investigation laws.

                  What objective criteria are used to determine which personal data of individuals are stored?

                  The Data Law declares the ‘data minimization’ principle, i.e., the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are stored. In other words, the storage must not happen purposelessly. But, here again, this general approach is not supported in the specific investigation laws which identify no further criteria. In practice, investigative authorities tend to adopt an approach that can be roughly described as ‘let’s keep it and then see if we need it’, arguing that there might appear intelligence-related (or similar) purposes in the future that they are unaware of at the moment of collection.

                  Does national legislation require any relationship between the data which must be retained and a threat to public security?
                  Statistically, in most cases, the data obtained in the course of investigation activities are retained for the purposes related to, in one way or another, public security. However, this is not typically a legal requirement as most investigation activities (e.g., interception of written communications) may lead to the data being obtained and stored amid the absence of a clear threat to public security (e.g., investigation activities performed for the purpose of deciding on providing an access to the information constituting a State secret).

                  At the same time, in some cases, the connection to the issues of public security is required: e.g., as mentioned in ‘Guarantee A’ section, wiretapping of telephone and other conversations must be connected to a crime of a particular gravity, either committed or suspected (i.e., there must be a particular degree of threat to public security).

                  Does national legislation restrict the data retention in relation to …?
                  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?

                    The retention (storage) limitations described in the ‘Guarantee A’ section are the only ones reflected in the investigation laws (which, as can be seen, in many cases are reduced to the setting out of retention periods). There are no other specific provisions regarding the retention restrictions in relation to the above.

                  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

                    No, this is out of the scope of the applicable laws.

                  Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

                  No. The laws only set out several professional categories whose representatives may not be interrogated in the capacity of witnesses under an obligation of professional secrecy (judges, attorneys, priests, etc.).

                  Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

                  Surveillance measures are supervised by a judge. A court decision is generally required to commence the respective activities and get access to the data (unless this is a matter of urgency, see ‘Guarantee A’ section for more details in this regard).

                  Judges are formally declared independent and are bound only by law. However, as described above (see ‘Guarantee A’ section), in practice they are unlikely to be seen as a real line of defense for those under surveillance. Rather, in the investigation context, a judge in a contemporary political and social environment is often a part of the investigative mechanism with a formal approach, instead of being an epitome of various guarantees characteristic of a democratic society.

                  Thus, in the context of ‘Guarantee C’, it seems unlikely that there is a clear and really independent system of judicial controls over how surveillance measures are applied.

                  At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

                  It takes place before and is a formal prerequisite of the investigation measure (i.e., processing operation), unless there is a matter of urgency.

                  There are no other oversight stages as such.

                  Under the OIA Law, the validity period of the respective court decision may not exceed six months, unless otherwise specified in the decision itself. If there is a need for an extension, the judge makes a new court decision based on the newly submitted materials.

                  Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?

                  Traditionally, there are only isolated and unsystematic legal provisions in this regard.

                  Under the OIA Law, an individual who was not found guilty of a criminal offence has a right of access to data concerning him or her. However, this right is only applicable:

                  (i) if the individual believes that his or her rights were violated—thus, literally, the right of access may not be effectively exercised in the ordinary course of events when no violations occur;

                  (ii) to the extent allowed by the requirements of secrecy and excluding the possibility of disclosure of state secrets—such blurred categories with barely defined boundaries leave room for arbitrary discretion and various abuses.

                  From the description above it becomes clear that the applicable laws do not address:

                  (i) the notions of the right to rectification and the right to erasure as such;

                  (ii) the situations when the data was obtained by investigation authorities outside the context of a committed or suspected criminal offence (e.g., when deciding on providing access to the information that constitutes a State secret).

                  Thus, the right of access exists on a very limited scale, while the rights of rectification and erasure are not addressed at all and theoretically (rather than practically) can only be derived from the general Data Law.

                  Who should the individual address (see, Guarantee C)?

                  The respective investigation authorities storing the data should be approached. The refusal may be appealed to the courts (although, as described above, this is mostly a formal guarantee, amid the absence of real independence of judges).

                  Does the court/control committee have access to all relevant information, including closed materials?

                  No restrictions are established in this relation. Upon request, a judge must be provided with all the information related to the refusal being appealed, unless this involves information on officials infiltrated into criminal groups, regular undercover employees of agencies that carry out operative investigative activities, or individuals who assist them on a confidential basis.

                  Overall assessment

                  Based on the observations outlined above it would be fair to conclude that none of the described Guarantees A-D are fully met in the applicable legislation and judicial practice. The existing provisions cannot be deemed as clear and precise, nor do they epitomize principles of necessity and proportionality in terms of an interference with the right to privacy and the protection of personal data. At the same time, existing oversight mechanisms are of limited nature and cannot be seen as truly independent and efficient in a democratic society. Remedies and rights to redress set out therein are insufficient and have a formal rather than enforceable character.

                  Remark 1.

                  Telecommunications providers are a “willing companion” of the respective investigation authorities as they are under a legal obligation to store (Article 64 of the Federal Law N126-FZ of 07.07.2003 “On communications”):

                  (i) information about the facts of receiving, transmitting, delivering and (or) processing of voice information, text messages, images, sounds, video or other messages sent by users of communication services (retention period: 3 years);

                  (ii) text messages sent by users of communication services, voice information, images, sounds, video, and other messages sent by users of communication services (retention period: up to 6 months).

                  The information described above must be provided to the investigation authorities, when prescribed by the applicable laws.

                  In the media, the law introducing the legal obligations of telecommunications providers described above is often mentioned as the “Yarovaya Law” (passed in 2016).

                  Remark 2.

                  For a better understanding of the context of how surveillance, resp. interception of communications works, it is recommended to study examples of real criminal investigations.

                  One of the best-known cases is that of Oxana Sevastidi, accused of high treason in 2016. She was sentenced to seven years in prison for texting in 2008 about a Russian train full of military equipment heading toward the Georgian breakaway region of Abkhazia during the short war between Russia and Georgia. Subsequently, she was pardoned by the President of Russia. Allegedly, the case was politically motivated.

                  To learn more: https://www.rferl.org/a/russia-sevastidi-released-text-georgian-war-jailed/28364651.html

                  The case of Oxana Sevastidi was not the only one based on an arbitrarily intercepted text message, as a Georgian citizen, Ekaterina Kharebava, was accused of the same crime (formally of espionage) in 2014 and subsequently sentenced to six years in prison. She was recognized as a political prisoner by the human rights organisation “Memorial”.

                  Remark 3.

                  To access the Russian legislation in English, the following online resource can be used: https://english.garant.ru. Subscription is available for a fee.

                  ___________

                  Please note that according to a recent legal study published by the European Data Protection Board "on Government access to data in third countries", the researchers found that in Russia, "[...] [personal data protection] enforcement and the application of the legislation has serious drawbacks. In addition, Russia has a striking record of violating the European Convention of Human Rights (ECHR)."

                  Rwanda | Africa | RW | Pius Ntazinda
                  Saudi Arabia | Asia | SA

                  Ms. Tripti Dhar, Partner – Reina Legal

                  • B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
                  • Admitted to practice in India; enrolled with the Delhi Bar Council
                  • Certified CIPP/E
                  • Member of International Association of Privacy Professionals (IAPP)
                  • DSCI Certified Privacy Professional (DCPP)
                  • Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India

                  • The nature of the offences which may give rise to an interception or surveillance order;

                  Article 40 of the Saudi Arabian Constitution protects the right to privacy, although it states that correspondences “may not be confiscated, delayed or read, and telephones may not be tapped except as laid down in the law.”

