Welcome!

Yes.

Article 35 of the Albania Constitution and articles 5 - 7 and 12 - 16 of the law no. 9887, dated 10.03.2008 “On personal data protection” as amended (“Data Protection Law” or “DPL”) provide for the obligation of the data controller to conduct processing activities, inter alia, based on clear, precise and accessible rules.

On the other hand, the interception of communications is specifically regulated under the provisions of the Albanian Criminal Procedure Code, in harmony with the provisions of legislation governing the telecommunication sector.

Albanian legislation does not entitle public authorities to have access to data subjects’ personal data on a generalised basis (including the data sourced through electronic communications).

As such, the principles of article 5, and legal criteria set out under article 6, of DPL provide for several obligations which the public authorities should account to when processing one’s personal data.

According to articles 29 - 38/a of DPL, the competent authority for the supervision and monitoring of the personal data processing and the respecting of the individuals’ right for personal data protection and privacy is the Commissioner for Freedom of Information and Personal Data Protection (the “Commissioner”).

The Commissioner is an independent authority, appointed by the Albanian Parliament for a term of 5 years (renewable).

The Commissioner reports to the Albanian Parliament at least once a year and whenever deemed necessary by and/or is of interest of the latter.

Articles 12 - 15 of DPL confer onto the data subjects the right of seek access to their personal data, the right to seek the blocking of further processing thereof, and the right to seek correction or erasure of their personal data that are, inter alia, untrue, incomplete or processed/collected in violation of the provisions of DPL.

According to article 16 of DPL, any individual is entitled to file complaint with the Office of the Commissioner.

According to article 32 of DPL, any data controller is obliged to cooperate with the Commissioner’s inspectors during the relevant administrative proceedings. To this effect, the Commissioner, in order to properly carry out its legal tasks and duties, it entitled to access the ICT systems used by any data controller personal data processing activities and/or for archiving purposes.

For further information please consult the Commissioner’s website: https://www.idp.al/?lang=en

In accordance with the Law on Criminal Procedure of FBiH and Law on Criminal Procedure of RS, the types of special investigative actions („measures“) and conditions of their application are regulated. These are actions that need to assist prosecutors to effectively reveal the perpetrators and the evidence of serious and complex crimes, especially organized crime. There are criminal offenses in whose execution included a larger number of people in different locations and which are carried out with the help of new communication technologies, so that it is not possible to prove the classic the means of proof (documents, material evidence, witnesses).

Special investigative actions may be ordered in case of criminal offenses punishable by at least three years of imprisonment or by a more severe sentence.

If evidence cannot be obtained in any another way or its obtaining would be accompanied by disproportional difficulties, special investigative measures may be ordered against a person where grounds for suspicion exsists that he or she has committed or has along with other persons taken part in committing or is participating in thecommission of an offense.

Measures referred above shall be ordered by the preliminary proceedings judge in an order upon the properly reasoned motion of the prosecutor containing: the data on the person against whom the measure is to be applied, the grounds for suspicion, the reasons for undertaking the measures and other important circumstances necessitating the application of the measures, the reference to the type of required measure and the method of its implementation and the extent and duration of the measure. The order shall contain the same data as those featured in the prosecutor’s motion as well as ascertainment of the duration of the measure ordered.

Exceptionally, if a written order cannot be received in due time and if there is danger in delay, the execution of a measure may commence on the basis of a verbal order pronounced by the preliminary proceeding judge.

The written order of the court must be obtained within 24 hours following the issue of the verbal order.

Special investigative measures are as follows:

a) Surveillance and technical recording of telecommunications, also called WIRETAPPING;

This measure may be ordered against persons against whom there are grounds for suspicion that he or she will deliver to the perpetrator or will receive from the perpetrator of the offenses information in relation to the offenses, or grounds for suspicion that the perpetrator uses a telecommunication device belonging to those persons. In practice this measure is very useful but it limits right to privacy not only for suspicious person, but indirectly, for any third party with whom the suspect makes contact by means of communication. Companies performing the transmission of information shall be bound to enable the prosecutor and police authorities to enforce these measures.

b) Access to computer systems and computer data comparison;

This measure would apply to the computer crimes such as double accountancy, correspondence and other. State investigative authority have access to computer systems and electronic transmission of data.

c) Supervision and technical recording of the premises;

d) Secret surveillance and technical recording of persons, means of transport and objects which are in relation to them;

This measure nowdays is often applied. If the judge approved this measure in the preliminary procedure in this case it can be evidence.

e) Use of undercover investigators and use of informant;

By compiling or transcribing the records without making references to the personal data therein about the undercover investigator and informant, or in another appropriate way, the prosecutor and the preliminary proceedings judge shall prevent unauthorized persons as well as the suspect and his defense attorney from establishing the identity of the undercover investigator and of informant.

f) Simulated purchase of certain objects and simulated bribery;

g) Supervised transport and delivery of the objects of a criminal offense.

Measures referred above under a), through d) and g) may last up to one (1) month, while on account of particularly important reasons the duration of such measures may upon a properly reasoned motion of the prosecutor be prolonged for a term of another month, provided that the measures referred under a), b) and c) may last up to six (6) months in total, while the measures referred under d) and g) may last up to three (3) months in total.

It is also worth to note that in accordance with the Criminal Code of Federation of Bosnia and Herzegovina (FBiH) and the Criminal Code of Republika Srpska (RS) it is regulated that whoever takes a photograph, film or other recording of another person in his personal premises without that person's consent, or who directly passes on or displays such a photograph to a third person or enables the third person in some other way to have a direct access to the photograph, shall be shall be punished by a fine or imprisonment for a term not exceeding three years. An official person, who perpetrates this criminal offence in the discharge of duty, shall be punished by imprisonment for a term between six months and five years.

Whoever photographs or films a child with an aim of developing photographs, audio-visual tapes or other pornographic materials or who possesses or imports or sells or deals in or projects such material, shall be punished by imprisonment for a term between one and five years. Items meant or used for the perpetration of this criminal offence shall be forfeited and items produced by the perpetration of the criminal offence shall be forfeited and destroyed.

An official or responsible person in the Federation who, without the consent of an individual (data subject) and contrary to the conditions stipulated by the law, collects, processes or uses personal data, or uses such data contrary to the statutory purpose of their collection, shall be punished by a fine or by imprisonment for a term not exceeding six months.

The general overarching national data protection law in Bosnia and Herzegovina (BH) is the Law of Personal Data Protection, published in the Official Gazette of BH (Official Gazette) as Nos. 49/06, 76/11, 89/11 (PDP law).

Data Controller means any public authority, natural or legal person, agency or any other body, which, independently or together with another party, manages, processes and determines the purpose and the manner of personal data processing on the basis of laws or regulations.

In accordance with the Article 22 of the PDP law, it is regulated that before collecting any personal data, the controller shall notify a data subject, unless the data subject has already been informed, on:

1. the purpose of processing,
2. controller, receiving authority or third party whom the data will be accessible,
3. if forwarding of data for processing is legal obligation,
4. consequences in the case that the data subject refuses to proceed so,
5. the cases in which the data subject has right to refuse to provide personal data,
6. if the personal data collection is voluntary,
7. the right to access and the right to correct data referring to him/her.

If the controller failed to collect personal data from a data subject, it is required to notify the data subject without delay about the identity of the third party that provided the controller with the personal data, and provide information aforementioned in accordance with Article 22 of the PDP Law.

Some exceptions do apply. Namely,  the data controller shall not be obliged to provide information on processing of personal data or to enable access to personal data if that action could cause significant damage to legitimate interests of the following categories in Bosnia and Herzegovina:

1. state security,
2. defence,
3. public security,
4. prevention, investigation, detection of crimes and prosecution of perpetrators as well as violations of ethical regulations of the profession,
5. important economic and financial interests, including monetary, budgetary and tax issues,
6. inspection and duties related to control,
7. protection of data subjects or rights and freedoms of other people.

These restrictions shall be allowed only to the extent required in a democratic society for any of the aforesaid purposes.

In accordance with the PDP law, main principles of personal data processing are regulated under the Article 4. 

Personal data protection rules and principles are:

• to process personal data fairly and lawfully,
• to process personal data collected for special, explicit, and lawful purposes in no manner contrary to the specified purpose,
• to process personal data only to the extent and scope necessary for the fulfilment of the specified purpose,
• to process only authentic and accurate personal data and update the data when necessary,
• to erase or correct personal data that are incorrect and incomplete, given the purpose for which the data are collected or further processed,
• to process personal data only within the period of time necessary for the fulfilment of the purpose of their processing,
• to keep personal data in the format that allows identification of the data subject for no longer than required for the purpose for which the data are collected or further processed,
• to ensure that personal data that were obtained for various purposes are not combined or merged.

The principle of legality of personal data processing implies the processing of personal data prescribed by law, which regulate a certain area, i.e. on the basis of and within the limits of laws and other regulations.

The Law of Personal Data Protection (PDP) regulates the processing of personal data which is any operation or set of operations performed on personal data, such as but not limited to:

• Collection, recording, or organisation.
• Storage, adaptation, or alteration.
• Consultation or use.
• Disclosure by transmission, or dissemination.
• Alignment or combination, blocking, erasure, or destruction.

PDP law generally applies to the processing of personal data in the territory of Bosnia and Herzegovina (Article 2(1), PDP law). It also applies to processing outside of Bosnia and Herzegovina when a data controller engages a data processor outside of Bosnia and Herzegovina, to process data on behalf of the data controller (Article 12 and 18 PDP law).

Under the PDP law, a data controller or data processor processing data on behalf of a data controller may process personal data without the consent of a data subject if the processing is:

• In accordance with a law or required to comply with the duties specified by a law.
• Necessary for the data subject to enter into negotiations on a contractual relationship or to fulfil contractual obligations agreed on with the data controller.
• Necessary to protect the vital interests of the data subject.
• Required to complete a task carried out in the public interest.
• Necessary for the protection of rights and interests exercised by the controller or user, if the processing does not contravene the rights of the data subject to the protection of personal privacy and personal life.
• Necessary for carrying out legitimate activities of political parties, political movements, civic associations, trade union organisations, and religious communities.

Personal data are processed only to the extent necessary to fulfil a certain purpose. This principle means that if the law or by-laws adopted on the basis of law do not prescribe per se which personal data are processed, then the minimum personal data required to achieve the purpose of such processing is taken. Realization of the principles of justice and legality means adherence to material and formal legal regulations that are to be applied in a specific legal matter, e.g. insight and access to emails of data subjects.

Therefore, in case personal data processing is carried out by government authorities for intelligence purposes would be justifiable but only to the extent and scope necessary for the fulfilment of the specified lawful purpose and only within the period of time necessary for the fulfilment of the lawful specified purpose. The existence of reasonable suspicion against the data subjects, i.e. persons concerned for specific criminal act charges would be objective criteria used to determine which personal data of individuals are stored. 

Lawyer, defence counsel, notary public, doctor of medicine, doctor of dentistry, or other health professional, a psychologist, a guardian, a religious confessor, or another person who without authorization discloses a secret learned in the exercise of professional duties, shall be punished by imprisonment up to one year.

Disclosure of professional secrets is not criminal offense if someone discovers a secret in the general interest or the interest of another person which is more important than the interest of secrecy.

The PDP law permits the transfer of personal data outside of Bosnia-Herzegovina if adequate safety measures are ensured in the destination country. The adequacy of the safety measures is assessed on case by case basis by the Personal Data Protection Agency of BH (Agency), particularly with regard to:

• The type of personal data.
• The processing purposes and period.
• The country to which data is transferred.
• Related legislation of the country to which data is transferred.
• Professional rules and standards and safety measures in force in the country to which data is transferred.

The Agency considers EU member states adequate for transferring personal data.

The Agency also allows data transfers to countries that do not meet adequacy requirement if:

• The transfer is necessary to conclude or to exercise an agreement between the controller and a third party, and it is in the interest of the data subject.
• A data controller from the destination country provides satisfactory level of guaranty for privacy protection.

In addition to meeting the foregoing requirements, transfers of data abroad require:

• A data transfer agreement.
• Certificate of Incorporation for Data Controller and Data Processor, which is a document issued by a competent authority in specific country that serves as evidence that a foreign data controller or data processor is duly registered as legal entity.
• Notice to data subjects of the intention to transfer personal data outside of Bosnia-Herzegovina.

Materials received through the measures and notification of the measures undertaken:

Upon  the  completion  of  the  application  of  the  measures,  all  information,  data  and  objects  obtained  through  the  application  of  the  measures  as  well  as  a  report  must be submitted by police authorities to the prosecutor. The prosecutor shall be bound to provide  the preliminary proceedings judge with a written report on the measures undertaken. On the basis of  the submitted report the preliminary proceedings judge shall evaluate the compliance with judge's order. 

Should the prosecutor refrain from prosecution, or should the data and information obtained through  the  application  of  the  ordered  measures  not  be  needed  for  the  criminal  proceedings,  these data shall  be  destroyed under the supervision of the preliminary proceedings judge, of which event the judge shall make  separate records.

No data or information received through the undertaking of measures (Incidental Findings) shall be used as evidence if they are not related to a criminal offense  punishable by at least three years of imprisonment or by a more severe sentence. 

In accordance with the PDP law, the controller is not required to provide information to data subject on the processing of personal data in the following cases: 

1. If processing personal data is exclusively for statistical, scientific-research or archival purposes;
2. If the information or the fact that the data were stored is to be held in secret under the laws or with respect to their type, especially because of overriding legitimate interests of the third party;
3. If processesing personal data is consented by the data subject.

The person against whom any of the aforementioned measures were undertaken, shall be notified of the undertaking of the measures, the reasons for their undertaking and information stating that the received materials did not constitute sufficient grounds for criminal prosecution and were thereafter destroyed.  

In case of personal data processing carried out by government authorities for intelligence purposes, the preliminary proceedings judge shall forthwith  and  following  the  undertaking  of  the  measures  inform  the  person  against  whom  the  measures  were  undertaken.  That  person  may  request  from  the  court  a  review  of  legality  of  the  order  and  of  the  method by which the order was enforced. Data and information received through the undertaking of the measures shall be stored and kept as long as the court file is being kept.

The PDP law grants data subjects the following rights, amongst others:

• The right to be informed regarding:
  • the identity of any third party from whom the data controller collects the personal data of the data subject;
  • the status of the data controller's or processor's processing of the data subject's personal data;
  • the purpose of the data processing;
  • legal grounds for and duration of processing; and
  • any party who has or will receive the data subject's personal data and for what purpose.
• The right to access from the data controller, once per year and free of charge, information on personal data processed relating to the data subject.
• If the data subject finds or suspects that a data controller or processor violated the data subject's right or that there is a direct risk of a violation, the data subject has the right to file a complaint with the Personal Data Protection Agency of BH and request any of the following:
  • the controller or processor refrain from the wrongful activities and remedy the factual situation caused by the activities;
  • the controller or processor correct or supplement the personal data to make them authentic and accurate; and
  • the personal data be blocked or deleted.

According to the Article 24 PDP law, it is regulated that the Controller shall, at the request of the data subject, correct, delete or block data that were found to be incorrect or incorrectly listed or processed in any other manner that is contrary to law and rules relating to data processing. The controller shall, at the request of the data subject, inform the third party to whom the data were transferred.

Before start processing personal data, data controllers are required to submit to the Data Protection Agency of Bosnia and Herzegovina (DPA) the Notification/Request for Intention to Establish Personal Data Filing System along with prescribed documents. The DPA will make the assessment based on the documents and forms submitted and following their approval (Authorization) the processing of the personal data may start. The data controller is authorised to begin processing personal data only after the DPA approves the processing, or upon the expiration of two (2) months following the day the request has been received by the DPA. If upon the expiration of 2 months from the day the request was submitted, the DPA makes no decision whatsoever, the processing may also start.

Local notification/authorization regime is based on purposes.

Please note that Prior Notification to the DPA is required whenever the processing does not come directly from a law. Therefore, data controller would be required to notify DPA on its intent to process data and adopt Decision on Personal Data Processing for such purpose.