                  Article 9 of the Telecommunications Law and Regulations states that the privacy and confidentiality of telephone calls and information transmitted or received through public telecommunications networks shall be maintained. Disclosing, listening or recording the same is not permitted, except for the cases stipulated by the relevant Acts.

                  Article Nine of Telecom Act Royal Decree No. (M/12) dated 12/03/1422H:

                  The privacy and confidentiality of telephone calls and information transmitted or received through public telecommunications networks shall be maintained. Disclosing, listening or recording the same is not permitted, except for the cases stipulated by the relevant Acts.

                  Privacy-related offences under Article 3(1) of the Anti-Cyber Crime Law include:

                  'spying on, interception or reception of data transmitted through an information network or computer without legitimate authorisation'

                   

                  • A definition of the categories of people that might be subject to surveillance;

                  Chapter 10 (Violations and Penalties), Article Thirty-seven of the Telecom Act, Royal Decree No. (M/12) dated 12/03/1422H, states that any of the following actions by any operator, individual or juridical person constitutes a violation: interception of any telephone call or data carried on the public telecommunications networks in violation of the provisions of this Act.

                   

                  • A limit on the duration of the measure;

                  The existing laws in the region are silent on this subject.

                   

                  • The procedure to be followed for examining, using and storing the data obtained;

                  The existing laws in the region are silent on this subject.

                   

                  • The precautions to be taken when communicating the data to other parties; and

                  The existing laws in the region are silent on this subject.

                   

                  • The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

                  The existing laws in the region are silent on this subject.

                   

                  • Furthermore, please assess whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.
                  The existing laws in the region are silent on this subject.
                  • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?
                  • What objective criteria are used to determine which personal data of individuals are stored?
                  • Does national legislation require any relationship between the data which must be retained and a threat to public security?
                  • Does national legislation restrict the data retention in relation to …?
                    • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
                    • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?
                  • Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?
                  The existing laws in the region are silent on all the above subjects.
                  • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
                  • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?
                  The existing laws in the region are silent on this subject.
                  • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
                  • Who should the individual address (see, Guarantee C)?
                  • Does the court/control committee have access to all relevant information, including closed materials?
                  The existing laws in the region are silent on this subject.
                  Solomon IslandsOceania/AustraliaSB
                  SeychellesAfricaSC
                  SudanAfricaSD
                  SwedenEuropeSE(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
                  See, SCC Generator
                  S, R, E: 01/10/1985S✔️
                  SingaporeAsiaSG
                  Potential future candidate (p. 52) for adequacy?
                  ✔️
                  See here
                  or here
                  ASEAN Model Contractual Clauses for Cross Border Data Flows (2021)
                  Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021)
                  ✔️✔️Lanx Goh, CIPM, CIPP/A/E/US, FIP
                  Saint Helena (British Overseas Territory)AfricaSH
                  SloveniaEuropeSI(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
                  See, SCC Generator
                  S, R, E: 01/09/1994S✔️
                  SlovakiaEuropeSK(EU member state)✔️✔️✔️✔️✔️Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR
                  See, SCC Generator
                  S, R, E: 01/01/2001S✔️
                  Sierra LeoneAfricaSL
                  San MarinoEuropeSM✔️✔️S, R, E: 01/09/2015S
                  SenegalAfricaSN✔️R (Accession), E: 01/12/2016Adama Diouf
                  SomaliaAfricaSO
                  SurinameAfricaSRAbigaïl Z.M. de Rijp LLM
                  • Attorney at Law: civil and criminal law, with specialization in Law & Technology, corporate and contract law
                  • Legal, Business & IT Consultant
                  I. Rules regarding general processing

                  In Suriname, the general processing of data is not based on clear, precise and accessible rules, because Suriname has not yet legalized the right to privacy and the protection of personal data. In this regard, there is no legal basis that would justify interference in case of general surveillance: you can’t legally interfere with that which you have not legalized. However, there are different rules with regard to the prosecution of criminals and criminal conduct.

                   

                  II. Rules regarding processing in light of the detection of crimes and criminal prosecution

                  A. Detection of crimes (in general)

                  Cybercrime is penalized in Suriname through the Surinamese Criminal Code (WSr). Article 187i WSr penalizes the use of hidden cameras in homes. According to article 187j WSr, the publication of these images also constitutes a criminal offense.

                  The Surinamese Ministry of Justice and Police initiated the ‘Safe City Project’. This project is originally intended to fight crime through detection thereof. Through its ‘Command Center’, this project, via video surveillance, collects data of the activities of Surinamese citizens within our capital, Paramaribo, and the district Wanica. Since these recordings are taken on public roads, the protection article 187i WSr provides is not applicable. Unfortunately, this form of ‘crime detection’ has no legal basis. The only requirements this project meets are describing the nature of the offences and the people subject to surveillance – it applies to all crimes and all people who use public roads. This is presumably an execution of article 44 of the Surinamese Code on Criminal Procedure (WSv) which concerns arrests in flagrante delicto (catching someone red handed). As a result of the abovementioned, the absence of a clear legal basis for these recordings and the subsequent unregulated use of the obtained data in a Court of Law, clearly constitute gross contradictions of this Guarantee.

                  B. Criminal prosecution

                  Article 89 WSv regards the interception of individual communications.

                  During the preliminary judicial investigation, the examining judge may, ex officio or at the request of the prosecuting officer, in crimes ex. art. 56 WSv, and if the investigation urgently requires, rule that:

                  1) telephone calls in which it is suspected that the suspect participates or will participate in, may be overheard or intercepted by an investigating officer;


                  2) anyone who works at a telephony institution provides the Judge any desired information regarding all traffic the institution has intervened in which it is suspected that the suspect has participated.

                  The provisions of this article are (largely) in accordance with the requirements of Guarantee A:

                  • there is a clear prescription of the offences and categories of data subjects (suspects ex. art 19 WSv of crimes summed up in article 56 WSv);
                  • there is no limit on the duration of the measure, but according to paragraph 3 wiretapping or recording must be reported in official minutes within 48 hours (“twenty-four hours twice”);
                  • there are procedures and procedural conditions that must be followed for examining, using and storing of and the access to the data, ex. article 89 paragraph 3-5 and article 90 WSr;
                  • there are precautionary measures for third party communication, ex. article 90 WSr.

                  Criteria

                  Safe City project

                  Code on Criminal Procedure (WSv)

                  Limitation to strict necessity

                  No. Presumably, all traffic data is collected and stored, because this project is originally intended to detect crimes and pursue criminals. However, since this project has no legal basis, other than the fact that video data is collected, there is no clarity on what is/can further (be) done with the collected data.

                  Yes. Article 89 WSv (warrant for wiretaps), paragraph 4, states that the examining judge destroys the obtained data as soon as possible if that data is insignificant to the investigation, or relates to communications made by or to a person that has been excused from testifying under article 198 WSv. The wiretap regards all communication of suspects. The Code only disregards “insignificant” data.

                  Objective criteria for stored personal data

                  Relationship retained data and threat to public security

                  There is no national legislation on data protection (collecting, storing, processing, retaining etc.),

                  One can assume that all traffic data are stored with the intention “to fight crime” c.q. enhance national security.

                  Nonetheless, the far-reaching importance and fundamentality of privacy and data protection leave no room for assumptions. Consequently, the lack of a legal basis for this project constitutes many breaches of data privacy.

                  In a broad way, yes. Article 89 WSv regards the prosecution of crime suspects and all of their communications (based on the warrant).

                  Data retention restriction related to time, geographic, group of suspects, persons who could contribute to fighting crime

                  ·       Regarding data

                  Yes, according to art. 89 WSv par. 4, all insignificant data must be destroyed as soon as possible.