If the processing of personal data is based on the on particular law (such as Criminal Law, Employment Law, Tax Law etc.), Prior Notification to the DPA is not required. However, DPA's Authorization is still required.

In another words, DPA's Authorization for processing of personal data is always required, while Prior Notification is required only when the processing purpose does not directly come from a specific law.

Ms. Tripti Dhar, Partner – Reina Legal

• B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
• Admitted to practice in India; enrolled with the Delhi Bar Council
• Certified CIPP/E
• Member of International Association of Privacy Professionals (IAPP)
• DSCI Certified Privacy Professional (DCPP)
• Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India

• The nature of the offences which may give rise to an interception or surveillance order;

Article 26 of Constitution:

The freedom of postal, telegraphic, telephonic and electronic communication is safeguarded and its confidentiality is guaranteed. Communications shall not be censored or their confidentiality breached except in exigencies specified by law and in accordance with procedures and under guarantees prescribed by law.

Article 372 Amiri decree no. 15 of 1976 with respect to enactment of the Penal Code:

A fine not exceeding BD20 shall be penalty for any person who opens a letter or telegram against the will of the addressee or eavesdrop on a telephone conversation. An offender shall be liable for imprisonment for a period not exceeding 6 months or a fine not exceeding BD 50 if he divulges the contents of the letter, telegram, or telephone conversation to a person other than that to whom it has been intended and without the permission thereof should such action cause damage thereto

Article (4) of Law on Combating Cybercrime in the Kingdom of Bahrain:

Without prejudice to any more severe penalty in any other law, imprisonment with a fine not exceeding one hundred thousand Dinars or one of these penalties shall be punishable by wiretapping, intercepting or intercepting without legal justification using technical means, Transmitted from or to the IT system, including any emissions of electromagnetic waves from the IT system that carry such data. If an eavesdropping, capture or objection results in a disclosure of the transmission or part thereof without legal justification, that is not an aggravating circumstance.

• A definition of the categories of people that might be subject to surveillance;

The existing laws in the region are silent on this subject.

• A limit on the duration of the measure;

The existing laws in the region are silent on this subject.

• The procedure to be followed for examining, using and storing the data obtained;

The existing laws in the region are silent on this subject.

• The precautions to be taken when communicating the data to other parties; and

The existing laws in the region are silent on this subject.

• The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

The existing laws in the region are silent on this subject.

• Furthermore, please assess whether the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.

The existing laws in the region are silent on this subject.

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

The existing laws in the region are silent on this subject.

• What objective criteria are used to determine which personal data of individuals are stored?

The existing laws in the region are silent on this subject.

• Does national legislation require any relationship between the data which must be retained and a threat to public security?

The existing laws in the region are silent on this subject.

• Does national legislation restrict the data retention in relation to …?
  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (e., witnesses)?
• Does national legislation provide for any exception for persons under an obligation of professional secrecy (g., doctors, judges, public prosecutors, lawyers)?

• “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

The existing laws in the region are silent on above subjects.

• Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
• Who should the individual address (see, Guarantee C)?
• Does the court/control committee have access to all relevant information, including closed materials?

• The nature of the offences which may give rise to an interception or surveillance order :

- national independence, territorial integrity and security as well as national defense;

- the prevention of terrorism;

- the prevention of attacks on the government;

- the major interests of foreign policy, the execution of international commitments of Benin and the prevention of any form of foreign interference;

- crime and organized crime;

- the fight against the proliferation of arms;

- economic, industrial and scientific interests.

(Intelligence Services Act in Benin Republic : Article 3)   

• A definition of the categories of people that might be subject to surveillance :  

The surveillance measures are applicable to any person on whom there are serious reasons to collect information for intelligence purposes, except members of parliaments, judges, public prosecutors and barristers during the period of their mandate or professional activity, as well as people who, by virtue of their statute are likely to know of the indictment of the President of the Republic and members of the Government.

The exemption can be lifted by the National Commission for the Control of Surveillance Measures as part of legal proceedings or under conditions of absolute necessity.

(Intelligence Services Act in Benin Republic : Article 6)   

• A limit on the duration of the measure :

The surveillance measures are granted for a maximum period of four (4) months by the National

Commission for the Control of Surveillance Measures. They shall stop at the end of this period. They are renewable under the same conditions of form and duration.

(Intelligence Services Act in Benin Republic : Article 17)   

• The procedure to be followed for examining, using and storing the data obtained :

The authorization granted by the Head of Government to carry out surveillance measures is subject to the prior opinion of the National Commission for the Control of Surveillance Measures, except in the cases provided by the law.  

The Commission has twenty four (24) hours to respond to requests and seventy two (72) hours if a plenary session of the committee is necessary.

After authorization by the Head of Government, and with the exception of the emergency cases listed in the law, requests for the implementation of surveillance measures are expressed in writing and are motivated by the National Intelligence Coordinator.  

Each request must specify:

- the organization for which it is presented;

- the purpose (s) pursued;

- the reason (s) for the measure (s);

- the person (s) concerned.

If the identity of the person (s) concerned is not known, s/he may be designated by his technical identifier (s) or his/her function (s).

Requests for renewal of an authorization also specify the reasons why this renewal is justified.

(Intelligence Services Act in Benin Republic : Article 14, 15, 16)   

• The precautions to be taken when communicating the data to other parties :

If a request for international mutual legal assistance, or if a national legal procedure concerns facts or acts committed by intelligence services and covered by the secrecy of national defense, the public prosecutor, under the authority of the minister in charge of justice, shall inform the National Intelligence Coordinator.

If this is the case, the Minister of justice shall inform the public prosecutor or the requesting international authority that its request cannot be granted, in whole or in part. This decision is notified to the judicial authority at the origin of the request and shall obstruct the execution of the request or the return of performance documents.

If this is not the case, the National Intelligence Coordinator shall propose total or partial lifting of the secrecy of national defense, relating to these acts and acts committed.

(Intelligence Services Act in Benin Republic : Article 25)   

• The circumstances and substantive and procedural conditions relating to the access of the competent authorities :

The authorization and implementation of surveillance measures on national territory can only be decided if:

- they proceed from an authority legally empowered ;

- they result from a procedure in accordance with the law;

- they respect the missions entrusted to the competent services;

- they are justified by the threats, risks and challenges related to the fundamental interests of the Nation.

(Intelligence Services Act in Benin Republic : Article 4)   

• Furthermore, please assess whether the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.

The agents committed for the collection of intelligence data must be sworn agents. They are  responsible for any deliberate infringement of the individual liberties and the rights to privacy if the violations go beyond the provisions of the law. 

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

Rights to privacy, in particular the secrecy of correspondence, the protection of personal data and the inviolability of home, are guaranteed by law.

The public authority can only infringe on them in case of necessity, of public interest and within the limits fixed by law.  

(Intelligence Services Act in Benin Republic : Article 4)   

• What objective criteria are used to determine which personal data of individuals are stored ?

Only information related to one of the following objectives can be retained :

- national independence, territorial integrity and security as well as national defense;

- the prevention of terrorism;

- the prevention of attacks on the government;

- the major interests of foreign policy, the execution of international commitments of Benin and the prevention of any form of foreign interference;

- crime and organized crime;

- the fight against the proliferation of arms;

- economic, industrial and scientific interests

(Intelligence Services Act in Benin Republic : Article 18)   

• National legislation requires a relationship between the data which must be retained and a threat to public security

(Intelligence Services Act in Benin Republic : Article 3)   

• National legislation does not restrict the data retention in relation to …
  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime
  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)
    
    
• National legislation provides for exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)

• “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

The National Commission for the control of surveillance measures is an independent administrative authority.

It is composed of five (5) members :

- two (2) members of parliament designated for the duration of the legislature by the National Assembly, one (l) from the majority and one (l) from the minority;

- two (2) judges of the Supreme Court appointed by the President of the Supreme Court, one from the Administrative Chamber, the other from the Judicial Chamber;

- one (1) high ranking officer, still in function or not, appointed by the Head of Government because of his knowledge and experience in intelligence and State security

In the exercise of their functions, the members of the commission do not receive instructions from any authority.

(Intelligence Services Act in Benin Republic : Articles 7 and 8)   

• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio ?

The authorization granted by the Head of Government to carry out surveillance measures is subject to the prior opinion of the National Commission for the Control of Surveillance Measures, except in the cases provided by the law.     

• National legislation provides for possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data.

Any citizen who suspects that he or she is subject of surveillance can submit a complaint to the National Commission for control of surveillance measures which shall carry out investigations

The Court of Appeal has jurisdiction in first instance to hear cases related the implementation of surveillances measures.  

The Supreme Court has jurisdiction in last resort.

(Intelligence Services Act in Benin Republic : Articles 32 and 33)   

• Who should the individual address (see, Guarantee C) ?

An independent oversight committee.  

• Does the court/control committee have access to all relevant information, including closed materials?

The requests and authorizations are recorded in the registers kept by the National Intelligence Coordinator and accessible to the National Commission for the Control of surveillance measures whenever necessary

Law No 217- 44 of 5 February 2018 on Intelligence Services in the Republic of Benin

Constitutional Court decision No DCC 18-013 of 01 February 2018 

Alexander McD White, Privacy Commissioner

Commissioner White is Bermuda’s first Privacy Commissioner, establishing the office and building the foundations for a successful data protection environment in the country. He is a licensed lawyer, a founding member of the International Association of Privacy Professionals' Privacy Bar Section Advisory Board, and founder of the IAPP State, Local, and Municipal (SLAM) Government Affinity Group. He served a three-year term on the U.S. Department of Homeland Security (DHS) Data Privacy and Integrity Advisory Committee (DPIAC). Prior work includes service as State Deputy Chief Privacy Officer for the U.S. State of South Carolina and as a lawyer in the insurance industry. For more information, see: www.linkedin.com/in/a1exwhite

Note: This analysis of European Essential Guarantees is primarily based upon Bermuda’s Personal Information Protection Act (PIPA), which received Royal Assent in 2016. As a United Kingdom Overseas Territory, individuals in Bermuda are also protected by the European Convention on Human Rights.

The Personal Information Protection Act 2016 (PIPA) requires that processing of data be based on specific “conditions” (section 6) that largely align with the “legal bases” of the European Union’s General Data Protection Regulation. Further, as a United Kingdom Overseas Territory, Bermuda law is influenced by the decisions and case precedent of the European Court of Human Rights.

The Personal Information Protection Act 2016 (PIPA) contains certain “Minimum Requirements” that apply to all entities in Bermuda, even national security entities that are exempt from other PIPA requirements. These Minimum Requirements include “Fairness” (section 8) and “Proportionality” (section 11) that largely align with concepts of necessity and proportionality in European law and jurisprudence. Further, as a United Kingdom Overseas Territory, Bermuda law is influenced by the decisions and case precedent of the European Court of Human Rights.

Bermudians have numerous avenues by which to appeal to protect their rights. The Personal Information Protection Act 2016 (PIPA) creates the Office of the Privacy Commissioner, with powers to receive reports, investigate, and issue orders of any entity subject to PIPA. This includes national security entities, which must comply with PIPA’s “Minimum Requirements.” The Privacy Commissioner is an independent officer appointed by the Governor of Bermuda, not its political government, and “shall not be subject to direction of control of any other person or authority” (section 26). In addition, Bermuda’s Human Rights Commission receives complaints and investigates violations of Bermuda’s Human Rights Act, and individuals may protect their common law rights to privacy through Bermuda’s courts. Further, as a United Kingdom Overseas Territory, Bermuda law is influenced by the decisions and case precedent of the European Court of Human Rights.

Individuals have the ability to report violations to the Office of the Privacy Commissioner, who has statutory powers to investigate and issue orders. The Privacy Commissioner’s orders are subject to judicial review by the Supreme Court of Bermuda (PIPA section 45), and if the court finds violations of orders then both entities and individual actors personally may be held liable (PIPA section 47). Further, as a United Kingdom Overseas Territory, individuals in Bermuda may submit their case for review by the European Court of Human Rights.

For more information on the Office of the Privacy Commissioner, including copies of the Personal Information Protection Act 2016 and regulatory guidance, visit www.privacy.bm.

In terms of Section 28 of the Cybercrime & Computer Related Crimes Act, 2018 empowers a police officer or any person authorized by the Commissioner may apply to a judicial officer ex-parte for an order permitting real time collection or recording of traffic data. An order may also be granted ex-parte compelling a service provider to effect such real time collection or recording of traffic data. The Directorate of Intelligence Security Services (DISS) may also intercept communications in terms of Section 22(4) of the Intelligence Security Services Act pursuant to a court order, the Act provides that the Directorate shall show cause to a judicial officer justifying the grant of the surveillance order.

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?
• What objective criteria are used to determine which personal data of individuals are stored?
• Does national legislation require any relationship between the data which must be retained and a threat to public security?
• Does national legislation restrict the data retention in relation to …?
  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (e., witnesses)?
• Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

• “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

A judicial officer oversees surveillance only in respect of the application made to get an order; it is then that the judicial officer considers the reasons justifying derogation from an individual’s fundamental right to privacy. In practice, the reasons advanced are usually unknown to those that the court orders are granted against and to the people especially that it is an ex-parte application.

• Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
• Who should the individual address (see, Guarantee C)?
• Does the court/control committee have access to all relevant information, including closed materials?

Have a look at this article written by a former lecturer of mine at the University of Botswana:

Balancing the Right to Privacy and the Public Interest: Surveillance by the State of Private Communications for Law Enforcement in Botswana

Cybercrime & Computer Related Crimes Act:

https://www.bocra.org.bw/cybercrime-and-computer-related-crimes-act-2018

Data Protection Act:

https://www.bocra.org.bw/data-protection-act

Section 22 of the Intelligence Security Services Act:

22. Powers of entry, search and seizure

            (1) Where the Director General believes, on reasonable grounds, that a warrant under this section is required to enable the Directorate to investigate any threat to national security or to perform any of its functions under this Act, the Director General shall apply to a senior magistrate or a judge of the High Court for a warrant in accordance with this section.

            (2) If the magistrate or judge to whom an application is made under subsection (1) is satisfied that there are reasonable grounds for suspecting that there is in the premises, place, vessel, boat, aircraft or other vehicle anything which is or contains evidence of the commission of any of the offences referred to in this Act, he or she may by warrant direct the Director General, or any officer or support staff authorised by the Director General under this Act, to enter and search such premises, place, vessel, boat, aircraft or other vehicle and seize and detain anything which the Director General, or the officer or support staff authorised by the Director General, has reason to believe is or contains evidence of any of the offences referred to in this Act.

            (3) Whenever the Director General, or an officer or support staff authorised by him or her under this Act, has reasonable cause to believe that there is in any premises, place, vessel, boat, aircraft or other vehicle any article or document-

            (a)       which is evidence of the commission of an offence referred to in this Act;

            (b)       in respect of which an offence has been, is being, or is about to be committed under this Act;

            (c)        is being conveyed, or is concealed or contained in any package in the premises, place, vessel, boat, aircraft or other vehicle, for the purpose of being conveyed,

then and in any such case, if the Director General, or the officer or support staff authorised by him or her under this Act considers that the special exigencies of the case so require, he or she may without a warrant enter the premises, place, vessel, boat, aircraft or other vehicle, and search, seize and detain such article, document or package.

            (4) The court mentioned in subsection (1) may, on application made by the Director General or an officer or support staff authorised by him or her to do so, issue a warrant under this section authorising the taking of such action as may be specified in the warrant in respect of anything so specified if the court considers it necessary for that action to be taken in order to obtain information which-

            (a)       is likely to be of substantial value to the Directorate in the discharge of its functions; and

            (b)       cannot be reasonably obtained through other means:

Provided that in the event the Directorate wishes to conduct an investigation of a personal or intrusive nature such as searches or interception of postal mail, electronic mail, computer or telephonic communications, the Director General or an officer or support staff authorised by him or her shall show cause to a court of Senior Magistrate or above or a Judge of the High Court and obtain an order in a secret hearing.

            (5) In the exercise of the powers of search, seizure and detention under this section, the Director General, or any other officer of the Directorate may use such reasonable force as is necessary in the circumstances, and may be accompanied or assisted by such other person as he or she considers appropriate to assist him or her to enter into or upon any premises, place, vessel, boat, aircraft or other vehicle, as the case may be.

            (6) A magistrate may, on the application, ex parte, of the Director General, by written notice require a person who is the subject of an investigation in respect of an offence alleged or suspected to have been committed by him or her to surrender to the Director General any travel document in his or her possession.

            (7) If a person on whom a notice under subsection (6) has been served fails to comply with the notice, he or she may be arrested and taken before a magistrate.

            (8) Where a person is taken before a magistrate under subsection (7), the magistrate shall, unless such person complies with the notice under subsection (6) or satisfies the magistrate that he or she does not possess a travel document, by warrant commit him or her to prison where he or she shall be safely kept until he or she complies with the notice.

            (9) A person who has surrendered a travel document under this section may at any time make a written application to the Director General for its return, and every such application shall contain a statement of the grounds on which it is made.

            (10) The Director General may, within 14 days of receipt of the application referred to in subsection (9)-

            (a)       grant the application either without conditions or subject to such conditions as to the further surrender of the travel document and the appearance of the applicant at any time and place in Botswana as may be specified by the Director General in a written notice served personally on the applicant; or

            (b)       refuse the application.

• The nature of the offences which may give rise to an interception or surveillance order;

Any “Offence” of the Criminal Code as detailed in section 183[1]. There are 85 listed offences from the Criminal Code which range from high treason, terrorism related, weapons trafficking, bribery, breach of trust, child pornography, keeping a gaming or betting house, murder, sexual assault, robbery, identity theft, and unauthorized use of a computer.

The Criminal Code also lists certain offences of the following Acts:

Bankruptcy and Insolvency Act

Cannabis Act

Competition Act

Controlled Drugs and Substances Act

Copyright Act,

Corruption of Foreign Public Officials Act

Customs Act

Excise Act, 2001

Export and Import Permits Act

Immigration and Refugee Protection Act

Security of Information Act

Trademarks Act

S. 487.014 of the Criminal Code, also allows, without a court order, a law enforcement official “to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.” This means that so long as no other law prohibits such a disclosure, the information may be provided to law enforcement without a court order.

The Canadian Security Intelligence Service[2]  (CSIS) may apply to a judge for a warrant is they believe that information is required to investigate a threat to the security of Canada[3].

Communications Security Establishment Canada[4] (CSEC) is exempted for prosecution under Part VI of the Criminal Code so long as the Minister of National Defence (who is an elected politician[5]) authorized any intercept of private communications[6].  The CSEC may collect “foreign intelligence” by intercepting private communication.

• A definition of the categories of people that might be subject to surveillance;

Anyone participating in private communications with a person who is in Canada[7]

• A limit on the duration of the measure; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances and substantive and procedural conditions relating to the access of the competent authorities.
  Furthermore, please assess whether the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.

I could not find national legislation that addresses the above topics.

[1] https://laws-lois.justice.gc.ca/eng/acts/C-46/page-41.html#h-118716

[2] https://www.canada.ca/en/security-intelligence-service.html

[3] CSIS Act. Section 21, https://laws-lois.justice.gc.ca/eng/acts/C-23/page-9.html#h-1193870

[4] https://www.cse-cst.gc.ca/en

[5] https://www.canada.ca/en/government/ministers/harjit-singh-sajjan.html

[6] National Defence Act

[7] See the definition of “Private Communication” under section 183 of the Criminal Code

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?
  What objective criteria are used to determine which personal data of individuals are stored? Does national legislation require any relationship between the data which must be retained and a threat to public security?

• “(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
• (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law,
• (iii) the disclosure is requested for the purpose of administering any law of Canada or a province, or
• (iv) the disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual;”

Information collection by authority of CSIS Act, is limited to information “strictly necessary” that “intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada“[8]

• Does national legislation restrict the data retention in relation to …?
  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

For Information collection by authority of CSIS Act, the judicial authorization issued under section 11.13  or 21 of the Act is required to address destruction or retention of a dataset.

• Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

There is no specific national legislation that protections citizens from requests for disclosure from governmental bodies in general. However, the Supreme Court of Canada has confirmed that Solicitor-Client privilege is a Constitutional Right[9] under section 7 of the Charter[10] and the right to privacy under section 8 of the Charter.

[8] Canadian Security Intelligence Service Act (R.S.C., 1985, c. C-23), Art.12.1

[9] Canada (Privacy Comissioner) v. Blood Tribe Department of Health, 2008 SCC 44 (CanLII), [2008] 2 SCR 574

[10] https://laws-lois.justice.gc.ca/eng/Const/page-15.html

[11] Canadian Security Intelligence Service Act (R.S.C., 1985, c. C-23), Art. 11.1 (1) b

• “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

 At the moment there is no National body overseeing surveillance measures. Recently, the federal government has introduced Bill C-59[12], which would introduce a new regulatory body, the National Security and Intelligence Review Agency. This regulatory body would oversee the work of all national security agencies. The three major surveillance organizations in Canada are the RCMP, the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE).

• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

Surveillance collected by a warrant obtained through the criminal must be disclosed to the person surveilled after the expiry of the authorization.

[12] https://www.parl.ca/LegisInfo/BillDetails.aspx?Language=E&billId=9057418

• Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data? Who should the individual address (see, Guarantee C)? Does the court/control committee have access to all relevant information, including closed materials?

Section 8 of the Charter of Rights protects Canadians and individuals present in Canada unreasonable search or seizure. If this has been violated, individuals must pursue their claim through the provincial courts through the civil liability legal regime. The most notable case was of Maher Arar who commenced his claim in the Province of Ontario[13] and eventually received an apology and compensation in the amount of $10.5 million from the federal government[14].

[13] https://www.falconers.ca/wp-content/uploads/2016/09/Ara-Statement-of-Claim.pdf

[14] https://archive.vn/20070128130429/http://cnews.canoe.ca/CNEWS/War_Terror/2007/01/26/3453332-cp.html, accessed July 14, 2020.

[15] https://laws-lois.justice.gc.ca/eng/acts/C-5/page-6.html#h-137843

R. v. Rogers Communications, 2016 ONSC 70

Commission of Inquiry Into the Actions of Canadian Officials in Relation to Maher Arar - Archived website versions: https://www.canada.ca/en/privy-council/services/commissions-inquiry/arar.html

Canadian Security Intelligence Service Act: https://laws-lois.justice.gc.ca/eng/acts/C-23/

Canadian Charter of Rights and Freedoms: https://laws-lois.justice.gc.ca/eng/Const/page-15.html

Criminal Code of Canada: https://laws-lois.justice.gc.ca/eng/acts/C-46/index.html

Preliminary remarks:

• Currently, Switzerland benefits from an adequacy decision by the EU Commission pursuant to Article 45 GDPR. It is up for review in 2020 and a decision is expected in the coming weeks as of the publication of this contribution (17 July 2020).
  
  
• This contribution focuses on interception and surveillance regimes based on national law, specifically the following:
  • Federal Act on the Surveillance of Post and Telecommunications (SPTA, SR 780.1) (Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs, BÜPF, Loi fédérale sur la surveillance de la correspondance par poste et télécommunication, LSCPT) and Ordinances
  • Swiss Code of Criminal Procedure (Criminal Procedure Code, CrimPC, SR 312)
  • Federal Act on the Intelligence Service (Intelligence Service Act, IntelSA, SR 121) (Bundesgesetz über den Nachrichtendienst, NDG, Loi fédérale sur le renseignement, LRens) and Ordinances
    
    
• Switzerland, although not a member of the EU, is part of Schengen cooperation, and as such the Schengen regulatory framework may apply to certain access requests. It will not be discussed here.

Nature of the offences which may give rise to an interception or surveillance order:

• Criminal proceedings: National law sets out a (long) list of offences that may justify interception or surveillance orders within criminal proceedings (Articles 269 et seq. CrimPC), provided that a) a strong suspicion exists, b) the seriousness of the offence justifies the measure and c) the investigation so far has provided unfruitful or would be hampered unreasonably without the measure in question.
  
  
• As an exception to the above, metadata relating to telecommunications or postal communication may be requested where there is a strong suspicion that any felony or misdemeanour has been committed (Article 273 CrimPC – this is also possible where the suspicion relates to the simple contravention of “misuse of a telecommunications installation” pursuant to Article 179^septies of the Criminal Code)
  
  
• Surveillance measures may also be ordered pursuant to requests for mutual legal assistance, to search for missing persons, to trace persons on whom a custodial sentence or custodial measure has been imposed or for intelligence purposes (Article 1 SPTA).
  
  
• For intelligence purposes, the Intelligence Service Act sets out a list of threats allowing access to information and data, namely specific threats to internal or external security from terrorist activities, espionage, ABC weapons’ proliferation or illegal trade in radioactive substances, war material and other armaments or an attack on critical infrastructure (Articles 26, 27 and 19 para. 2 IntelSA). Furthermore, and less clearly defined, such measures may be ordered in cases of specific threats to important national interests set out by law (i.e. basic constitutional order, Swiss foreign policy or the protection of Switzerland as a “location for employment, business and finance”, Articles 27, 19 and 3 IntelSA). For the more specific case of data gathering through surveillance measures requiring authorisation, the Federal Intelligence Service must demonstrate, in addition to the abovementioned threat, that the seriousness of the threat justifies the measure and that investigations so far have been unsuccessful or would otherwise be without prospect of success or hampered unreasonably (Article 27 IntelSA).

Categories of people that might be subject to surveillance;

• Within criminal proceedings, surveillance may be ordered against the accused or against a third party, provided that there is reason to believe, based on specific information, that the accused uses the postal address or the telecommunications service of the third party or that the third party receives communications on behalf of the accused or passes on communications from the accused to a third person (Article 270 CrimPC). Other types of surveillance using technical devices (i.e. outside of post and telecommunications) may only be used against the accused person (Article 281 CrimPC)
  
  
• For intelligence purposes, third parties may be monitored if there is reason to believe that the person from whom it is intended to gather the information is using premises, vehicles or storage facilities belonging to the third party or the third party’s addresses, computers or telecommunication connection points in order to transmit, receive or store information (Article 28 IntelSA)

Duration of the measure:

• In the course of criminal proceedings, real-time surveillance can be ordered for renewable periods of maximum three months’ each (Article 274 para. 5 CrimPC). Retroactive surveillance (metadata) can be requested for a six-month period starting from the date of the surveillance order (Article 273 para. 3 CrimPC).
  
  
• For intelligence purposes, real-time surveillance may also be ordered for renewable periods of maximum three months’ each (Article 29 para. 6 IntelSA).

Provisions surrounding access to and use of the data:

• Both for criminal proceedings and intelligence purposes, the relevant legislation contains detailed provisions on the handling of and access to data gathered by the authorities and stored in the relevant databases (SPTA and Ordinance on the Processing System for the Surveillance of Post and Telecommunications, SR 780.12, IntelSA and Ordinance on the Information Systems of the Federal Intelligence Service, SR 121.2).

Proportionality regarding number of persons who can access stored data:

• The relevant legislation relating to surveillance of post and telecommunications contains abstract provisions on the granting of access rights by the body in charge of surveillance, as well as a grid with possible roles and access rights depending on the function of the person requesting access (Articles 7 and 8 as well as Annex of the Ordinance on the Processing System for the Surveillance of Post and Telecommunications, SR 780.12). Access should occur only insofar necessary for the fulfilment of statutory duties. Whether access is limited to what is strictly necessary therefore depends on the ad hoc decisions of the competent body.
  
  
• As regards intelligence purposes, the relevant legislation contains various provisions setting out the principle of cooperation – and thus also sharing of information - of the Federal Intelligence Service with other specifically named public bodies (Articles 60-62 IntelSA and Ordinance on the Federal Intelligence Service, SR 121.1). As multiple bodies may receive information from the Federal Intelligence Service, the relevant provisions aim to provide the purposes or conditions of cooperation as well as illustrate which types of information may be shared, so as to ensure proportionality (cf. a long list of purposes for which data may be shared with national authorities in Annex 3 of the Ordinance on the Federal Intelligence Service, SR 121.1)

• The general duty of telecommunication service providers and postal service providers to retain communications metadata (or “secondary data”) for six months is a blanket duty that does not depend on any ad hoc criteria (Articles 19 para. 4 and 26 para. 5 SPTA, further additional information relating to the subscriber pursuant to Articles 21 para. 2 and 22 para. 2 SPTA). Limitation occurs only insofar as the duty to retain data is limited to 6 months.
  
  
• The law foresees a standard set of attributes that are to be monitored for each type of surveillance. Proportionality is ensured through the conditions to which a surveillance order in criminal proceedings is subject. Access to data by means of real-time surveillance in the context of criminal proceedings is contingent upon several conditions as mentioned under A above.
  
  
• Access to information for intelligence purposes is granted under similar conditions, cf. also the answers under A above. Access to surveillance data in an intelligence context is contingent upon the existence of a specific threat.
  
  
• Data which may be accessed is restricted to a given time period as regards real-time surveillance and retroactive surveillance. In addition to the defined surveillance types, telecommunication service providers or other digital actors (most importantly the “providers of derived communications services”, i.e. services that are based on the services provided by telecommunication service providers) may be requested to give the (any) metadata available to them relating to the person under surveillance. There are restrictions regarding the types of persons which may be subject to surveillance measures (see question A above) and there are exceptions for data relating to persons subject to professional secrecy obligations (Article 271 CrimPC and Article 21 IntelSA).

• Surveillance measures in the context of criminal proceedings must be authorised by the competent court for compulsory measures (Article 272 CrimPC), an independent judiciary body at cantonal (regional) level. Surveillance measures within the ambit of the Federal Intelligence Service are subject to the authorisation of the Federal Administrative Court and clearance from the Head of the relevant (Defence) department (Article 27 paras. 2 and 3 IntelSA). Composition of judicial bodies is governed by Article 6 of the European Convention on Human Rights and Articles 29a and 30 of the Swiss Federal Constitution which both foresee an independent and impartial tribunal constituted by law.
  
  
• Surveillance measures within criminal proceedings may be ordered provisionally by the public prosecutor, the request for authorisation must be submitted within 24 hours and the competent court must rule within 5 days of receiving the request (Article 274 CrimPC).
  
  
• For intelligence purposes, the ordinary procedure requires an application to the Federal Administrative Court before the measure is ordered. The Federal Administrative Court rules within five days (Article 29 IntelSA). Once court authorisation is granted, the Head of department decides whether to grant clearance to conduct surveillance or not (Article 30 IntelSA). In urgent cases, surveillance measures can be ordered by the Federal Intelligence Service immediately, but the Federal Administrative Court and the Head of department must be informed at the same time. Either may terminate the measure with immediate effect. The substantiated application must be filed within 24 hours of ordering the urgent measure (Article 31 IntelSA)

As regards data collected through surveillance measures in criminal proceedings, the access to personal data is governed:

• During proceedings, by the applicable Code of Criminal Procedure (CrimPC) which sets out the right to access both the files and personal data (Articles 97-98 and 101 CrimPC, see Article 10 para. 1 a SPTA)
  
  
• After the end of the proceedings, by the relevant data protection legislation applicable to the public body last in charge of data processing (either the Federal Data Protection Act FDPA, SR 235.1, or the relevant cantonal law). All Swiss data protection laws set out basic rights of access and rectification and under certain circumstances also erasure of personal data.
  
  
• A request relating to personal data is to be addressed in the first instance to the public body acting as a controller, i.e. the body in charge of the proceedings (Article 10 para. 3 SPTA). For requests made both during and after the proceedings, legal remedies are available to the affected person (namely appeal to a criminal court under the CrimPC [Article 393 CrimPC], appeal to the Federal Administrative Court for decisions rendered by public bodies at federal level [Article 33 para. 1 FDPA and Articles 31-33 of the Federal Act on the Federal Administrative Court, SR 173.32]).
  