                  ·       Regarding persons

                  Articles 206a – 2016f WSv regard the identity of anonymous witnesses. During the preliminary judicial investigation, the examining judge may ex officio, at the request of the prosecuting officer, the suspect (or his Attorney) or the witness himself, grant a witness anonymity.

                  Exception obligation of professional secrecy

                  Yes, according to article 198 WSv, those who, by virtue of their status, profession or duties are bound to secrecy, can be exempted from testifying or answering certain questions. This right is only applicable in instances where the required information has been entrusted to them as such (secrecy).

                  Criteria

                  Safe City project

                  Code on Criminal Procedure (WSv)

                  Who is responsible for overseeing surveillance measures?

                  This project is led by a ‘Command Centre’, that is basically a cooperation of the following institutions:

                  ·       The Ministry of Justice and Police

                  ·       The National Security Directorate

                  ·       TELESUR (national telecom provider).

                  Once again, because of the absence of a legal basis, the duties and organizational structure regarding oversight are unclear.

                  In case of wiretaps ex. article 89 WSv, the examining judge is responsible for oversight. Official minutes (in Dutch: processen-verbaal) are made up of the tapped/interfered communications.

                   

                  When (at which “stage”) does (independent) oversight in relation to surveillance measures take place?

                  This is unclear.

                  Citizens have no idea when, how or by whom the “practical” oversight takes place.

                  The examining judge oversees the surveillance measures at all stages of the data processing life cycle. According to the law, the wiretaps always take place in front of this judge as part of a legally sanctioned ‘Preliminary Investigation’, which translates to Gerechtelijk Vooronderzoek (GVO) in Dutch. During the GVO other investigative measures take place such as the hearing of witnesses, house searches etc.

                  Criteria

                  Safe City project

                  Code on Criminal Procedure (WSv)

                  Possibility for access, rectification or erasure

                   

                  No. Suriname does not have a privacy or data protection law and the ‘Safe City Project’ has no legal basis, which makes it unclear for citizens what legal remedies they have at their disposal and to whom they should file a complaint.

                  This is unclear.

                  Citizens have no idea who they could address in case they would want

                  In case of wiretaps ex. article 89 WSv, the official minutes report the recorded data. Suspects and their Attorney have access to the entire criminal file. According to article 24 WSv, if this access is denied, the suspect can file a complaint to the Court of Justice.

                  Erasure only takes place if the recorded information is insignificant to the investigation or relates to communications made by or to a person, that has been excused from testifying under article 198 WSv.

                  The examining judge will then, ex officio, erase that data.

                  Since the examining judge is appointed to oversee this legal measure, (s)he has access to all relevant information, including closed materials.

                  Who should the individual address

                  Access to all relevant information

                  Notwithstanding the abovementioned, Suriname has drafted its first Data Protection Bill which is currently still under advisement of the National Parliament.
                  São Tomé and PríncipeAfricaST
                  El SalvadorNorth AmericaSVKarla Alas
                  SyriaAsiaSY
                  Eswatini (Swaziland)AfricaSZ
                  Turks and Caicos IslandsNorth AmericaTC
                  ChadAfricaTD✔️
                  French Southern TerritoriesAfricaTF
                  TogoAfricaTG
                  ThailandAsiaTHASEAN Model Contractual Clauses for Cross Border Data Flows (2021)
                  Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021)
                  ✔️N/A
                  Please see the country report for Thailand as part of the study "State of Privacy" conducted by Privacy International.
                  TajikistanAsiaTJ✔️
                  TokelauOceania/AustraliaTK
                  Timor-LesteAsiaTL
                  TurkmenistanEuropeTM
                  TunisiaAfricaTN
                  See here
                  ✔️R (Accession), E: 01/11/2017SInvitation valid until 8 February 2023N/A
                  Please see the country report for Tunisia as part of the study "State of Privacy" conducted by Privacy International.
                  TongaOceania/AustraliaTO
                  TurkeyEuropeTR✔️✔️The Turkish Data Protection Authority has published two sets of SCCs: Controller-to-controller (Turkish; English); Controller-to-Processor (Turkish; English)S, R, E: 01/09/2016✔️Oğuz Kartöz, CIPP/E
                  Trinidad and TobagoSouth AmericaTTMukta Balroop
                  TuvaluOceania/AustraliaTV
                  TaiwanAsiaTWBobby Piao-Hao Hsu is senior lead specialist of privacy and data protection at TPV Technology Group, where he is responsible for daily execution of regulatory compliance across more than 17 jurisdictions. Before joining TPV, he was Public Policy Counsel of LINE Taiwan Limited, where he had the opportunity to represent the LINE operations in Taiwan in various contexts and to advocate the Group's interests via diversified channels, planning and executing in-depth covered programs both locally and overseas, together with the support mobilized cross-functions within the Group globally.

                  Until April 2017, he worked as Legal Researcher at Science and Technology Law Institute (STLI), Institute for Information Industry, where he was responsible for policy research in the field of privacy, energy law and innovative technology. It was also during his post at STLI that he started his policy research in the field of internet governance, data protection and other regulatory mechanisms favoring the development of tech/innovative enterprises, including the trends of IoT, Big Data, renewable energy and the right to be forgotten.

                  Prior to STLI, Hsu worked as Senior Assistant Research Fellow at Taiwan Research Institute (TRI), Direct Dialogue Campaigner at Greenpeace (East Asia, Taipei) and Program Associate at Human Rights in China (Hong Kong Office).

                  As a jurist not specialized in criminal procedures, Hsu would like to thank all the support other practicing professionals both in public and private sectors have generously provided during the process.

                  In principle, the interception of communications is regulated by The Communication Security and Surveillance Act (CSSA). [I]

                   

                  • The nature of the offences which may give rise to an interception or surveillance order;

                  According to Art. 5 and Art. 6 of CSSA, an “interception warrant” can be issued, with the approval of the court, only for certain enumerated offences.

                  In addition, an access warrant could also be issued by the prosecutor under Section III of Article 11-1 when it comes to investigation of a number of more serious offences [II], instead of by the court.

                   

                  • A definition of the categories of people that might be subject to surveillance;

                  Art. 7 of CSSA, on the other hand, stipulates the interception regarding foreign forces. In this case, an interception warrant is still needed. Nevertheless, unlike the scenario in Articles 5 and 6, where the interception warrant could only be issued when involving certain specific crimes as prescribed in various criminal codes, when it comes to “foreign forces”, the only criterion for determination of the legitimacy of the interception warrant is the necessity “to conduct surveillance on … communications [III] in order to collect intelligence on foreign forces or hostile foreign forces to protect national security”.

                   

                  • A limit on the duration of the measure;

                  As stipulated by Article 11, the following information must be documented on the interception warrant:

                  1. grounds for the case, and the laws and regulations referencing the alleged violation;
                  2. surveillance subjects;
                  3. features of the communication surveillance, such as types or numbers, that is sufficient for identification purposes;
                  4. surveillance location;
                  5. reasons for surveillance;
                  6. duration and methods for surveillance;
                  7. petition agency;
                  8. enforcement agency;
                  9. setup organization

                  Section I of Article 12 further adds: the communication surveillance duration of Articles 5 and Article 6 is not to exceed 30 days each time; while the communication surveillance duration of Article 7 is not to exceed one year each time. If it is necessary to continue the surveillance, specific reasons must be specified, and the last date for petition should be no later than two days before the expiration date. However, the period of continuous surveillance under Articles 5 and 6 shall not exceed one year. If the enforcement authority deems it necessary to continue surveillance, a new application shall be filed in accordance with Articles 5 and 6.