  
• Information access requests relating to data collected by the Federal Intelligence Service may be addressed to the Federal Intelligence Service; the latter however is given multiple grounds on which it may defer providing information (Article 63 IntelSA). The applicant may request the Federal Data Protection Commissioner (Article 64 IntelSA), then in second instance also the Federal Administrative Court (Article 65 IntelSA) to review the lawfulness of the data processing and whether overriding interests in preserving secrecy justify the deferral (Article 63 para. 3 IntelSA). Notifications by the Federal Data Protection Commissioner and the Federal Administrative Court are made using standard wording. There is no further appeal against the decision of the Federal Administrative Court (Article 66 para. 2 IntelSA) due to the political nature of the activity of the Federal Intelligence Service

English versions of the main acts cited above can be found here:

• SPTA
• CrimPC
• IntelSA

Federal Supreme Court decision of March 2^nd, 2018 (in German), finding that the blanket duty to store telecommunications metadata for a duration of six months as per the SPTA does not violate Article 8 of the European Convention on Human Rights nor the corresponding provision of the Swiss federal constitution (Article 13):

• BGE 144 I 126

• The nature of the offences which may give rise to an interception or surveillance order;
• A definition of the categories of people that might be subject to surveillance:
  NO.
• A limit on the duration of the measure:
  NO.
• The procedure to be followed for examining, using and storing the data obtained:
  NO.
• The precautions to be taken when communicating the data to other parties:
  NO.
• The circumstances and substantive and procedural conditions relating to the access of the competent authorities.
• Furthermore, please assess whether the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

• What objective criteria are used to determine which personal data of individuals are stored?

• Does national legislation require any relationship between the data which must be retained and a threat to public security?

• Does national legislation restrict the data retention in relation to …?
  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?

• • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

• Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

• “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

• Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?

• Who should the individual address (see, Guarantee C)?

• Does the court/control committee have access to all relevant information, including closed materials?

• The nature of the offences which may give rise to an interception or surveillance order.

Ecuadorian legislation establishes that interception or surveillance measures may be carried out as a priority in the case of offenses considered as serious in accordance with the Convention against Transnational Organized Crime. Nevertheless, the Public Prosecutor's Office may request a judge to order an interception or surveillance measure for any offence established in the Criminal Code. The petition must be duly motivated. Furthermore, according to the National Security Act, in cases of undercover investigation related to national security situations, interception or surveillance measures can be performed upon obtaining judicial authorization or court order.

• A definition of the categories of people that might be subject to surveillance.

There is no definition nor limitation regarding a category of people.

• A limit on the duration of the measure.

The Criminal Code established a 90-day measure duration. This term can be renewed once for an equal period.

For national security matters, the National Security Law establishes a 60-day measure duration. This term can be renewed once for an equal period. 

• The procedure to be followed for examining, using and storing the data obtained.

The Criminal Code establishes that the Prosecutor must request the intervention measure to the judge. This petition must be duly motivated with relevant evidence related with the purpose of the investigation. The judge will determine the period for the interception; this must not exceed 90 days. The Prosecutor may request an extension for a similar period. Data and information obtained during the interception may be used in the procedure against the alleged offender. The data and information must remain secure and confidential.  Only the transcription of the conversations or parts that are considered useful or relevant for the criminal investigation, will be included in the criminal procedure. 

Meanwhile, the National Security Act establishes that the information that is not related or will not be used  in a criminal procedure must be destroyed or deleted with the court`s authorization.

• The precautions to be taken when communicating the data to other parties
  

There is no technical description regarding the precautions to be taken when communicating the data to other parties. Nevertheless, the National Security Law establishes that the access to reserved information shall be authorized by both the National Secretariat of Intelligence and officials from related agencies. Furthermore, the Criminal Code establishes that all digital content (including recordings and videos) must be in compliance with the chain of custody procedures.

• The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

According to the Criminal Code, the Prosecutor must file a petition duly motivated to the judge, requesting any interception or surveillance measure. The motivation of the petition must determine the need of the interception measure with the purpose of the investigation. Meanwhile, the National Security Law establishes that the National Intelligence Secretariat must file a petition to the President of the National Court for the implementation of interception and surveillance measures. Access to reserved information will only be granted to officials of the National Intelligence Secretariat and related authorities, including police or army members related to the investigation. 

• Furthermore, please assess whether the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

The Criminal Code allows the recording of all communications and information. Nonetheless, the use of these communications and information, is limited to the scope of the criminal investigation. The person may request all the recordings, when he or she deems it appropriate.  

Meanwhile, the National Security Law does not establish any objective limitation to the strictly necessary. Nevertheless, the President of the National Court may limit or prohibit the interception or surveillance if the interception or surveillance measures violates or  affects constitutional rights. Information collected and not considered as necessary for the criminal procedure must be destroyed or erased, previous authorization and in presence of the President of the National Court. 

• What objective criteria are used to determine which personal data of individuals are stored?

The Criminal Code and the National Security Law establishes that the data which must be stored is that which would give rise to the initiation of a criminal procedure. The information must be destroyed or erased if it not required or used in the criminal procedure.

• Does national legislation require any relationship between the data which must be retained and a threat to public security?

Yes, the National Security Law establishes that the data which must be retained has to be related or would give rise to a criminal procedure (if the data is related to a threat to national security).

• Does national legislation restrict the data retention in relation to …?
  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?

The National Security Law prohibits data and information treatment based or selected by a persons religion, ethnicity, sexual orientation, political views, trade union, cultural, labor organizations or any other information that could result on discrimination.

• • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (e., witnesses)?

There is no time restriction or limitation. Depending on the third person, it may be subject to a particular regulation (i.e. Witnesses protection regulation).

• Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

• “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

A judge is responsible for overseeing the surveillance measures. The judge is an independent authority and may refuse the interception or surveillance if these measures, if they violate constitutional rights or if they are not considered relevant for the criminal investigation.  

For national security measure, the President of the National Court is the competent judge to authorize or override these measures

• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?]

• Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?

Yes, Ecuadorian legislation recognizes the constitutional guarantee of habeas data. With this constitutional guarantee, the data subject may request the rectification or deletion of his personal data.

• Who should the individual address (see, Guarantee C)?

The individual can file a habeas data to any judge.

• Does the court/control committee have access to all relevant information, including closed materials?]

Preliminary Remarks:

The majority of UK State surveillance law is contained in the Investigatory Powers Act 2016 (IPA 2016). Among the powers that the Act makes provision for includes the retention of communications data and the acquisition of communications data. Further rules and procedures can also be found in the Communications Data Code of Practice and the Bulk Acquisition of Communications Data Code of Practice, both of which were issued by the Home Office in 2018 under the IPA 2016.

In relation to the retention of communications data, the Secretary of State may require a telecommunications operator to retain communications data by providing that operator with a retention notice (s.87(1) IPA 2016). The Home Office, liaising with various public authorities (including the SIAs), is responsible for issuing retention notices. Telecommunications operators subject to a retention notice must keep the existence and the content of such a notice secret unless permission is given otherwise by the Secretary of State (ss.95(2) and (3) IPA 2016).

In relation to the acquisition of communications data, public authorities can obtain authorisation for the acquisition of communications data from telecommunications operators (ss.60A and 61 IPA 2016). This power may also be exercised in bulk form (s.158 IPA 2016). The existence and contents of an acquisition notice must be kept secret unless permission is given otherwise by the public authority serving the notice or the Secretary of State (ss.82(1) and (3) and 174(1) and (2) IPA 2016).

“Communications data” essentially means metadata, i.e., the ‘who, what, where and how’ of a communication (s.261(5) IPA 2016).

“SIAs” means the security and intelligence agencies, which includes the Government Communications Headquarters (GCHQ, for which see s.3 of the Intelligence Services Act 1994), MI5 (see s.1 of the Security Service Act 1989) and MI6 (see s.1 of the Intelligence Services Act 1994).

Retention of Communications Data

• In the interests of national security.
• For the purpose of preventing or detecting serious crime, i.e., a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose (s.263(1) IPA 2016).
• In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security.
• In the interests of public safety.
• For the purpose of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health.
• To assist investigations into alleged miscarriages of justice.

Acquisition of Communications Data

• In the interests of national security.
• For the purpose of preventing or detecting serious crime, i.e., a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conducted by a large number of persons in pursuit of a common purpose (s.263(1) IPA 2016).
• In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security.
• In the interests of public safety.
• For the purpose of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health.
• To assist investigations into alleged miscarriages of justice.
• Where a person (P) has died or is unable to identify themselves because of a physical or mental condition, so as to assist in identifying P or to obtain information about P’s next of kin or other persons connected with P or about the reasons for P’s death or condition.

• In the interests of national security.
• For the purpose of preventing death or detecting serious crime, i.e., a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose (s.263(1) IPA 2016).
• In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security.

• Providers of web-based email
• Providers of messaging applications
• Providers of cloud-based services
• Commercial entities providing communication services ancillary to the provision of another service, such as hotels, airport lounges and public transport operators

• Under a retention notice, the communications data may only be retained for up to 12 months (s.87(3) IPA 2016).
• A targeted acquisition notice lasts up 1 month, subject to renewal (s.65(1) IPA 2016).
• A bulk acquisition notice lasts up to 6 months, subject to renewal (s.162 IPA 2016)

• Secure that the retained data is of the same integrity, and subject to at least the same security and protection, as other data held on the same system
• Secure, by appropriate technical and organisational measures, that the data can be accessed only by specially authorised personnel
• Protect, by appropriate technical and organisational measures, the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised, or unlawful retention, processing, access, or disclosure
• In addition, operators must ensure that data are destroyed where the retention period no longer applies and there are no other legal obligations requiring the retention of the data (s.92(2) IPA 2016).

• The communications data may only be obtained for the purpose of a specific investigation or to test, maintain or develop equipment, systems or other capabilities relating to the availability of obtaining communications data (ss.60A(1)(b) and 61(1)(b) IPA 2016).

• The communications data obtained may only be retained for a duration necessary for, essentially, the grounds on which the notice was issued (s.171 IPA 2016).
• The examination of communications data sought must be necessary for specified operational purposes (s.158(1)(c)(i) IPA 2016).
• Arrangements must be in place to ensure that the communications data are stored in a secure manner (s.171(4) IPA 2016).

• Under a bulk acquisition notice, the number of a persons to whom the communications data are disclosed and the extent to which any of the data is disclosed or otherwise made available must be kept to the minimum necessary for, essentially, the grounds on which the notice was issued (ss.171(2)(a) and (b) IPA 2016).

Retention of Communications Data

• The likely benefits of serving the notice
• The telecommunications service to which the notice relates
• The appropriateness of limiting the data to be retained by reference to location or descriptions of persons to whom telecommunications services are provided
• The likely number of users (if known) to which the notice relates
• The technical feasibility of complying with the notice
• The likely cost of complying with the notice
• Any other effect of the notice on the telecommunications operator

• Whether what is sought to be achieved by the notice could reasonably be achieved by other less intrusive means
• The public interest in the integrity and security of telecommunication systems
• Any other aspects of the public interest in the protection of privacy

Targeted Acquisition of Communications Data

• Identify those who are using a service on the internet only where the service and the time of use are already known (s.62(3) IPA 2016)
• Identify the internet communications service being used by a known person or apparatus, including when and how it is used (ss.62(4)(b)(i) and 62(5)(c)(i) IPA 2016)
• Identify the internet service being used, including when and how, by a known person or apparatus (ss.62(4)(b)(iii) and 62(5)(c)(iii) IPA 2016)
• Obtain access to, or run, a computer file program by a known person or apparatus involving, wholly or mainly, the making available or acquisition of material the possession of which is a crime (ss.62(4)(b)(ii) and 62(5)(c)(ii) IPA 2016)

• Whether what is sought to be achieved by the notice could reasonably be achieved by other less intrusive means
• The public interest in the integrity and security of telecommunication systems
• Any other aspects of the public interest in the protection of privacy

Bulk Acquisition of Communications Data

• The examination of the communications data sought must be necessary for specified operational purposes (s.158(1)(c)(i) IPA 2016)
• The examination of the communications data sought for the operational purpose(s) must be necessary on the relevant statutory grounds (s.158(1)(c)(ii) IPA 2016)
• There must be arrangements in place consisting of safeguards relating to the retention and disclosure of the communications data sought (s.158(1)(d) IPA 2016).

• Whether what is sought to be achieved by the notice could reasonably be achieved by other less intrusive means
• The public interest in the integrity and security of telecommunication systems
• Any other aspects of the public interest in the protection of privacy

Retention of Communications Data

• Before a retention notice can be issued, it must be reviewed by a Judicial Commissioner. The Judicial Commissioner must confirm that the notice is necessary and proportionate in relation to the statutory ground on which it is being issued (s.89(1) IPA 2016).
• The Judicial Commissioner must apply the same principles as would be applied by a court on an application for judicial review (s.89(2)(a) IPA 2016) and consider with a sufficient degree of care their general duties in relation to privacy (ss.89(2)(b) and 2 IPA 2016).

• The Investigatory Powers Commissioner is responsible for keeping under review the exercise by public authorities of statutory functions relating to the use of surveillance powers (s.229(1) IPA 2016). The operation of safeguards to protect privacy must also be monitored by the Commissioner (s.229(5) IPA 2016). This can be done by way of audit, inspection and investigation and the Commissioner, with the Judicial Commissioners, may use its powers to carry out such activities (s.235(1) IPA 2016).
• A telecommunications operator can refer back a retention notice to the Secretary of State for review (s.90(1) IPA 2016). This right expires after 28 days starting on the day that the notice was given (reg 2(1) of Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018). This right can be exercised where the obligations required under a notice are unreasonable (reg 2(2) of Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018).

Targeted Acquisition of Communications Data

• Certain public authorities may only obtain an acquisition authorisation from the Investigatory Powers Commissioner, including local authorities (ss.70(2A) and 73(1) IPA 2016). The Commissioner delegates these authorisation duties to the Office for Communications Data Authorisations (OCDA). The OCDA will need to consider the necessity and proportionality of the acquisition authorisation in relation to the statutory grounds on which the notice is being issued (s.60A(1) IPA 2016).
• Authorisations can also be given by a designated senior officer within the public authority itself when the authorisation is sought on certain statutory grounds (s.70(5A) IPA 2016). The designated senior officer will have to consider the necessity and proportionality of the acquisition authorisation in relation to the statutory grounds on which it is being issued (s.61(1) IPA 2016).

• The Investigatory Powers Commissioner is responsible for keeping under review the exercise by public authorities of statutory functions relating to the use of surveillance powers (s.229(1) IPA 2016). The operation of safeguards to protect privacy must also be monitored by the Commissioner (s.229(5) IPA 2016). This can be done by way of audit, inspection and investigation and the Commissioner, with the Judicial Commissioners, may use its powers to carry out such activities (s.235(1) IPA 2016).

Bulk Acquisition of Communications Data

• Before an acquisition notice can be issued, it must be review by a Judicial Commissioner (s.159(1) IPA 2016). The Judicial Commissioner must confirm that the notice is necessary and proportionate in relation to the statutory ground on which it is being issued (ss.159(1)(a) and (b) IPA 2016). The Judicial Commissioner must also ensure that the examination of the communications data is limited to the operational purposes and is necessary in relation to the statutory ground on which it is being issued (ss.159(1)(c)(i) and (ii) IPA 2016).
• The Judicial Commissioner must apply the same principles as would be applied by a court on an application for judicial review (s.159(2)(a) IPA 2016) and consider with a sufficient degree of care their general duties in relation to privacy (ss.159(2)(b) and 2 IPA 2016).

• The Investigatory Powers Commissioner is responsible for keeping under review the exercise by public authorities of statutory functions relating to the use of surveillance powers (s.229(1) IPA 2016). The operation of safeguards to protect privacy must also be monitored by the Commissioner (s.229(5) IPA 2016). This can be done by way of audit, inspection and investigation and the Commissioner, with the Judicial Commissioners, may use its powers to carry out such activities (s.235(1) IPA 2016).