                   

                  • The procedure to be followed for examining, using and storing the data obtained;

                  About the examination and usage of data, Section 4 of Article 5 stipulates, “[t]he enforcement authority shall file at least one report every 15 days during the period of communication surveillance, describing the progress of conducting the surveillance, and/or if there is the necessity to continue implementing the surveillance.”

                  In terms of storage, there is a 5 year-limitation according to Section I of Article 17. [IV]

                   

                  • The precautions to be taken when communicating the data to other parties; and
                  • The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

                  According to Section I of Article 18, “[i]nformation obtained from the communications surveillance pursuant to this Act shall not be provided to other agencies (institutions), groups or individuals. However, this restriction does not apply to those complying with the surveillance objective as described in Article 5 or Article 7, or other laws and regulations.”

                  If we take a closer look, we find that it is not difficult to fulfil the condition prescribed in Article 18. Nevertheless, in practice, it is also challenging for different investigation bodies to share information or intelligence gathered, due to a lack of incentive from the institutional structures.

                   

                  • Furthermore, please assess whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.
                  To answer this question, a certain number of interviews would have to be conducted to provide a credible basis, which is unfortunately not yet within the capacity of the author. Nevertheless, Article 16 of the implementation rules of the CSSA [V] assures that the staff of the institutions that technically support the surveillance would not have access to the intercepted/wired contents.
                  • In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

                  In Section II of Article 5, it is stipulated that “[r]elevant documents and investigation information about the residence of the target of interception should also be attached, specifying that there is sufficient reason to believe that the contents of communications are related to the case, that prior investigation has been conducted in another manner without success, or that it is reasonably clear that investigation in another manner will not achieve the purpose or creates material risk. The prosecutor should respond within four hours after accepting the application. If the case is complex, the deadline may be extended for four hours with the consent of the Chief Prosecutor. The court should reply within 48 hours after receiving the application case as approved by and transferred from the prosecutor. If the case is in trial proceedings, the warrant should be issued ex officio by the judge. The judge may also enter appropriate instructions to the enforcement officers on the interception warrant.”

                  Article 13 also provides related limitations with respect to the actual implementation of the interception. [VI]

                  In light of the regulatory content above, it could be argued that the legislative structure has limited the use of surveillance (wiring of the phone, Jian Ting [監聽]) to a necessity test. Nevertheless, the high approval rate, especially from the Prosecutor, may not be a positive indicator demonstrating a “strict” necessity examination. [VII]
                  • “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

                  Before the issuance of the interception warrant:

                  About the issuance of an interception warrant, Section III of Article 5 provides: “[i]f the application as referred to in the preceding Paragraph is inconsistent with the legal procedure, lacks reason, is not specified or not sufficiently specified, it shall be denied by the court. The decision to deny an application by the court shall not be challenged.”

                   

                  During the interception surveillance:

                  Section VI, Article 5 provides: the enforcement authority shall file at least one report every 15 days during the period of communication surveillance, describing the progress of conducting the surveillance, and/or if there is the necessity to continue implementing the surveillance. The prosecutor or the judge that issued the interception warrant may also order the enforcement authority to submit a report at any time. If a situation arises where the surveillance should not be conducted continuously, the judge shall consider, by free evaluation based on the rules of experience and logic, withdrawing the issued interception warrant.

                   

                  Examination mechanism post surveillance:

                  It has been criticized that, unlike the French or other models, the current interception surveillance lacks a mechanism for individuals to challenge the State interference even after the surveillance at issue is over.

                  Nonetheless, a general obligation for the State to compile an aggregated transparency report is prescribed in Article 16-1. [VIII]

                   

                  • “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

                  If we consider the wired content as the data at issue, the relatively independent review of the wiring action may not take place until 15 days after the wiring. Section IV of Article 5 provides that the enforcement authority shall file at least one report every 15 days during the period of communication surveillance, describing the progress of conducting the surveillance, and/or if there is the necessity to continue implementing the surveillance.

                  It is provided in the same Section that the prosecutor or the judge that issued the interception warrant may also order the enforcement authority to submit a report at any time. If a situation arises where the surveillance should not be conducted continuously, the judge shall consider, by free evaluation based on the rules of experience and logic, withdrawing the issued interception warrant.

                  However, at this stage, a judge or prosecutor is only authorized by law to review whether or not there is legitimate necessity for the enforcement authority to continue carrying out the surveillance.
                  • Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?

                  According to Article 15 of CSSA, the enforcement authority of communication surveillance cases as described in Article 5, Article 6, and Article 7, Paragraph 2 should, when the communication surveillance is over, state the name, permanent address or contact address of the person under surveillance, the Subparagraph under Article 11, Paragraph 1 that is applicable to the surveillance case and reference number of the authority issuing the interception warrant, the actual period of surveillance, whether communications information corresponding to the purpose of the surveillance has been obtained and the remedy procedure in the report, to the prosecutor, or the authority overseeing national intelligence. The prosecutor, or the authority in turn should report to the court, so that the person under surveillance may be notified.

                  Nevertheless, the individuals being wired would not have direct access to the transcript of what has been documented about him or her. In practice, if the content of the surveillance transcript is used in the proceedings later, it could then be challenged by the data subjects. However, if the surveillance never leads to any actual indictment, it is uncertain whether the data subjects would have access to it. This could be indirectly inferred from Section I of Article 18, where it is stipulated: Information obtained from the communications surveillance pursuant to this Act shall not be provided to other agencies (institutions), groups or individuals.

                  So we could probably infer: if there is any indictment, charges pressed involving the use of transcript of the surveillance content, it is highly impossible for the data subjects to have access to the content of the surveillance transcript and it would probably be destroyed after 5 years.  

                  【End notes】:

                  I  Tong Xun Bo Zhang Ji Jian Cha Fa [通訊保障及監察法], originally promulgated on July 14, 1999, last amended on May 23, 2018. Available at https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=K0060044 (last visited: July 4, 2020).

                  II  These offences include: an offense punishable by a term of imprisonment of at least 10 years, the offense of robbery, forcible taking, fraud, extortion, kidnapping for ransom or violation of the Human Trafficking Prevention Act, Statute for Fire Arms, Ammunition and Harmful Knives Control, Statute for Punishment of Smuggling, Narcotics Hazard Prevention Act or Organized Crime Prevention Act.

                  III  Three types of communications are listed in Article 7, respectively:

                  1)     Domestic communications of foreign forces, hostile foreign forces, or their agents.

                  2)     Cross-border communications of foreign forces, hostile foreign forces, or their agents.

                  3)     Off-shore communications of foreign forces, hostile foreign forces, or their agents.

                  IV The information obtained from the communication surveillance should be sealed or otherwise marked, and stamped by the enforcement authority to preserve its true completeness without addition, deletion or change. Information used as case evidence shall be kept in the file, or otherwise kept for as long a time as is necessary for surveillance purposes. The enforcement authority should safe-keep the information for five years after the communication surveillance is completed, and destroy it afterwards.

                  V  Tong Xun Bo Zhang Ji Jian Cha Fa Shi Xing Xi Ze [通訊保障及監察法施行細則], originally promulgated on March 15, 2000, last amended on June 16, 2014. Available at https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=K0060053 (last visited: Jul. 4, 2020).

                  VI  Surveillance should be conducted by intercepting, wiretapping, sound recording, video recording, photographing, opening, checking, copying communications or other similar necessary methods, but there should be no installation of listening devices, video recording equipment, or other surveillance devices in a private residence.
                  When implementing communication surveillance, with exception to those having been dealt with by the law, the communications should be maintained in a smooth and open manner.
                  Unless the enforcement authority has any justification, the surveillance recordings should be collected every 3 days.
                  Any content of surveillance recording under the previous Paragraph that is not related to the purpose of surveillance shall not be translated.

                  VII  According to the statistics provided by the Ministry of Justice, in 2019 the denial rates of the Court and the Prosecutor were, respectively, 2.69% (455/16584) and 28% (4528/16040). See: https://www.rjsd.moj.gov.tw/RJSDWeb/common/WebList3_Report.aspx?list_id=1351 (last visited: Jul. 4, 2020).

                  VIII  The enforcement authority and supervisory authority for communications surveillance shall prepare an annual report with relevant statistical information of the communications surveillance performed during the year. Said report shall be published online regularly and shall be submitted to the Legislative Yuan for reference.
                  The previous Paragraph concerning regular online publication shall not be applicable to communications surveillance under Article 7.
                  The annual report of statistical information under Paragraph 1 shall include the following matters:

                  1. Cases of applications and approvals for communications surveillance under Articles 5, 6 and 7 and Article 12, Paragraph 1, number of targets under surveillance, number of cases, number of lines and types of lines. The same shall be applicable to case access under Article 11-1.
                  2. Situations where surveillance is stopped under Article 12, Paragraphs 2 and 3.
                  3. Notice or non-notice under Article 15, types of reasons for non-notice and situations where the reasons continue to or do not continue to exist.
                  4. The court’s supervision of the enforcement by the enforcement authority in accordance with the previous Article.
                  5. Execution of information destruction in accordance with Article 17.
                  6. Types and quantities of intercepted records.
                  Tanzania | Africa | TZ | Lucy Minde
                  Ukraine | UA | ✔️ | ✔️ | S, R, E: 01/01/2011

                  NGO “Privacy HUB” represented by:

                  Dmitry Korchynskyi, CIPP/E, CIPM, FIP, Senior Data Protection Specialist at PrivatBank

                  Artem Kobrin, CIPP/E, CIPM, FIP, CDPSE, Data Protection Specialist at PrivatBank

                  Vlad Nekrutenko, CIPP/E, CIPM, FIP, Head of privacy at Legal Nodes

                  All of those mentioned are serving as:

                  Executive summary:

                  In light of the CJEU’s “Schrems II” ruling of July 16th, 2020 and EDPB’s Recommendations 02/2020, transfers of personal data from the EU to Ukraine can be carried out using the mechanism adopted by the European Commission’s Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (the “Standard contractual clauses” or “SCC/s”).
                   

                  Research on data protection guarantees shows that surveillance measures in Ukraine pursue legitimate objectives and are necessary for ensuring the stability of a democratic society. However, several gaps were identified, hence it is not possible to conclude that Ukraine provides a level of data protection essentially equivalent to that established in the EU.
                   

                  For instance, we assume that the rules lack certainty regarding the precise scope of personal data that can be accessed. Also, the necessity and proportionality of such processing activities do not need to be assessed by governmental representatives. Moreover, while an independent oversight mechanism exists, it fails to provide sufficient judicial scrutiny of necessity and proportionality of surveillance measures.

                   

                  On the other hand, the gap between the European and Ukrainian regimes can be compensated by the safeguards provided by the Standard contractual clauses. The Ukrainian law does not allow indiscriminate and silent surveillance activities, which would impede the contractual protection by the SCCs. Hence, the Ukrainian data importer will be able to inform the data exporter if they are subject to surveillance measures with regard to the data transferred. In that regard, EU data protection supervisory authorities will be in the position to audit the data importer, which is one of the main prerequisites for SCCs to be valid. Additionally, affected data subjects will be able to exercise their rights with the data importer as prescribed by the SCCs.

                   

                  There is no law that would oblige data importers to derogate from the applicable data protection laws beyond the necessary extent in a democratic society. Ukraine has declared its intention to join the EU by signing mutual treaties on association and cooperation. Such treaties combined with the fact that Ukrainian judicial practice recognises foreign laws provide a solid basis to assume that the Standard Contractual Clauses allow organisations to ensure compliance with GDPR requirements while transferring personal data to Ukraine.

                   

                  Taking into account the mutual treaties on association and cooperation between the European Union and Ukraine, as well as the court practice in Ukraine recognising foreign laws, we conclude that the SCCs allow organisations to ensure compliance with the GDPR requirements while transferring personal data to Ukraine.

                   

                  In particular, the following legislative acts were taken into account:

                   

                  Nature of the offences which may give rise to an interception or surveillance order:

                   

                  Article 246 CPC: Interception and surveillance of communications can only be conducted in criminal proceedings in cases of severe crimes or crimes of a specific gravity. Such crimes are defined in Article 12.4 and Article 12.5 CPC. It is worth mentioning that interception and surveillance may also be conducted to prevent crimes in preparation. Such activities are governed by a different law, namely the Law of Ukraine on “Operative Investigation Activity”.

                   

                  Law of Ukraine “On Intelligence”, Article 15 provides for a list of intelligence measures that could be conducted on the territory of Ukraine based on the judicial authorities. The list contains the different types of surveillance measures. The law does not split the surveillance measures into separate categories, but rather provides a single broad category of intelligence measures. Intelligence measures are defined as a set of actions and decisions of the intelligence body, which, in cases specified by laws of another entity, are conducted using different methods, staff, and means of intelligence.

                  The main purpose of intelligence measures is defined as promoting the realisation of national interests, protecting national security from external threats, and the timely provision of intelligence information to the recipients (i.e., the main state officials).

                   

                  A definition of the categories of people that might be subject to surveillance:

                  Article 6 OIA defines the following categories of people that might be subject to surveillance:

                  • Persons who are preparing to commit a criminal offence;
                  • Persons hiding from pre-trial investigation bodies, investigating judges, courts or evading serving a criminal sentence;
                  • Missing persons.

                  Limit on the duration of the measure:

                  According to Article 246 CPC and depending on the circumstances, the limit on the duration may be up to eighteen months. However, according to Article 219, the limit on the duration may be repeatedly extended at the motivated request of the prosecutor for the term of pre-trial investigation.

                  The procedure to be followed for examining, using, and storing the data obtained:

                  According to Article 10 OIA, materials of the operative search activity may be used as follows:

                  • As reasons and grounds for initiating a pre-trial investigation;
                  • To obtain factual data that may serve as evidence in criminal proceedings;
                  • For the prevention, detection, termination, and investigation of criminal offences, reconnaissance and subversive encroachments against Ukraine, the search for persons who have committed a criminal offence, and persons who have disappeared;
                  • To ensure the safety of court employees, law enforcement agencies and persons involved in criminal proceedings, members of their families and close relatives, as well as intelligence officers of Ukraine and their close relatives, persons who confidentially cooperate(d) with the intelligence agencies of Ukraine, and members of their families;
                  • For mutual information of the subdivisions authorised to carry out the operative search activity and other law enforcement bodies;
                  • To inform state bodies according to their competence.

                  As per the CPC, Article 254 on the measures of protection of information that were obtained through covert investigative (detective) actions envisages the following safeguards:

                  • Information on the fact and the methods of conducting covert investigative (detective) actions, related executing bodies, as well as information obtained as a result thereof may not be disclosed by individuals who took knowledge of such information by way of reviewing the materials as prescribed in Article 290 of the CPC;
                  • If records on covert investigative (detective) actions contain information on the private (personal or family) life of other persons, defence counsel and other individuals entitled to review such records are warned about criminal liability for disclosing information obtained in respect of other persons;
                  • Making copies of records on covert investigative (detective) actions and their attachments shall not be allowed.