The Data Protection Act 2018

• The SIAs are subject to the obligations under the Data Protection Act 2018 (DPA 2018) where the processing of personal data is carried out by automated means or where the personal data form part of, or are intended to form part of, a filing system (s.82(1) DPA 2018).
• Among these obligations include complying with data subject rights, including the right of access (ss.94 and 95 DPA 2018), and the right to rectification and erasure (s.100 DPA 2018).
• However, the SIAs may be exempt from complying with data subject rights if the personal data are required for the purpose of safeguarding national security (s.110(1) DPA 2018) or if the personal data are processed for the purpose of preventing and detecting crime or the apprehending and prosecuting of offenders (Schedule 11, 2 DPA 2018).

Investigatory Powers Tribunal

• The Investigatory Powers Tribunal (IPT) has special jurisdiction to hear cases against the SIAs, and certain other public authorities, to determine whether such authorities have complied with the Human Rights Act 1998 (which transposes the European Convention on Human Rights (ECHR) into UK domestic law) (s.65(2)(a) Regulation of Investigatory Powers Act 2000 (RIPA)).
• Any person who claims that a UK public authority has infringed their rights may bring proceedings against that authority to the IPT (s.7(1)(a) Human Rights Act 1998).
• An individual may claim to be a victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures only if he is able to show that, due to his personal situation, he is potentially at risk of being subjected to such measures (Human Rights Watch Inc & Others v Secretary of State for the Foreign and Commonwealth Affairs Office & Others (2016)).
• However, the UK is not obliged to respect a person’s right to privacy under the ECHR when that person is situated outside of the territory of the UK in respect of electronic communications which pass through the UK and are obtained by an SIA (Human Rights Watch Inc & Others v Secretary of State for the Foreign and Commonwealth Affairs Office & Others (2016)).
• The IPT is empowered to make orders quashing or cancelling a warrant or authorisation if it finds against a public authority (s.67(7)(a) RIPA).
• The IPT has the power to hear closed hearings whereby SIAs can submit evidence regarding their operations that would be too sensitive or confidential to discuss in open court (Liberty & Others v GCHQ & Others (2014)).
• The IPT may require the assistance of the Investigatory Powers Commissioner or the Judicial Commissioners to investigate claims brought to it as well as require public authorities to disclose all such documents and information as may be required to vet a claim brought to it (ss.68(2) and (6) RIPA).
• The UK High Court has the jurisdiction to hear appeals against the rulings of the IPT where the appeal is based on an error of law made by the Tribunal in its decision (R (Privacy International) v Investigatory Powers Tribunal & Others (2019)).

See Report of the Bulk Powers Review (2016) for a detailed description of the operational utility of the bulk powers contained under the IPA 2016, including the bulk acquisition of communications data.

See R (Liberty) v Secretary of State for the Home Department (2018), in which the High Court held that where public authorities are seeking to serve a retention notice on a telecommunications operator for the purpose of preventing or detecting crime, that purpose should be specifically limited to ‘serious’ crime. The IPA 2016 was amended in 2018 to comply with this part of the judgment (see Data Retention and Acquisition Regulations 2018). However, the Court did find that the other aspects of the retention provisions, including the requirement for a notice to be necessary and proportionate subject to review by a Judicial Commissioner, was held to be compliant with EU law (in particular the Watson Case).

There are two types of secret surveillance in Georgia: Counterintelligence and secret investigative actions. Let’s review legal framework:

1. Law of Georgia “On Counter-intelligence Activities” that is major legal act to detect and prevent terrorist acts and foreign intelligence, to prevent threat against national security of Georgia. They have lots of measures to perform their duties. One of them is electronic surveillance which means secret surveillance and recording of telephone communications, removing and fixing information from the communication channel (connection to the means of communication, computer networks, line communications and stationery equipment), from the computer system (both directly and remotely) and for this purpose the installation of appropriate software in the computer system, determining the geolocation in real time. The government of Georgia approves special authorities who perform counterintelligence services. Electronic surveillance could be implemented by court order. Only Supreme Court of Georgia is authorized to issue order. I can say there is not limit of duration because when electronic surveillance starts it continues for the period necessary to achieve its objectives, but not more than 90 days. But this term is continuable no more than 12 months each time. The quantity is not limited. In urgent need when the delay may result in the destruction of important, factual data necessary for the purposes of counterintelligence or to make it impossible to obtain such data, the head of the Special Service shall have the right to decide whether to initiate an electronic surveillance measure without the judge's order. In such a case, the authorized representative of the head of the special service shall immediately notify the court and, within 24 hours of the start of the electronic surveillance measure, apply to him/her with a relevant petition. The Special Service processes information and saves only necessary one, other information is eliminated. Access to information is restricted and allowed only for limited persons, when security measures are met. The information shall be saved no more than 10 days. Court have opportunity to control surveillance authorization. The official authority who is entitled for surveillance is Legal Entity Georgian Operational-Technical Agency;
   
   
2. “Criminal Procedure Code of Georgia” in article 143¹ defines types of secret investigative actions that could be a) secret eavesdropping and recording of phone conversations; b) removal and recording of information from a communications channel (by connecting to the communication facilities, computer networks, line communications and station devices), computer system (both directly and remotely) and installation of respective software in the computer system for this purpose; c) monitoring of post and telegraphic communications (except for a diplomatic post); d) secret video and audio recording, film and photo shooting; e) electronic surveillance through technical means, which do not endanger human life, health or the environment. It is admissible to carry out several investigative actions at the same time.

The nature of the offences could be an intentionally serious and/or particularly serious offence or offences defined article by article (see article 143³, p.2, sub-paragraph “a”). The people that might be subject to surveillance could be person against whom a secret investigative action is to be carried out, has committed any of the offences defined already (person directly related to the offence), or a person receives or transmits information that is intended for, or is provided by, a person directly related to the offence, or a person directly related to the offence uses the communication means of the person (see article 143³, p.2, sub-paragraph “b”).

The prosecutor is entitled to apply to court with reasonable motion and court is authorized to define period of time to conduct secret investigative action (Article 143³, p. 10, sub-paragraph “d”). There is one exception then prosecutor is entitled to conduct secret investigative action without court ruling in the case of urgent necessity, when a delay may cause destruction of the facts important for the case (investigation), or make it impossible to obtain those data, but he/she is obliged to limit this action in time that doesn’t exceed 48 hours. Also, prosecutor is obliged to apply to first instance court no more than 24 hours after beginning secret investigative process and ask for recognition of lawfulness (article 143³, p. 6). Another exception goes to duration of time that might not be clear and precise because the total period of time to conduct secret investigative action could be 6 months (article 143³, p. 12). There is balance when General Prosecutor of Georgia is authorized to extend secret investigative action once no longer than 3 months.

Some about procedure, after court ruling of authorization or refusing or recognition of lawfulness one copy of ruling is sent to State Inspector Office of Georgia (hereinafter – SIOG, remark: that is authorized to control data protection in the country) by using electronic control program and after submission from SIOG is possible to begin action. Court ruling determines authorized agency that conducts secret investigative action and authorized agency that is introduced and transmitted secret investigative materials. Only investigators, prosecutors and judges may, before the completion of secret investigative actions, examine the information obtained as a result of those actions (provided that such information is substantially related to the issue that they are to review) (article 143⁹).

If materials will be recognized as inadmissible evidence shall be immediately destroyed six months after the court of the final instance renders a ruling on the case. Until destruction, these materials shall be kept in a special depository of a court. No one may access these materials, or make copies of them or use them, except for the parties who use them for the purpose of exercising their procedural powers. The materials obtained as a result of secret investigative actions that are attached to a case as material evidence shall,

be kept in the court for the period of keeping this criminal case. After the expiration of this period, the above materials shall be immediately destroyed. An administration of the court that kept the material before its destruction shall be responsible for adequate keeping of the material obtained as a result of secret investigative actions.

These measures aren’t enough to say that Georgia has clear precise and accessible rules because there is opportunity from State Intelligence Service always and anytime control and listen who they want.

3. Law of Georgia “On Electronic Communications” in article 8 ¹ paragraph 1 declares that the authorized authority has the right to have inpatient or semi-inpatient technical capacity for real-time communication of data transmitted through the infrastructure of the electronic communication company and its identification data. The authorized authority mentioned here is Legal Entity Georgian Operational-Technical Agency.

There is general rule in law of Georgian on Counter-intelligence activities that all measures they carry out depend on strict protection of human rights and freedoms and the rights of legal persons, and respect for human dignity. Counter-intelligence agency has very special and important role in any country to detect and prevent terrorist acts and foreign intelligence, to prevent threat against national security. Their activities are secret so its very difficult to control proportionality or legitimate objectives do meet the expectations or not.

The principles of carrying out secret investigative actions according to Criminal Procedure Code of Georgia are the following: a) Determinacy - there is a list of criminal offences there should be initiated secret investigative actions (article 143³, section 2, sub-section “a”), b) Legitimate goal -  to achieve a legitimate goal in a democratic society, in particular, to ensure national or public security, to prevent riots or crime, to protect the country's economic interests and the rights and freedoms of other persons. Secret investigative actions are necessary in a democratic society if they are carried out due to urgent public needs and if they constitute an adequate and proportional means for the achieving a legitimate goal; c) necessity - Secret investigative actions may be carried out only when the evidence essential to the investigation cannot be obtained through other means or it requires unreasonably great effort; d) Proportionality - The scope (intensity) of the secret investigative action must be proportionate to the legitimate goal of the secret investigative action.

There are special laws providing obligations for professionals to save professional secrecy:

1. Lawyers have permanent obligation to secure professional secrecy according to law of Georgia on Lawyers article 7, p. 1, sub-p “a” and it is not limited in time;
   
   
2. The health care provider is obliged to protect the confidentiality of the information about the patient during and after the patient's death according to Law of Georgia On Patient Rights article 27;
   
   
3. According to Law of Georgia “On Freedom of Speech and Expression” the source of professional secrecy is protected by absolute privilege

The independent oversight mechanism is still under question (see, my Answer in Guarantee A about Constitutional lawsuit) because Legal Entity Georgian Operational-Technical Agency has technical capacity for real-time communication. Court and SIOG have opportunity to control in electronic registry if the measures were done properly.

According to Criminal Procedure Code of Georgia the Supreme Court of Georgia shall prepare a registry of secret investigative actions, which shall include statistical information on secret investigative actions, in particular: information on motions filed with the courts for the conduct of secret investigative actions, and on ruling rendered by courts on those motions, as well as information on the destruction of materials obtained as a result of operative-investigative actions that did not concern criminal activities of the given person but which, include details on that or another person's private life and that has been destroyed in accordance with Article 6(4) of the Law of Georgia on Operative-Investigative Activities.

1. The Constitution of Georgia - https://matsne.gov.ge/en/document/view/30346?publication=35
2. Criminal Procedure Code of Georgia (Old version) - https://matsne.gov.ge/ka/document/download/90034/64/en/pdf
3. Law of Georgia On electronic Communications (Old version) - https://matsne.gov.ge/en/document/download/29620/26/en/pdf
4. Law of Georgia „On Personal Data Protection“ - https://matsne.gov.ge/en/document/download/1561437/5/en/pdf
5. Law of Georgia “ON COUNTER-INTELLIGENCE ACTIVITIES” (Old version) - https://matsne.gov.ge/en/document/download/27364/4/en/pdf

There are many different laws applicable. Older laws (such as p.d. 342/77 about fingerprints and photographs of arrested people) apply to every offence and every arrested person. In case of a conviction the retention period is 90 years after the person’s birth, or until death, if sooner than 90 years. There is no erasure even in case of a decision declaring the defendant innocent if the innocence relies on his/her practical repentance.  There are some measures and procedure steps’ requirements regarding the collection, storage and communicating of the data, as well as a prohibition of confidentiality breach. Among third parties that are allowed to access the data collected, surprisingly private companies are included, as long as the data refer to an employee or candidate employee, and the public prosecutor allows their access. To the best of my knowledge, this provision is due to the period this law came into force and hopefully is currently not applied.

Things look much better regarding the recently renewed Code of Penal Procedure, that enforces the immediate destruction of evidence such as DNA, in case of innocence, or the retention under strict rules of access in a special registry, inspected by a public prosecutor. Any DNA file must be destroyed at the time of death of the referred person. The right to obtain a defendant’ s DNA sample only applies in most severe offences.

 As far as fingerprints collected in the course of passports’ issuance, Greece follows the EU Regulation 2225/2004, but Homo Digitalis complaints about police’ s unlawful practice of retention in its central database of all fingerprints collected for purposes of passport issuance. There is no legal basis for such retention, since the law and the EU regulation, provides for fingerprint storage only on the encrypted machine-readable biographical data page of the passport. 

The main law that provides for video surveillance in public spaces is 3917/2011. Art. 14 p.5 provides that it might be allowed to implement such surveillance only for the specific, exhaustively listed in it, serious offences, through means and under guarantees provided by a presidential decree that was never signed, until recently: on September 10 2020, the Greek Republic issued the presidential Decree 75/2020 for the execution of art. 14.  The first draft of the Decree, was vastly amended, in accordance to the Hellenic DPA Opinion, that had found it to be unconstitutional and totally incompatible with the GDPR and the L.4624/2019 that implemented the EU 2016/680 Directive. The later p.d. provides for the circumstances under which the Hellenic Police, the Coast Guard and the Fire Brigade are allowed to install and operate sound and/or video recording systems, including body worn cameras and drones,  in public places. The provisions of the p.d. are clear enough and accessible to anyone through the national official journal. As for the precision element: Article 5 provides that it is required to have sufficient evidence that the specific offences referred to in art. 3 are taking place or are about to take place in the specific space. The existence of sufficient evidence should be reasoned with reference to facts such as, in particular, statistical or empirical data, studies, reports testimonies, information on frequency, type and  specific characteristics of the crimes committed in a specific area, as well as for, on the basis of the above elements, probable spread or transfer of crime to another public space.   The p.d. provides that a data protection impact assessment should be carried out before the installation decision, but also before the operation decision, of any surveillance system. The p.d. provides for several technical and organizational measures that should be implemented, such as strict access rights, log file retention and encrypted connection.

A recent amendment of L.2800/2000 added art. 25, that provides for the use of police drones for collection and processing of images. There is absolutely no other provision than a rather indefinite reference allowing such a processing “according the law”. Homo Digitalis sent the Minister an open letter about this issue too.

There is another case where the police may currently use smartphone cameras, or other technical equipment to collect image, audio and video footage: art. 41D of L.2725/1999, as it was recently amended provides that: in case of sport events and after a public prosecutor’s authorization, police officers may use such means, for the confrontation of acts of violence and criminal offenses on the occasion of sporting events and for the purposes of prevention, investigation, detection, prosecution of criminal offenses, imposition and execution of criminal sanctions or restrictive conditions. For the lawful collection and processing of the above data, the previous relevant notification of the fans is necessary by any appropriate means, in particular with a clear indication on the ticket, with announcements on fixed or mobile plates, with announcements from loudspeakers or with a relevant announcement in the Media. The physical or digital carrier in which the evidence is embedded is a legal means of proof, which can be used in the context of criminal proceedings and the execution of criminal sanctions and restrictive conditions. The content of the material or digital carrier is permanently deleted or the material or digital carrier is completely destroyed after thirty (30) days from the collection and processing of personal data (unless it actually provides evidence of criminal offence).

C) Undercover/secret police investigations such as video/audio recordings of activities (not communications) PCC art. 254, 255:

The totally renewed in late 2019 Code of Penal Procedure provided specific guarantees for secret investigative acts such as video/audio recordings of activities: such recording is strictly prohibited if the activity is taking place inside a house. It can take place only by a competent public prosecutor order for specific and exhaustively listed serious crimes, and only when there are serious indications of guilt of the person(s) under surveillance. Additionally, there must be no other appropriate way to detect or prevent the specific crime.

D) Retention periods of criminal convictions CPP art. 573.
Criminal convictions are archived and stored only by the competent public prosecutor, until the 80^th year of the convicted person. There are strict provisions of confidentiality and access controls. There is a provision of remedy / challenging procedure of the registry, as well as a provision of an updating procedure every six months.