                  Article 255 describes the measures for protecting the information, which is not used in criminal proceedings:

                  1. Information, objects, and documents obtained as a result of covert investigative (detective) actions which, in the public prosecutor’s opinion, are not necessary for subsequent pre-trial investigation, shall be destroyed immediately based on the public prosecutor’s decision, except in cases specified in the third paragraph of the aforementioned Article as well as Article 256 of the CPC.
                  2. The subsequent use of the aforementioned materials for purposes not related to criminal proceedings, or reviewing such materials by participants to criminal proceedings, is prohibited.
                  3. Where the holder of any objects or documents obtained as a result of covert investigative (detective) actions may be interested in recovering them, the public prosecutor shall be required to serve such person a notice of such objects or documents being in the possession of the prosecutor and find out whether such person would want to recover them. When deciding on the acceptability of measures provided under this paragraph as well as on the time of conducting such measures, the public prosecutor shall take into account the need to safeguard the rights and legitimate interests of individuals as well as the necessity to prevent any prejudice to the criminal proceedings.
                  4. Destruction of information, objects, and documents shall be carried out under the supervision of the public prosecutor.
                  5. Destruction of information, objects, and documents obtained as a result of covert investigative (detective) actions shall not exempt the public prosecutor from their duty of notification under Article 253 of this Code.

                  Article 259. Preservation of information

                  1. If a public prosecutor intends to use as evidence, during the trial, information or any fragment of information obtained as a result of interference in private communication, he shall be required to ensure the preservation of all information or delegate the preservation of all information to the investigator.

                   

                  The precautions to be taken when communicating the data to other parties:

                  Article 222. Inadmissibility of disclosing information of pre-trial investigation:

                  1. Information of pre-trial investigation may be disclosed only with permission of the investigator or public prosecutor, and insofar as they deem such disclosure to be possible.
                  2. Whenever necessary, the investigator, the public prosecutor shall advise persons who learned information of pre-trial investigation in connection with having participated therein, of their duty not to disclose such information without their permission. Unlawful disclosure of information of pre-trial investigation shall entail criminal liability established by law.

                   

                  According to Article 252, all of the measures taken during the covert investigation should be properly captured and documented, including information about third parties that obtained access to such data.

                   

                  The circumstances and substantive and procedural conditions relating to the access of the competent authorities:

                  See above: Article 10 OIA, Article 254, 255, 259 CPC.

                   

                  The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued:

                  The scope of those who can request investigative actions is defined by Articles 246 and 222 (see above) of the CPC:

                  1. The investigator, public prosecutor, and investigating judge in cases specified by the present Code, upon request of a public prosecutor or request of investigator approved by a public prosecutor, shall decide on the conducting of covert investigative (detective) actions. The investigator shall be required to inform the public prosecutor on the decision to conduct certain covert investigative (detective) actions and their results. The public prosecutor may prohibit or stop the conduct of covert investigative (detective) actions.

                  Additional information on the procedures for the surveillance measures is provided in the Joint order of the General Prosecutor of Ukraine, Ministry of Internal Affairs of Ukraine, Security Service of Ukraine, Administration of The State Border Service of Ukraine, Ministry of Finance of Ukraine, Ministry of Justice of Ukraine on the adoption of the Instruction on the organisation of covert investigative (detective) actions and the use of their results in criminal proceedings.

                   

                  Summary:

                  1. Nature of the offences which may give rise to an interception or surveillance order:

                    Interception and surveillance of communications can only be conducted in criminal proceedings in respect of serious crimes or specific serious offenses. Such crimes are defined in Article 12.4 and Article 12.5 CPC. However, interception and surveillance may also be conducted to prevent crimes in preparation; such activities are governed by the Law of Ukraine on “Operative Investigation Activity”.
                     
                  2. Definition of the categories of people that might be subject to surveillance:

                    - persons who are preparing to commit a criminal offense;
                    - persons hiding from the bodies of pre-trial investigation, investigating judge, court or evading serving a criminal sentence;
                    - missing persons.
                     
                  3. Limit on the duration of the measure:

                    Depending on the circumstances, the limit on the duration may be up to eighteen months. However, according to Article 219 CPC, the limit on the duration may be repeatedly extended at the motivated request of the prosecutor for the term of pre-trial investigation.
                     
                  4. The procedure to be followed for examining, using, and storing the data obtained:

                    Ukrainian law provides a procedure that is rather ambiguous and does not provide a clear “step-by-step” guidance.
                     
                  5. The precautions to be taken when communicating the data to other parties:

                    CPC prohibits disclosing information of pre-trial investigation without prior written consent of the investigator or the prosecutor. The investigator or the prosecutor shall remind persons who obtained relevant information of their duty not to disclose such information without the permission of the investigator or the prosecutor. Also, it is prohibited to make copies of protocols on conducting covert investigative (detective) actions and appendices to them.
                     
                  6. The circumstances and substantive and procedural conditions relating to the access of the competent authorities:

                    Investigator, public prosecutor, and investigating judge – but no limits on the number and no restriction to specific persons who need the data for the fulfilment of their obligations.
                     
                  7. The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued:

                    The law does not define the number of persons who can access the data stored. However, the law defines the roles which may have such access: the investigator, public prosecutor, and investigating judge.

                  In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

                   

                  The Law of Ukraine “On Operative Investigation Activity” (Article 9) provides retention limitations to what is necessary for conducting investigations. However, the rules might lack precision and a certain degree of discretion remains, hence the criterion of “strictly necessary” is blurred.

                   

                  Article 9. Guarantees of lawfulness during the implementation of operational and investigative activities

                  Information obtained as a result of operational and investigative activities concerning personal life, honour, human dignity, provided that it does not contain information about the commission of actions prohibited by law, is not subject to storage and must be destroyed. Information obtained as a result of operational and investigative activities on the preparation for terrorist acts or their commission by individuals and groups is stored for up to 5 years.

                  The results of operative-search activity, which per the legislation of Ukraine constitute a state secret, as well as information concerning personal life, honour, human dignity, shall not be subject to transfer and disclosure. For the transmission and disclosure of this information, employees of operational units, as well as persons to whom this information was entrusted in the course of operational and investigative activities or became known for service or work, are liable under applicable law, except in cases of disclosure of information about illegal actions that violate human rights.

                  Surveillance of a person, object, or location, as well as audio, video surveillance of a location, may be carried out to collect data about the person and their connections, if there are facts that confirm that they are preparing to commit a serious crime or specific serious offence to obtain information indicating signs of such a crime, to ensure the safety of court and law enforcement officers and persons involved in criminal proceedings, members of their families and close relatives of these persons, as well as to obtain intelligence in the interests of society and the state.

                   

                  Law of Ukraine on “Personal Data Protection”

                  Article 15. Deletion or destruction of personal data

                  1. Personal data collected during the performance of tasks of operative-search or counter-intelligence activity, or the fight against terrorism, shall be deleted or destroyed under the requirements of the law.

                   

                  • What objective criteria are used to determine which personal data of individuals are stored?

                   

                  Article 9-1. Term of conducting operational and investigative cases

                  Conducting operational and investigative cases is carried out:

                  1) in respect of unidentified persons who are preparing to commit a criminal offence, as well as persons who are hiding from bodies of pre-trial investigation, investigating judge, court or who are evading serving a criminal sentence - until their establishment or search, but not for longer than is provided by the statute of limitations or the statute of limitations for the execution of a conviction;

                  3) in respect of persons missing in special circumstances, including in connection with armed conflict, hostilities, riots within the state or in connection with emergencies of a natural or man-made nature or other events that may cause mass deaths, before establishing their whereabouts, burial place or location of remains;

                  4) in respect of persons on whom there is data on participation in the preparation for the commission of a criminal offence - before establishing and recording factual data on illegal acts, liability for which is provided by the Criminal Code of Ukraine, but not more than six months;

                  6) in respect of persons on whom there is evidence of their participation or involvement in terrorist activity, terrorist group or terrorist organisation, as well as material, organisational or other assistance to the establishment of a terrorist group or terrorist organisation - up to 5 years.

                  If data obtained during the operational and investigative case indicates the participation of a person in the preparation of a serious or especially serious crime, the term of the case may be extended up to 12 months, with a further extension of the term of the operational and investigative case possible, but not more than 18 months.

                  Defence counsels and clergymen are subject to specific safeguards. All of the listed persons enjoy the protection: Article 258 CPC: General provisions related to the interference in private communication.

                  1. Interference in private communication of defence counsel, between clergyman and the suspect, accused, convict, acquitted shall be forbidden.

                   

                  The Criminal Procedure Code prohibits disclosing information of pre-trial investigation without the prior written consent of the investigator or the prosecutor. The investigator or the prosecutor informs persons who obtained information of their duty not to disclose such information without the permission of the investigator or the prosecutor. Also, it is prohibited to make copies of protocols on conducting covert investigative (detective) actions and appendices to them.

                   

                  • Does national legislation require any relationship between the data which must be retained and a threat to public security?

                  Yes, in part, see above.

                   

                  • Does national legislation restrict the data retention in relation to …?
                    • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?

                  No.

                   

                  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

                   

                  No provision would restrict data retention. However, the CPC provides certain confidentiality guarantees to protect the anonymity of whistleblowers.

                   

                  Article 130-1. Payment of remuneration to the whistleblower

                  1. The whistleblower has the right to represent their interests during the consideration of the issue of payment of remuneration to them personally and through a representative - a lawyer (including anonymously, but until the decision on the payment of remuneration to them). To protect the personal data of an anonymous whistleblower after their disclosure to the court, in particular, security measures such as ensuring the confidentiality of personal data and/or a closed trial may be taken.

                   

                  • Does national legislation provide for an exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

                  Yes.

                   

                  Article 258. General provisions related to the interference in private communication

                  1. Interference in private communication of defense counsel, between clergyman and the suspect, accused, convict, acquitted shall be forbidden.

                   

                  Summary:

                  1. In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

                    No, Ukrainian law does not provide a clear definition of “strictly necessary” and there is still some discretion.
                    For instance, information concerning personal life, honour, human dignity, provided that it does not contain information about the commission of actions prohibited by law, is not subject to storage and must be destroyed.
                     
                  2. What objective criteria are used to determine which personal data of individuals are stored?

                    Ukrainian law does not provide objective criteria. Usually, the data which reveals the relation to a crime or crime in preparation is stored.

                  3. Does national legislation require any relationship between the data which must be retained and a threat to public security?

                    Yes, to a certain extent. Data relating to the preparation for terrorist acts or their commission is stored for up to 5 years.

                  4. Does national legislation restrict data retention in relation to:
                     
                    1. Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
                     
                    No.
                     
                    2. Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?
                     
                    No.

                    3. Does national legislation provide for an exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

                    Yes, defence counsels and clergymen are subject to such exceptions. All of the listed persons enjoy the protection.

                  Depending on the stage and the exact surveillance measure, oversight is carried out by supervisory bodies performing general data protection oversight, as well as by other bodies performing judicial oversight after surveillance measures. The following bodies should be taken into account:

                  • court judge - for intelligence measures carried out under the Law of Ukraine “On Intelligence”;
                  • investigating judge and prosecutor - for intelligence measures that are associated with fighting crimes (as described above);
                  • data protection authority - for compliance with data protection rules while storing and processing personal data.

                  Law of Ukraine “On Intelligence”. Surveillance measures could be deployed solely based on a court order. (Article 15-16 of the Law of Ukraine “On Intelligence”).

                  This is a positive factor, as the ECtHR considered that the procedure of judicial authorisation of surveillance measures is the best practice that provides a solid safeguard against arbitrary surveillance. On the other hand, the mere existence of judicial supervision is not sufficient.

                  The ECtHR identified that the judiciary must be capable of verifying the existence of a reasonable suspicion against the person that may give rise to the necessity of secret surveillance measures, conducting proportionality tests, and verifying whether it is possible to achieve the result of surveillance by less restrictive measures.

                  According to the OIA, a request to the court for authorisation of surveillance measures has to contain the following information related to the justification of surveillance measure (there are other requirements as well, however, they are not listed below as they are not relevant to the present issue):

                  • a summary of the circumstances of the case and a justification of the necessity of conducting intelligence measures;
                  • the type of the intended intelligence measure and a reasoning on its duration within the period specified by the law (up to 6 months).

                  Further, the law prescribes that the judge considering the request for authorisation of a surveillance measure shall establish the sufficiency and validity of the grounds for granting such an authorisation.

                  The system of judicial authorisation of surveillance measures contains a substantial gap, as the court is not required to fully assess the existence of a reasonable suspicion against the person, to conduct the proportionality assessment of the measures requested, or to verify whether it is possible to achieve the result of surveillance by less restrictive measures.

                  Also, there is an issue with the absence of ex-post oversight over the implementation of surveillance measures, which should be one of the main safeguards of human rights protection.

                  Judicial oversight of operative investigation measures. As for the operative investigation measures, judicial oversight is carried out when the measure is first ordered by the investigator or prosecutor, and, in exceptional cases, when it is carried out.

                  Article 247 CPC. The investigating judge who considers petitions concerning covert investigative (detective) actions

                  1. Consideration of petitions referred to the powers of an investigating judge per the provisions of this Chapter shall be carried out by an investigating judge of an appellate court within whose territorial jurisdiction the pre-trial investigation body is located, and in criminal proceedings concerning criminal offences Judge of the Supreme Anti-Corruption Court.

                  Article 248. Examination of the request to obtain permission for the conducting of a covert investigative (detective) action

                  1. The investigating judge is required to consider the request to obtain permission for conducting a covert investigative (detective) action within six hours after he has received such request. The request shall be considered with the participation of the person who filed the request.
                  2. The request shall contain:

                  1) a designation and registration number of the criminal proceedings concerned;

                  2) a brief description of the circumstances of the crime within the framework of investigation of which the request is filed;

                  3) a legal qualification of the crime with an indication of Article (section of Article) of the Criminal Code of Ukraine;

                  4) information on the individual (individuals), location, or object in whose respect it is necessary to conduct covert investigative (detective) action;

                  5) the circumstances that provide grounds for suspecting the individual of committing the crime;

                  6) the type of covert investigative (detective) action to be conducted, and substantiation of the time limits for the conducting thereof;

                  7) a substantiation of the impossibility to obtain knowledge by other means on the crime and the individual who committed it;

                  8) information, depending on the type of covert investigative (detective) action, on identification signs which will allow to uniquely identify the subscriber under surveillance, transport telecommunication network, and terminal equipment, etc.;

                  9) a substantiation of the possibility to obtain in the course of covert investigative (detective) action further evidence which, alone or in concurrence with other evidence, may be significantly important for the clarification of the circumstances of the crime or the identification of perpetrators thereof.

                  Art. 250.

                  1. In exceptional urgent cases related to saving lives and preventing the commission of a serious or especially serious crime provided for in Sections I, II, VI, VII (Articles 201 and 209), IX, XIII, XIV, XV, XVII of the Special Part of the Criminal Code of Ukraine, covert investigative (investigative) action may be initiated before the decision of the investigating judge in the cases provided by this Code, by decision of the investigator, agreed with the prosecutor, or the prosecutor. In this case, the prosecutor is obliged to apply to the investigating judge immediately after the beginning of such a covert investigative (detective) action.
                  2. The investigating judge shall consider such a request under the requirements of Article 248 of the CPC.
                  3. Execution of any actions to conduct a covert investigative (detective) action shall be terminated immediately if the investigating judge decides to refuse to grant permission to conduct a covert investigative (detective) action. The information obtained as a result of such covert investigative (detective) action shall be destroyed under the procedure provided for in Article 255 of CPC.