In addition, while the provision of article 10 GDPR is providing authorization to the national legislator to take the necessary measures for the provision of adequate guarantees for the processing of personal data relating to criminal convictions and offenses, the Greek law did not introduce such a provision. According to the Greek DPA’s opinion on this law, “it becomes rather impossible to implement the provision of Article 10 of the GDPR” in Greece.

• In general, most of the laws examined above, impose a limitation to what is “strictly necessary”
• Objective criteria are used in some cases to determine which personal data of individuals are stored, such as the conviction of the data subject and the nature of the offence.
• All the legislation examined requires a relationship between the data which must be retained and a threat to public security.
• In general, the national legislation restricts the data retention in relation to data pertaining to a particular time period and a group of persons likely to be involved, in one way or another, in a serious crime. Time limits though, are rather extremely long. The national legislation provides for an exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers). In L. 4624/2019 that implements the LED, a distinction is made between different categories of data (such as (a) persons for whom there are good reasons to are believed to have committed a criminal offense; (b) persons for whom there are good reasons to are believed to be committing a criminal offense; (c) persons convicted of a criminal offense· (d) victims of a criminal offense or persons for which certain facts create the belief that they may be victims of offense; and (e) other persons, such as witnesses, informants or liaisons or associates of persons referred to in cases a to d), but without any provision for vulnerable groups, such as e.g. children, and without affecting the data protection principles (e.g. retention in different files, effect on retention time, destruction under different conditions, etc.).
• As regards to p.d. 75/2020 on police surveillance systems in public spaces: the p.d. provides that any surveillance system should monitor only the areas that are predefined, that zoom features and voice recordings should not in general be used (unless under specific circumstances such as when there are no other means to investigate a crime) and only when a public prosecutor has allowed the use of such means in a specific case. It also provides for short time retention periods (mostly up to 15 days). There are though some provisions for further storing of the data collected “when there are justified suspicions on the data subject of the preparation or the future commission of criminal offenses referred in par. 1”. The justified suspicions of preparation or future commission of the above criminal offenses can be extracted through testimonies or any kind of relevant information, from the movements and contacts of the individual, as well as from the nature, severity and number of crimes for which the data subject has been previously convicted or prosecuted. For data retention in this case the controller must issue a reasoned decision, which is subject to periodic revaluation every two years.

• In general, most of the examined penal legislation provides for overseeing procedures from the public prosecutor. In Greece, the public prosecutor is equally a judge. There are though cases where there is a provision of internal auditing (regarding the fingerprints registry). The later provides of no sufficient impartiality and independence, as the police auditors are directly subject to their minister. The oversight must -according the law- take place both regularly and irregularly (without previous notice).
• L. 4624/2019 that implemented EU Directive 2016/680 and measures implementing the GDPR, excludes all courts of the Hellenic DPA competence but with a different language than the LED and the GDPR uses. This raises uncertainties as to when and if the DPA is competent to perform its tasks over courts, even when not acting in their judicial capacity. No internal auditing body is provided for either. In addition, art. 10 p.5 of the law, excludes all “classified” information from the DPA’ s competence, leaving out of control secret services’ activities.
• P.D. 75/2020 The responsibility for monitoring compliance with personal data legislation lies with the data protection authority.

• 4624/2019 that implements EU Directive 2016/680 provides for the possibility for an individual to pursue legal remedies to have access to personal data relating to him or her, and to obtain the rectification or erasure of such data. Though, as the Greek DPA has stated, no provision has been taken for the rights of minors but also in any appropriate and effective measures or criteria for compliance of the controller and the processor with its provisions which must include specific guarantees for personal data concerning vulnerable persons, such as children
• The individual should address the competent authority who is the controller of his/her data or the court. The Greek Police has recently appointed a DPO, whose name and contact details have been published. (The Greek law L.4624/2019 implementing the LED, gives Greek national authorities the option not to publish the contact details of their data protection officer nor to communicate these details to the Greek supervisory authority).
• The court can have access to all relevant information.
• P.D. 75/2020 on police surveillance through video devices in public spaces provides that the decision on the installation and operation of police surveillance systems in public spaces can be challenged before the Greek State Council. The data subject can also lodge a complaint with the local data protection authority, but only if the controller refuses, or delays more than 30 days, to reply to a data subject access request. There is another limitation on the data subject access right, though. Art. 9 provides that the victim and the defendant can apply for access to the data only if they prove that this access is necessary for the establishment, exercise or defence of legal claims.

The main legislation in Hong Kong is Interception of Communications and Surveillance Ordinance (Cap. 589, Laws of Hong Kong) (ICSO).

The nature of the offences which may give rise to an interception or surveillance order:

• An interception or covert surveillance order may be granted for the purposes of preventing or detecting serious crime, or protecting public security.
• In relation to an interception order, serious crime means an offense punishable by a maximum penalty that is or includes a term of imprisonment of not less than 7 years. In relation to a covert surveillance order, serious crime means an offense punishable by a maximum penalty that is or includes (i) a term of imprisonment of not less than 3 years; or (ii) a fine of not less than HK $1,000,000.

A definition of the categories of people that might be subject to surveillance:

• Any person reasonably suspected to have been, is, or is likely to be, involved in the particular serious crime to be prevented or detected.
• Any person reasonably suspected to have been, is, or is likely to be, involved in any activity which constitutes or would constitute the particular threat to public security.

A limit on the duration of the measure:

• Judge’s authorisation: An officer of a department may apply to a panel judge for the issue of the judge’s authorisation for any interception or Type 1 surveillance[i] to be carried out by or on behalf of any of the officers of the department. The judge’s authorisation is not to be longer than the period of 3 months beginning with the time when it takes effect. The judge’s authorisation may be renewed more than once, and each renewal may not to be longer than 3 months from when it takes effect.
  
  
• Executive authorisation: An officer of a department may apply to an authorizing officer of the department for the issue of an executive authorization for any Type 2 surveillance[ii] to be carried out by or on behalf of any of the officers of the department. The executive authorization is not to be longer than 3 months from when it takes effect. The executive authorization may be renewed more than once, and each renewal may not more than 3 months from which it takes effect.
  
  
• Emergency authorisation: An officer of a department may apply to the head of the department for the issue of an emergency authorisation for any interception or Type 1 surveillance to be carried out by or on behalf of any of the officers of the department, if he considers that there is immediate need for the interception or Type 1 surveillance to be carried out by reason of an imminent risk of—
  
  (i) death or serious bodily harm of any person;
  (ii) substantial damage to property;
  (iii) serious threat to public security; or
  (iv) loss of vital evidence; and
  
  having regard to all the circumstances of the case, it is not reasonably practicable to apply for the issue of the judge’s authorization for the interception or Type 1 surveillance. Emergency authorisation is only effective for 48 hours beginning with the time when it is issued and cannot be renewed. 

The procedure to be followed for examining, using and storing the data obtained; The precautions to be taken when communicating the data to other parties; Whether the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued:

• The head of department is required to make arrangements to ensure that any interception or surveillance product obtained is safeguarded, and all practicable steps are taken to ensure that the product is protected against unauthorized or accidental access, processing, erasure or other use.
  
  
• The following should be limited to the minimum that is necessary for the relevant purpose of the authorisation:
  
  (i) the extent to which the interception or surveillance product is disclosed;
  (ii) the number of persons to whom any of the interception or surveillance product is disclosed;
  (iii) the extent to which the interception or surveillance product is copied; and
  (iv) the number of copies made of any of the interception or surveillance product.
  
  
• The interception or surveillance product should be destroyed as soon as its retention is not necessary for the relevant purpose of the authorisation, unless the product is required to be produced to the Commissioner on Interception of Communications and Surveillance.

The circumstances and substantive and procedural conditions relating to the access of the competent authorities:

• As regards circumstances and substantive conditions, the conditions for issuing or renewing of authorization for interception or covert surveillance orders are that:
  • the purpose sought to be furthered by carrying out the interception or covert surveillance concerned is that of preventing or detecting serious crime, or protecting public security;
    
    
  • there is reasonable suspicion that any person has been, is, or is likely to be, involved in the particular serious crime to be prevented or detected; or any activity which constitutes or would constitute the particular threat to public security; and
    
    
  • the interception or covert surveillance is necessary for, and proportionate to, the purpose sought to be furthered by carrying it out, upon—
    (i) balancing the relevant factors against the intrusiveness of the interception or covert surveillance on any person who is to be the subject of or may be affected by the interception or covert surveillance;
    (ii) considering whether the purpose sought to be furthered by carrying out the interception or covert surveillance can reasonably be furthered by other less intrusive means; and
    (iii) considering such other matters that are relevant in the circumstances.

“Relevant factors” mean —

• the immediacy and gravity of the particular serious crime to be prevented or detected, or the particular threat to public security; and
  
  
• the likely value and relevance, in relation to the purpose sought to be furthered by carrying out the interception or covert surveillance, of the information likely to be obtained by carrying it out.

• As regards procedural conditions:
  • The panel judge shall not issue or renew the judge’s authorization for interception or Type 1 surveillance unless the judge is satisfied that the above circumstances and substantive conditions are met. The application or issue or renewal is to be made in writing. The application should be supported by an affidavit of the applicant, setting out details of the proposed duration of the order, the identity of person subject to the order, the grounds for reasonable suspicion against the person, particulars of premises for the order, benefits likely to be obtained by the order and an assessment of impact on any person other than the subject, reason why surveillance or interception cannot be furthered by other less intrusive means.
    
    
  • The authorising officer shall not issue or renew the executive authorization for Type 2 surveillance unless the officer is satisfied that the above circumstances and substantive conditions are met. The application should be in writing and the applicant must provide a statement in writing setting out the above details (e.g. proposed duration of the order).
    
    
  • The head of department shall not issue the emergency authorization for interception or Type 1 surveillance unless the head is satisfied that the above circumstances and substantive conditions are met. The application should be in writing and the applicant must provide a statement in writing setting out the above details (e.g. proposed duration of the order).

__________

[i] “Type 1 surveillance” means any covert surveillance other than Type 2 surveillance.

[ii] “Type 2 surveillance” means any covert surveillance that—

1. is carried out with the use of a listening device or an optical surveillance device by any person for the purpose of listening to, monitoring or recording words spoken or activity carried out by any other person, if the person using the device—
   (i) is a person by whom the other person intends, or should reasonably expect, the words or activity to be heard or seen; or
   (ii) listens to, monitors or records the words or activity with the consent, express or implied, of a person described in subparagraph (i); or
   
   
2. is carried out with the use of an optical surveillance device or a tracking device, if the use of the device does not involve—
   (i) entry onto any premises without permission; or
   (ii) interference with the interior of any conveyance or object, or electronic interference with the device, without permission.

• Under the ICSO, it is noted that any interception or Type 1/Type 2 surveillance may only be carried out with prescribed authorisation, subject to the above substantive and procedural conditions above. Applicants need to adhere to strict procedures when making an application, and must demonstrate reasonable grounds of suspicion for preventing or detecting serious crime or that there is threat to public security, why the same purpose cannot be achieved by less intrusive means, the specific premises or person proposed to be subject to the order.
  
  
• There is a limit in duration for each authorisation, whilst any renewal is subject to scrutiny of whether certain specific substantive conditions are met.
  
  
• Each prescribed authorization is issued with specific terms and conditions which may vary case by case. There is authorisation of (i) specific address/premises; (ii) person specified for the order. However, the applicant could be given broad authorisation for (a) the installation, use and maintenance of any devices required to be used in order to intercept any of the communications authorized to be intercepted under the prescribed authorization; and (b) the incidental interception of any communication which necessarily arises from the interception of communications authorized to be carried out under the prescribed authorization.
  
  
• Protected surveillance or interception product is generally required to be destroyed once the retention purposes expired. Once the product is obtained, the departments are obliged to put in place safegaurds to limit the extent to which it is disclosed, number of copies made, extent to which it is copied, number of persons to whom the product is disclosed.
  
  
• If the officer of a department discovers that there is any material inaccuracy to the information provided in the application for issue/renewal of authorisation or there is a material change in circumstances since the application for issue/renewal of the authorisation, the officer must report to the relevant authority granting the authorisation. If the relevant authority considers that the substantive conditions are no longer met, then it should revoke the authorization.
  
  
• Surveilance or interception may be restricted if a person who is the subject of the subject of the interception or covert surveillance has been arrested. The officer shall, as soon as reasonably practicable after he becomes aware of the matter, provide to the relevant authority by whom the prescribed authorization has been issued or renewed a report assessing the effect of the arrest on the likelihood that any information which may be subject to legal professional privilege will be obtained by continuing the interception or covert surveillance. Depending on the circumstances, the relevant authority may revoke or vary or specify new terms and conditions for the authorization.
  
  
• There is an exception provided for persons under obligation of professional secrecy, i.e. lawyers. Unless exceptional circumstances exist, a prescribed authorisation may not authorise the interception of communications in the office or other relevant premises, or a residence, of a lawyer; or any telecommunications service used at an office or other relevant premises, or a residence, of a lawyer, or any telecommunications service known or reasonably expected to be known by the applicant to be ordinarily used by a lawyer for the purpose of providing legal advice to clients. No covert surveillance may be carried out in respect of oral or written communications taking place at an office or other relevant premises, or a residence, of a lawyer. Exceptional circumstances exist if the relevant authority is satisfied that there are reasonable grounds to believe that the lawyer is a party to any activity which constitutes or would constitute a serious crime or a threat to public security; or any of the communications concerned is for the furtherance of a criminal purpose.
  
  
• Any information that is subject to legal professional privilege is to be remain privileged even if it is obtained by prescribed authorization.

• As noted above, there is different relevant authority depending on which kinds of authorisation is sought for the interception or Type 1 or 2 surveillance. The relevant authority is required to consider a same set of substantive conditions before issuing or renewing the authorisation. This ensures the consistency of standards of approval.
  
  
• The Commissioner on Interception of Communications and Surveillance is an independent oversight authority, appointed by the Chief Executive on the recommendation of the Chief Justice[iii]. He is responsible for overseeing the compliance by departments and their officers with the relevant requirements under the ICSO. The ICSO stipulates that the Commissioner, in performing his functions under the ISCO, is not to be regarded as court.
  
  
• The Commissioner shall, for each report period (12 months), submit a report to the Chief Executive. The report should set out, e.g. the numbers of authorisations granted, the major categories of offences for the investigation of which prescribed authorizations have been issued or renewed during the report period, the number of persons arrested during the report period as a result of or further to any interception or covert surveillance, summary of reviews conducted by the Commissioner, the number and broad nature of any cases of irregularities or errors identified in the reviews during the report period, an assessment on the overall compliance with the relevant requirements during the report period, etc.
  
  
• The Commissioner may, in the course of performing any of his functions, makes recommendations to the head of departments to change any arrangements of the departments to better carry out the objects of the ICSO. The head of departments shall submit to the Commissioner a report with details of any measures taken by the department (including any disciplinary action taken in respect of any officer) to implement the recommendations, as soon as reasonably practicable after the recommendations have been made or within the period prescribed by the Commissioner.
  
  
• Apart from the Commissioner, there is also general obligations on the departments to report on non-compliance. Where the head of any department considers that there may have been any case of failure by the department or any of its officers to comply with any relevant requirement, he shall submit to the Commissioner a report with details of the case (including any disciplinary action taken in respect of any officer). If the head of any department considers that there may have been a failure to comply with a relevant requirement in a case handled by the department; but the failure is not due to the fault of the department or any of its officers, the head must also submit to the Commissioner a report with details of the failure. 

__________

[iii] https://www.sciocs.gov.hk/en/ordinance.htm

• There appears to be no specific remedies for individuals to have access to personal data relating to him or her or to obtain rectification or erasure of such data under the ICSO. However, as noted above, if the officer of a department discovers that there is any material inaccuracy to the information provided in the application for issue/renewal of authorisation or there is a material change in circumstances since the application for issue/renewal of the authorisation, the officer must report to the relevant authority granting the authorisation. If the relevant authority considers that the substantive conditions are no longer met, then it should revoke the authorization.
  
  
• The legal remedies for individuals under the ICSO mainly concerns unauthorised surveillance or interception.
  
  
• If an individual suspects that (a) that any communication transmitted to or by him has been intercepted by an officer of a department; or (b) that he is the subject of any covert surveillance that has been carried out by an officer of a department, he may apply in writing to the Commissioner for an examination. If, on an examination, the Commissioner, determines that the interception or covert surveillance alleged has been carried out by an officer of a department without the authority of a prescribed authorization, the Commissioner shall as soon as reasonably practicable give notice to the applicant:
  
  (a) stating that he has found the case in the applicant’s favour and indicating whether the case is one of interception or covert surveillance, the date on which the interception or covert surveillance began and the duration of the interception or covert surveillance; and
  
  (b) inviting the applicant to confirm whether the applicant wishes to seek an order for the payment of compensation under the application, and if so, to make written submissions to him for that purpose.
  
  The compensation ordered to be paid to the applicant may include compensation for injury to feelings.
  
  
• The Commissioner has broad powers to obtain information under the ICSO. He may —
  (a) require any public officer or any other person to answer any question, and to provide any information, document or other matter (including any protected product, whether or not it contains any information that is or may be subject to legal professional privilege) in his possession or control to the Commissioner, within the time and in the manner specified by the Commissioner when making the requirement; and
  
  (b) require any officer of a department to prepare any report on any case of interception or covert surveillance handled by the department, or on any class of such cases, within the time and in the manner specified by the Commissioner when making the requirement.
  
  
• However, it should be noted that for the purposes of an examination, the applicant is not entitled to have access to any information, document or other matter (including any protected surveilance or interception product, whether or not it contains any information that is or may be subject to legal professional privilege) compiled by, or made available to, the Commissioner in connection with the examination.
  
  
• After the examination, the Commissioner shall notify the head of the department concerned of the determination, including any order or findings he has made in the examination. Upon receipt of the notification, the head of the department shall submit to the Commissioner a report with details of any measures taken by the department (including any disciplinary action taken in respect of any officer) to address any issues arising from the determination, as soon as reasonably practicable after the notification or, within the period prescribed by the Commissioner. The Commissioner may, before or after the head of the department has submitted a report to him, refer the determination and any other matters he thinks fit to the Chief Executive, the Secretary for Justice or any panel judge or any or all of them

• For full text of Interception of Communications and Surveillance Ordinance (Cap. 589), please see: https://www.elegislation.gov.hk/hk/cap589!en
   
• The Secretary for Security has issued a Code of Practice (issued in 2016) to provide practical guidance to officers of the law enforcement agencies in respect of matters provided for in ICSO. Please see: https://www.sb.gov.hk/eng/special/sciocs/2016/ICSO%20CoP%20-%20June%202016%20(E).pdf
   
• Under Article 43(6) of The Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region promulgated on 30 June 2020, the Police Force of Hong Kong, when investigating serious crimes in relation to cases concerning offence endangering national security, may apply for interception of communications and conducting covert surveillance.
  
  
• Article 43(6) of the National Security Law stipulates that (English translation obtained from XINHUANET at http://www.xinhuanet.com/english/2020-07/01/c_139178753.htm):
  
  “Article 43  When handling cases concerning offence endangering national security, the department for safeguarding national security of the Police Force of the Hong Kong Special Administrative Region may take measures that law enforcement authorities, including the Hong Kong Police Force, are allowed to apply under the laws in force in the Hong Kong Special Administrative Region in investigating serious crimes, and may also take the following measures:
  
  …
  
  (6) upon approval of the Chief Executive, carrying out interception of communications and conducting covert surveillance on a person who is suspected, on reasonable grounds, of having involved in the commission of an offence endangering national security...
  
  According to Schedule 6 to the Implementation Rules for Art. 43, a police officer responsible for enforcing the National Security Law may apply for the prescribed authorization for conducting interception or covert surviellance. The conditions for the authorisation are that the purposes for authorisation should be for preventing or detecting offences endangering national security or protecting national security, there should be reasonable suspicion that any person has been, is or is likely to be involved in offences or activities endangering national security. The interception or covert surveillance should be necessary to, and proportionate to the purposes sought. The police force is required to submit a written application to Hong Kong’s Chief Executive/a directorate officer authorised by the Chief Executive for approval. There is specified duration for the authorisation, provisions for safegaurds against interception or surveillance products, and exception is provided for legal professional privilege product.
  
  Schedule 6 to the Implementation Rules for Art. 43 appears to be modelled on the ICSO.
  
  For full text of the Implementation Rules, please see: https://www.gld.gov.hk/egazette/pdf/20202449e/es220202449139.pdf

Ms. Tripti Dhar, Partner – Reina Legal

• B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
• Admitted to practice in India; enrolled with the Delhi Bar Council
• Certified CIPP/E
• Member of International Association of Privacy Professionals (IAPP)
• DSCI Certified Privacy Professional (DCPP)
• Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India

• The nature of the offences which may give rise to an interception or surveillance order;

Section 69 of the Information Technology Act, 2000 confers power on the central government or the state government to issue direction for interception, monitoring or decryption of any information through any computer resource to protect sovereignty or integrity of India, defence of India security of state, friendly relations with foreign states, or public order or preventing incitement to commission of any cognizable offence or for investigation of any offence.

• A definition of the categories of people that might be subject to surveillance;

The existing laws in the region are silent on this subject.

• A limit on the duration of the measure;

Rule 11 of  Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 prescribes maximum time of interception as 60 days and on renewal not to exceed 180 days

• The procedure to be followed for examining, using and storing the data obtained;

Rule 3 of  Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 prescribes that such interception requires prior approval from the competent authority i.e. Secretary in Ministry of Home Affairs, in case of Central Government and Secretary in charge of Home department in case of State Government (except. in emergency cases where separate procedure is provided).

• The precautions to be taken when communicating the data to other parties;

Rule 20 of  Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 prescribes that the The intermediary or person in-charge of computer resources shall put in place adequate and effective internal checks to ensure the unauthorised interception of information does not take place and extreme secrecy is maintained and utmost care and precaution shall be taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary and no other person of the intermediary or person in-charge of computer resources shall have access to such intercepted or monitored or decrypted information.

• The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

Rule 6 of the said rules provides for Interception or monitoring or decryption of information by a State beyond its jurisdiction Rule 21 of the said rules places the obligation on intermediaries to ensure their employees maintain secrecy and confidentiality of intercepted communications and Rule 25 prohibits its disclosure except to the officer of authorized agency who" can use such information only for specified uses pursuant to direction of competent authority. Rule 23 prescribes destruction of intercepted communications after these are not required for law enforcement purposes.

• The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.

Similarly, the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 were passed for governing activities of monitoring and collection of traffic data. Rule 3 of the said rules mandate prior permission of competent authority i.e. Secretary to the Government of India in Department of Information Technology under Ministry of Communications and Information Technology to conduct monitoring or collection of traffic data for cyber security reasons, inter alia, forecasting of imminent cyber incidents, tracking of persons and computer resource breaching cyber security. Competent authority can authorize any agency for the said purposes. In order to prevent unauthorized monitoring and maintenance of secrecy of information collected intermediaries are made liable for their employees by Rules 5, 6 and 11 of the said rules.

The Retd. Justice K S Puttaswamy Case (2017 SCC OnLine SC 996) established the ‘proportionality and legitimacy’ test – which is a four-fold test that needs to be fulfilled before state intervention in the right to privacy:

• The state action must be sanctioned by law.
• In a democratic society there must be a legitimate aim for action.
• Action must be proportionate to the need for such interference.

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?
• What objective criteria are used to determine which personal data of individuals are stored?
• Does national legislation require any relationship between the data which must be retained and a threat to public security?
• Does national legislation restrict the data retention in relation to …?
  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?
• Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

• Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?]

Competent Authorities: Under Rule 2(d) of Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 the Secretary in the Ministry of Home Affairs, in case of the Central Government; or the Secretary in charge of the Home Department, in case of a State Government or Union territory, as the case may be;

Any officer not below the rank of Joint Secretary to the Government of India, who has been authorised by the Union Home Secretary or the State Home Secretary in this behalf, may authorize the interception of communications in case of an emergency. 

• Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
• Who should the individual address (see, Guarantee C)?
• Does the court/control committee have access to all relevant information, including closed materials?]

There is no legislation in place however the Personal Data Protection Bill, 2019 provides for correction, completion, updating and erasure of personal data and also envisages to establish regulating authority. The bill is yet to come into effect.

Japanese rule reflects the OECD guideline. It incorporates the concepts included in the OECD guidelines such as collection limitation and purpose specification.

The personal information protecting rules for administrative organs is specified in the “Act on the Protection of Personal Information Held by Administrative Organs” (“APPI-AO”), and for incorporated administrative agencies is specified in the “Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc.” (“APPI-IAA”).

Both administrative organs and incorporated administrative agencies must follow the rules below to the extend necessary for conducting processes under its jurisdiction provided by laws and regulations. The rules include:

• Restriction on the Retention of Personal Information;
• Clear Indication of the Purpose of Use;
• Maintaining Accuracy;
• Security Measures; and
• Restriction of Use and Provision of Personal Information.

Regarding the criteria given in the Art. 29 Working Party's Working Paper 237, you cannot find any information in those Acts since these rules relating to handling personal information focuses on general topics and do not pick up the surveillance specifically.

As mentioned in the “Guarantee A”, rules for governmental organizations includes OECD guideline principles clearly.

• Restriction on the Retention of Personal Information (Art. 3 APPI-AO, Art. 3 APPI-IAA)
  • may retain Personal Information only when retaining the information is necessary for conducting processes under its jurisdiction provided by laws and regulations, and must specify the purpose of use of Personal Information as much as possible when retaining this information
  • must not retain Personal Information beyond the extent necessary for the purpose of use specified

No independent organization supervises governmental organizations in Japan. Responsible minister manages administrative organs and incorporated administrative agencies.

The Minister of Internal Affairs and Communications may collect reports on the status of enforcement of “Act on the Protection of Personal Information Held by Administrative Organs” from the heads of Administrative Organs.

The Japanese APPI applies to private organizations. Since the PPC is defined in the APPI, the power of the PPC is also restricted to private organizations. (See Art. 2 (5) APPI and Art. 61 APPI) The only exception when the PPC may monitor governmental organizations is when governmental organizations handle “Anonymized Personal Information”, which is pseudonymized governmental data.

Ms. Tripti Dhar, Partner – Reina Legal

• B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
• Admitted to practice in India; enrolled with the Delhi Bar Council
• Certified CIPP/E
• Member of International Association of Privacy Professionals (IAPP)
• DSCI Certified Privacy Professional (DCPP)
• Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India

• The nature of the offences which may give rise to an interception or surveillance order;

According to Article 1 of Law No. 61 of 2015 each camera and security surveillance device is used to capture, transfer, and record the image, in order to monitor and observe the security situation.

• A definition of the categories of people that might be subject to surveillance;

The existing laws in the region are silent on this subject.

• A limit on the duration of the measure;

Article 5 of Law No. 61 of 2015 prescribes a period to keep to recordings of the survelliance for a period of 120 days and shall destroy the recordings immediately after the expiry of that period.

• The procedure to be followed for examining, using and storing the data obtained;

The existing laws in the region are silent on this subject.

• The precautions to be taken when communicating the data to other parties; and the circumstances and substantive and procedural conditions relating to the access of the competent authorities.

Article 6 of Law No. 61 of 2015 prohibits the extradition or transfer, store, send or publish any of the recordings referred to, except with the written consent of the competent point of the investigation or the competent court.

• The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

The existing laws in the region are silent on this subject.

• What objective criteria are used to determine which personal data of individuals are stored?

Article 3 of Law No. 61 of 2015

Prescribed by the minister of technical specifications for the cameras and surveillance equipment and security according to what is locally and internationally certified, and identifies the competent authority places and points status and number in the facilities.

• Does national legislation require any relationship between the data which must be retained and a threat to public security?
• Does national legislation restrict the data retention in relation to …?
  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (e., witnesses)?

Article 9 of Law No. 61 of 2015

Prohibiting the installation of cameras and security surveillance in the stomach places to live or to sleep or physical therapy rooms or dressing and restrooms, health institutes and women's salons women or any positions contrary to put cameras where with personal privacy and shows in the Regulations rooms, may be a decision of the Minister to add other possibility

• Does national legislation provide for any exception for persons under an obligation of professional secrecy (g., doctors, judges, public prosecutors, lawyers)?]

Article 6 of Law No. 61 of 2015

• “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

According to Article 1 of Law No. 61 of 2015, the competent authority is the designation specified by the Minister of Interior.

• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

Article 7 of Law No. 61 of 2015

Owners of facilities and those responsible for managing maintenance of cameras and security surveillance and updated periodically and continuously, to ensure a good performance for its purposes, and the continuity of compliance with the technical specifications.

Article 8 of Law No. 61 of 2015

The employees who are appointed by the competent minister to adjust the violations set forth in this law, the status of law enforcement officers, and to them in order to fulfill their entry facilities and inspect and adjust the material irregularities and the subject of the offense and the liberalization of the necessary records and forwarded to the relevant point of the investigation.

Article 10 of Law No. 61 of 2015

In terms of the investigation or the court may consider registrations made by surveillance cameras and security devices, as a guide.

• Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
• Who should the individual address (see, Guarantee C)?
• Does the court/control committee have access to all relevant information, including closed materials?

According to Article 36 of Law No. 20 of 2014, 

I would refer to four pieces of legislation in Mauritius to elaborate on the nature of offences which may give rise to a surveillance or interception order:

• The Information and Communication Technologies Act 2001 (“ICTA”) provides for the following in Section 32:
• A public operator - that is, a person licensed under the ICTA, who owns or operates a public information and communication network, or who offers an information or communication service to the public - may intercept or withhold any message passing over the network, if the operator has reason to believe the message will fall under any three of the below categories:
• The message is indecent or abusive.
• The message is in any way in contravention of the ICTA.
• The message is of a nature likely to endanger or compromise State's defence, or public safety or public order.
• The operator withholding the message is then bound by the ICTA to refer the message to the Information and Communication Technologies Authority (“ICT Authority”).
• The Police or the Independent Commission Against Corruption (“ICAC”) may apply to a Judge in Chambers for an order authorising a public operator to intercept, withhold, or disclose the message to the Police or the ICAC. Such an order would only be made by the Judge where the latter is satisfied that the data is material to any criminal proceedings in Mauritius.

Link to the ICTA: https://www.icta.mu/docs/laws/ict_act.pdf

• The Computer Misuse and Cybercrime Act 2003 allows for real time collection of traffic data transmitted over an information and communications network by an investigatory authority under Section 15. This would be permissible only when a Judge in Chambers would issue such an order, further to application by the authority, where the latter has reasonable grounds to believe that any data would be relevant for the purposes of investigation and prosecution of an offence under this act.

Link to act: http://www.ncb.mu/English/Documents/Legislations/COMPUTER_MISUSE.pdf

• The Constitution of Mauritius, which is the supreme law of Mauritius, guarantees protection of fundamental rights and freedoms of the individual, for instance, protection for privacy of home and other property, as well as protection of freedom of expression. There was an issue regarding phone tapping being practised in Mauritius, which was raised by an opposition Member of Parliament [source: a local news article published in 2016, https://defimedia.info/phone-tapping-are-you-being-listened]. Reference was made in the debate to the aforesaid provisions of the ICTA, under which such a practice could only be permitted by a Judge’s order, and to exceptions under Section 12 of our Constitution which provides that freedom of expression could be curbed, inter alia:
• In the interests of defence, public safety, public order, public morality or public health; or
• For the purpose of protecting the reputations, rights and freedoms of other persons; or
• For the imposition of restrictions upon public officers.