                  General data protection oversight. As for the general data protection oversight, data protection supervision and control in Ukraine are carried out by the Verkhovna Rada’s Commissioner for Human Rights as provided for by the Law of Ukraine “On personal data protection”. The commissioner is not a standalone data protection authority but rather a Parliamentary ombudsperson overseeing human rights protection in general.

                  As an example of the Ombudsman’s oversight of surveillance measures, the Ombudsman recently found violations of data protection law by the cyber police department of the National Police of Ukraine.

                  At the same time, data protection oversight in Ukraine does have certain issues related to staffing and budget. In 2019, the journalism organisation Ukrayinska Pravda made an official request regarding the composition of the commissioner's secretariat and published the response it received. The department for personal data protection consisted of only 13 people and its budget amounted to no more than 150,000 euros. This serves as evidence that the body is not sufficiently resourced.

                  Right to be informed on investigative actions. Law of Ukraine on “Personal Data Protection”

                  Article 21. Notification of personal data processing

                  1. The notifications referred to in part one of this Article shall not be made in the case of:

                  1) transfer of personal data upon request in the performance of tasks of operative-search or counter-intelligence activity, fight against terrorism.

                  Article 253 CPC. Notifying individuals subject to covert investigative (detective) actions

                  1. Individuals whose constitutional rights were temporarily restricted during covert investigative (detective) actions, as well as the suspect and their defence counsel, shall be informed about such restriction in written form by a public prosecutor or, upon their instruction, by an investigator.

                  Access, rectification, or erasure of data collected for the purposes of surveillance.

                  An affected individual can obtain such rectification through court review, as well as by contacting a public prosecutor or the Ombudsman. In this case, general rules on data protection apply (Art. 8 of the Law of Ukraine “On personal data protection”).

                  Who should the individual address?

                  Depending on the area of competence and stage of the action, individuals may address the prosecutor, public investigator, or investigative judge.

                  If data subjects do not receive access to the data relating to them, they may file a complaint with the Ombudsman and with a court (Art. 15, 22, 23 of the Law of Ukraine “On personal data protection”).

                   

                  Summary:

                  1. Does national legislation provide for any possibility for an individual to pursue legal remedies to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?

                    Yes. A person can obtain such rectification through court review or the Ombudsman. However, there are no specific norms on rectification or erasure, and general rules on data protection apply.
                     
                  2. Who should the individual address?

                    Depending on the area of competence individuals may address the prosecutor, the investigator, and the ombudsman.
                     
                  3. Does the court/control committee have access to all relevant information, including closed materials?

                    Yes.
                  Overall, guarantees A-D are present de jure in Ukrainian law only to a limited extent. De facto, guarantees provided by law are often violated or circumvented by authorities, as the rules are not sufficiently clear and some provisions may be governed by internal documents or acts. For example, the Ukrainian data protection supervisory authority recently found violations of the data protection law by the cyber police department of the National Police of Ukraine (accessible at https://ombudsman.gov.ua/ua/all-news/pr/zaxistu-personalnix-danix-departamentom-k%D1%96berpol%D1%96cz%D1%96%D1%97-nacz%D1%96onalno%D1%97-pol%D1%96cz%D1%96%D1%97-ukra%D1%97ni/).
                  Uganda | Africa | UG | N/A
                  Please see the country report for Uganda as part of the study "State of Privacy" conducted by Privacy International.
                  United States of America (USA) | North America | US
                  The Privacy Shield framework has been invalidated by the CJEU, see here
                  (See also DoC List)

                  Organisations adhering to the US-Swiss Privacy Shield on the US DoC list guarantee individuals in Switzerland special protective rights.
                  However, they do not meet the requirements of an adequate level of protection within the meaning of the Swiss Federal Data Protection Act.
                  (See also: List of Countries, Swiss DPA Policy Paper, DoC List)
                  ✔️
                  Limited to the "Privacy Shield" Framework. Unclear if this continues to apply after its invalidation by the CJEU in Schrems II.
                  ✔️ | N/A
                  Please note that the German DPAs published an expert opinion on US surveillance laws drafted by Stephen Vladeck, who discusses surveillance powers of US intelligence agencies, including under FISA 702, Executive Order 12.333 and CLOUD Act.

                  See also, among many other resources related, inter alia, to the Schrems II case before the CJEU, epic.org's information on the Foreign Intelligence Surveillance Court (FISC).
                  Uruguay | UY | ✔️
                  See here
                  ✔️✔️✔️✔️✔️ | Resolución N° 41/021: Contenido mínimo de Cláusulas Contractuales para transferencias internacionales a países no adecuados.
                  The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021).
                  R (Accession), E: 01/08/2013 | S | Martín Pesce Cutri
                  Uzbekistan | UZ | ✔️
                  Vatican City | VA
                  Saint Vincent and the Grenadines | North America | VC
                  Venezuela | South America | VE | Vrikson Iván Acosta Velásquez

                  I am a systemic thinker, oriented to creating and also managing solutions, with J.D., SysEng and M.B.A. degrees, and a Ph.D. (cand.), with many years of experience in internet-related topics, such as digital rights, internet governance, literacy, inclusion, and policy making, among other areas.

                  https://twitter.com/Vrikson_Acosta
                  The law about the protection of the privacy of communications is vague and not updated to the current Constitution, which might be unconstitutionally changed by the regime controlling the country, and that has to be changed once freedom is restored.
                  The law has a vague limitation to what is strictly necessary, and does not provide any exception for persons under an obligation of professional secrecy.
                  There is no independent oversight mechanism, for judges are not independent and there is no sufficient impartiality and independence in the surveillance process.
                  There is no law regarding habeas data, although there is a limited, incomplete, vague procedure created via “normative jurisdiction”, enabling non-pertinent courts to deal with data protection issues, for which neither judges nor the judiciary system has capabilities for these issues, especially regarding technology.
                  Updates to follow as soon as there is any meaningful change.
                  British Virgin Islands | North America | VG
                  U.S. Virgin Islands | North America | VI
                  Vietnam | Asia | VN | ✔️ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021)
                  Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021)
                  ✔️✔️
                  Vanuatu | Oceania/Australia | VU
                  Wallis and Futuna (French Overseas Collectivity) | Oceania/Australia | WF
                  Samoa | Oceania/Australia | WS
                  Kosovo | Europe | XK
                  Yemen | Asia | YE
                  Mayotte (French Overseas Department and Region) | Africa | YT | (EU member state) | ✔️✔️✔️
                  South Africa | Africa | ZA
                  Potential future candidate (p. 52) for adequacy?
                  ✔️
                  See here
                  or here
                  N/A
                  Please see the country report for South Africa as part of the study "State of Privacy" conducted by Privacy International.
                  Zambia | Africa | ZM | ✔️
                  Zimbabwe | Africa | ZW | Nompilo Simanje
                  North Macedonia | Europe | MK | ✔️✔️ | S, R, E: 01/07/2006 | S | Dimitar Gjeorgjievski
                  Cabo Verde (Cape Verde) | Africa | CV | ✔️✔️ | R (Accession), E: 01/10/2018 | Djamilson Pinto
                  Holy See | Europe | VA
                  South Sudan | Africa | SS
                  Saint Martin (French Overseas Collectivity) | North America | MF | (EU member state) | ✔️✔️✔️
                  Saint Barthélemy (St. Barts, French Overseas Collectivity) | North America | BL