Link to the Constitution: http://mauritiusassembly.govmu.org/English/constitution/Pages/constitution2016.pdf

• The Data Protection Act 2017 (“DPA”), enacted with the aim of uplifting and aligning local data protection laws with international best practices and the GDPR, tries to strike a balance between concerns of the Government and fundamental rights of individuals, mostly privacy rights. Section 44 of the DPA allows for exceptions to the act for:
• The protection of national security, defence or public security.
• The prevention, investigation, detection or prosecution of an offence.
• An objective of general public interest, including an economic or financial interest of the state.
• The protection of judicial independence and judicial proceedings.
• The protection of a data subject or the rights and freedoms of others.
• The issue of any licence, permit or authorisation during the COVID-19 period. (This sub-part was added in May 2020, via the COVID-19 Bill, to reflect measures taken by the Government during the lockdown period, for instance, allowing only those employees who possess a Work Access Permit to access their work premises. These permits were to be authorised by the Monitoring Committee – COVID 19, set up by Government.)

Section 44 of the DPA goes even further and exempts processing of personal data from all provisions of the DPA where, in the opinion of the Prime Minister of Mauritius (“PM”), same would be required for the purpose of safeguarding national security, defence or public security. In such a case, a certificate under the hand of the PM would be needed to constitute conclusive evidence of such an exemption.

Link to the DPA: http://dataprotection.govmu.org/English/Legislation/Pages/Data-Protection-Act-2017-.aspx

It can only be inferred that the categories of people that might be subject to surveillance are those who are suspected of being in contravention with the laws, or who are parties to criminal proceedings. However, it can also be inferred that anyone from the general public of Mauritius could be subject to surveillance if it concerns protection of national security, defence or public security. This is currently the case with the Safe City Project of the actual Government, whereby some 4000 video surveillance cameras, equipped with facial recognition, have been installed in public areas for the prevention of crime, and to aid in identifying and retracing criminals. Another example is the Online Content Filtering system put in place by the ICT Authority which filters attempts to access Child Sexual Abuse (“CSA”) sites by Mauritian Users and blocks those websites since year 2011 to date.

While the Safe City Project and the CSA filtering are here to stay, other cases of surveillance and inception orders would last once the investigation is complete and/ or the person is prosecuted for the offence committed. The ICTA specifies that an order of the Judge shall remain valid for a period not exceeding 60 days.

The legislative framework of Mauritius does bind collection, processing or storage of personal data with respect to interception or surveillance by the Government or Government Bodies to what is strictly necessary by specifying and limiting the scenarios in which these can be done. The main reasons are, as listed in detail above, for the protection of national security, defence or public security and for the purposes of investigation, prosecution or prevention of offences. As regards to what personal data may be stored, this would be subject to the reasons for which such surveillance or interception order is required; for example, an interception or preservation order falling under the ambit of part III the Cybercrime Act would include storage of traffic data and subscriber information, while interception under Section 32 of the ICTA only finds the latter describing the message which should be collected and stored, irrespective of what personal data the message could carry, as long as the message can reasonably be termed as indecent, abusive or likely to endanger public order and safety, amongst other reasons listed above. However, since legislative provisions do go hand in hand with one another, the principles relating to processing personal data, inter alia, to only collect data for legitimate purposes and to only collect data which is adequate, relevant and necessary for the purposes of processing, as listed in Section 21 of the DPA, should normally be followed while proceeding as per what other Mauritian laws lay down.

Concerning the Safe City Project, the question of data retention was raised by the then Leader of the Opposition as to how long the data captured would be stored. The vague response provided by the Government was “…for a reasonable time, depending on the circumstances.” We would most certainly require further precise information on this, either via the aforementioned Code of Practice to be issued, or via another specific law to be passed for this project, as requested by the Data Protection Commissioner to the Government. It is to be noted nonetheless that the DPA, in its Section 21(e) provides that data should not be stored for any longer than necessary for the purposes for which the data was processed. The ICTA talks more specifically about data which has been collected for the purposes of criminal investigations in its Section 17 and thereby does not allow for data to be used for any other purpose other than that for which it was originally sought unless the Court or a Judge ordered otherwise, or it has become necessary to do so in the public interest, or for the further prevention of offences and losses.

Under both the ICTA and the Cybercrime Act, the independent oversight mechanism rests on entrusting control to a judge at the first stage of surveillance, i.e. real time interception and collection of data may only be done by order of a Judge in Chambers, after the latter is satisfied that such an action is necessary for the investigation or prosecution of an offence. I would also highlight that the independence of the Mauritian legal system lies in the doctrine of separation of powers, upon which our constitution is based, where the Judiciary is separate and independent from two other organs of the State, which are the Executive and the Legislature.

Sections 37 and 38 of the DPA list down the rights of data subjects, namely, the right of access and the right of rectification, erasure or restriction of processing. In the event, these rights are not respected, data subjects have a possibility to lodge a complaint with the Data Protection Commissioner. The latter is empowered under Section 6 of the DPA to:

• investigate the complaint,
• conduct a hearing,
• make orders for the person involved to produce materials relevant for the investigation, and
• make a decision relative to an amicable resolution by the parties concerned.

The nature of the offences which may give rise to an interception or surveillance order:

A definition of the categories of people that might be subject to surveillance:

A limit on the duration of the measure:

Section 14 of the Lawful Interception of Communications Regulations, 2019 provides that a warrant to intercept communication shall be granted for an initial period of 3 months, a lesser period or renewed for a maximum period of 3 month or a lesser period.

Section 6 of the Lawful Interception of Communication Regulation provides that intercepted communication shall only be stored for the duration of the investigation, and should be destroyed upon completion. The provision of the Regulation did not specify a timeline, but grants the Nigerian Communication Commission and law enforcement agencies the information from telecommunication companies. Further, Section 29(3) of the Terrorism Prevention Act, 2013 provides that an order made under the Section “shall specify the maximum period for which a communications service provider may be required to retain communications data”. Section 6(3) of the Lawful Interception of Communications Regulation provides that intercepted communications “may be” stored for 3 years and destroyed thereafter.

The procedure to be followed for examining, using and storing the data obtained:

The provision of the Regulation did not specify a timeline, but grants the Nigerian Communication Commission and law enforcement agencies the power to request for information from telecommunication companies.

Interception can be by warrant or without a warrant. An exparte application is made to the Judge in compliance with the relevant law. Section 38(4) of the Cybercrimes Act, 2015 provides that information obtained should only be used by the law enforcement agency for only legitimate purpose under the law. Further, Section 38(5) of the Cybercrimes Act prescribes that the law enforcement agency exercising this function should safeguard the confidentiality of  the  data  retained, processed or retrieved  for the purpose of law enforcement“. In addition, Section 6(3) of the Lawful Interception of Communications Regulation provides that intercepted communication shall be stored confidentially for the “purpose of investigation and prosecution in criminal proceedings in accordance with these Regulations“.

Section 18 (1) of the Lawful Interception of Communication Regulation imposes a duty of secrecy on the Agency and officials involved in the interception. The secrecy can only be waived subject to the derogations which are; if it is required for investigations of crime, required as an evidence before a court of law, if any person or any other person “who of necessity requires it in the performance of his or her function under these Regulations“.

The precautions to be taken when communicating the data to other parties:

Section 10(1) (c) of the Lawful; Interception Communications Regulations mandates licensees to provide safeguards for data during transmission. Similarly, Section 38(5) of the Cybercrimes Act prescribed confidentiality duty on law enforcement agencies.

Section 6(c) of the Guidelines for the Provision of Internet Service (the NCC Guidelines) by the Nigerian Communications Commission (NCC) requires internet Service Providers (ISPs) to provide information that may be requested by the Commission or any legal authority with respect to a user or the content of their communication.

The circumstances and substantive and procedural conditions relating to the access of the competent authorities:

Interception can also be carried out in the absence of a warrant. According to Section 12 (4) of the :Lawful Interception of Communication Regulation, an authorised law enforcement Agency may initiate interception without a warrant where there is a risk of immediate danger of death or serious injury to any person, the activities threatens national security, or the activities has a characteristics of organised crime. Section 25 (1) of Terrorism Prevention Amendment Act specifies where there is a verifiable urgency, or a life is threatened, or prevention of crime. In both instances, a warrant must be sought within 48 hours.

The Guidelines above do not provide for any substantive or procedural conditions for access.

Is the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued?

In general, do the national laws impose such a limitation to what is “strictly necessary”?

Section 7(3) of the Lawful Interception Communications Regulation provides that a warrant can only be given for if it is in the interest of National Security, for prevention of crime, for protecting and safeguarding the economic wellbeing of Nigerians, in the interest of public emergency or safety, or giving effect to any international mutual assistance which Nigeria is a party. Similar conditions are found under Section 45 (3) of the Cybercrimes Act.

Further, Section 38(5) of the Cybercrimes Act and Section 2(e) of the Lawful Interception of Communication provides that anyone exercising the function under the law shall have recourse to the safeguard for right to privacy provided in the Nigerian Constitution.

Lastly, Section 37 of the Nigerian Constitution guarantees broadly the right to “privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected“. However, Section 45(1) provides derogations which include the interest of defence, public safety, public order, public morality or public health; or for the purpose of protecting the rights and freedom of other persons.

What objective criteria are used to determine which personal data of individuals are stored?

Section 7(1)(b) of the Lawful Interception Regulation restricts the data to what is disclosed, in the warrant of such intercepted communication.

There are no clear-cut processes or criteria to be observed before personal data of individuals are stored in any of these legislations.

Does national legislation require any relationship between the data which must be retained and a threat to public security?

Public security is one of the conditions allowed for interception of communication.

Does national legislation restrict the data retention in relation to …?

• Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
• Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

The law did not make any clear distinction on the basis highlighted above. Section 29 (4) of the Terrorism Prevention Amendment Act 2013 allows data intercepted outside the country is valid for evidence before the Nigerian Court. Section 6 of the Lawful Interception of Communication Regulation provides a period of 3 years to store data and which it must be destroyed thereafter.

Also, a warrant lawfully sought provides and limits the scope of the power that can be exercised under it. There are no clear systems of transparency that are built into these laws to ensure accountability.

Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

Yes. Section 16 of the Freedom of Information Act provides that a public institution may deny an application for information that is subject to legal practitioner-client privilege, health workers-client privilege, journalism confidentiality privilege and any other professional privilege protected by another Law.

Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

The Cybercrimes Act, the Terrorism Prevention Amendment Act and the Lawful Communications Interception Regulation provides that an application for surveillance should be brought before a Judge.

At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

It is initiated at the first stage. However, surveillance done without warrant still has to be brought under the review of a judge within 48 hours under Section 12(4) of the Lawful Interception of Communication Regulation. Further surveillance done without obtaining the warrant is considered unlawful.

Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?

The Nigeria Data Protection Regulation provides for rights of data subjects. Article 3.1 (1) provides the right to access personal information held about them. Such data should be provided in an intelligible form and within one month of such request. Article 3.1 (11) of the Regulation also provides both right to rectification of data held about a data subject. Similarly, the Regulation contemplates the right to erasure.
Section 9 (6)(a) & (b) of the Credit Reporting Act provides for both right to access and rectification of personal information respectively.

Who should the individual address (see, Guarantee C)?

The National Information Technology Development Agency and the Central Bank of Nigeria. The data subjects also have the right to lodge a complaint before a court of law.

Does the court/control committee have access to all relevant information, including closed materials?

This laws are silent on access to all relevant information. However, Section 29(4) of Terrorism Prevention Amendment Act provides that all materials are considered valid as evidence before the court. Section 17 of the Lawful Interception of Communications Regulation provides that “the use of any information obtained pursuant to these Regulations as evidence in any prosecution, is subject to the consent of the presiding Judge in an application that such evidence be tendered by the party seeking to rely on it“.

To fully understand the extent of surveillance in Nigeria, it can only be appreciated through the Budgetary allocation for the function. Between 2014 – 2017, the country through the three Intelligence Agencies spent a combined sum of N127,987,715,414 ($418,260,507.89) on surveillance equipment and capacity development. This is in addition to the fact that Nigeria does not have a comprehensive and specific primary legislation on data protection.

1. Status of Surveillance in Nigeria: Refocusing the Search Beams. Policy Brief 009. Prepared by Tomiwa Ilori for Paradigm Initiative.
2. Stakeholder Report Universal Periodic Review 31st Session - Nigeria The Right to Privacy in Nigeria.
3. Tightening the Noose on Freedom of Expression 2018 Status of Internet Freedom in Nigeria.
4. Freedom on the net Report, 2018.
5. Constitution of the Federal Republic of Nigeia, 1999.
6. Credit Reporting Act 2017.
7. Terrorism Prevention Amendment Act, 2013.
8. Lawful Interception of Communications Regulations, 2019.
9. Cybercrimes (Orevention and Prohibition) Act, 2015.
10. Freedom of Information Act, 2011.

Lars Vinden - Privacy Lawyer

Yes. The legal basis for intercepting communications is found in the Criminal Procedure Act chapter 16 a section 216 a, whereas the basis for other seizures and surrender orders are given in chapter 16 and chapter 16 b to 16 d. Further rules for lawful intercept is provided in the he Lawful Intercept Regulation. The Police Security Service has additional legal bases for collecting data in the Police Act section 17d.

Yes. Ex ante oversight is conducted by the general courts that authorises surveillance measures (see Criminal Procedure Act chapter 16 to 16 d). Ex post / ex officio oversight is conducted by:

• KK-utvalget, a control committee for the Police’s lawful intercept (see Criminal Procedure Act section 216 h and the Lawful Intercept Regulation chapter 2, and
• EOS-utvalget, a control committee for the Police Security Service and the Intelligence Services (see Act on Control of the Intelligence, Surveillance and Security Services)

Yes. The right to be notified of surveillance measures are provided in the Criminal Procedure Act section 216 j and the Lawful Intercept Regulation chapter 3. Further individuals rights, such as the right to access, rectification or eraser is provided by the Police Register Act chapter 8.

The courts and oversight committees (see Guarantee C above) have full access to information to verify that any surveillance have been conducted in accordance with the law.

Public reports from the oversight committees are available at https://eos-utvalget.no and https://www.kk-utvalget.no/rapporter.473489.no.html (Norwegian only).

Ms. Tripti Dhar, Partner – Reina Legal

• B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
• Admitted to practice in India; enrolled with the Delhi Bar Council
• Certified CIPP/E
• Member of International Association of Privacy Professionals (IAPP)
• DSCI Certified Privacy Professional (DCPP)
• Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India

• The nature of the offences which may give rise to an interception or surveillance order;

According to Article 30 of Royal Decree No. (101/96) Promulgating the Basic Statute of the State, the freedom of correspondence by post, telegraph, telephone conversations, and other means of communication is protected and its confidentiality is guaranteed. It is not permissible to monitor, search, disclose the confidentiality of, delay, or confiscate the same, except in cases specified by the Law and in accordance with the procedures stated therein.

• A definition of the categories of people that might be subject to surveillance;

The existing laws in the region are silent on this subject.

• A limit on the duration of the measure;

The permission specified in Article 90 of the Penal Procedure Law promulgated by Royal Decree 97/1999, as amended (“CPL”) may only be issued by the Public Prosecutor, who would only permit audio or video recording of an individual if there is sufficient evidence of a an offence or misdemeanor punishable by imprisonment for a period exceeding three months. Once granted, the permission is valid for a renewable period not exceeding 30 days, during which the audio or video evidence must be obtained.

• The procedure to be followed for examining, using and storing the data obtained;

The existing laws in the region are silent on this subject.

• The precautions to be taken when communicating the data to other parties; and

The existing laws in the region are silent on this subject.

• The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

The existing laws in the region are silent on this subject.

• The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

The existing laws in the region are silent on this subject.

• What objective criteria are used to determine which personal data of individuals are stored?

The existing laws in the region are silent on this subject.

• Does national legislation require any relationship between the data which must be retained and a threat to public security?
• Does national legislation restrict the data retention in relation to …?
  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?
• Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?]

• “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?]

• Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
• Who should the individual address (see, Guarantee C)?
• Does the court/control committee have access to all relevant information, including closed materials?]

Ms. Tripti Dhar, Partner – Reina Legal

• B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
• Admitted to practice in India; enrolled with the Delhi Bar Council
• Certified CIPP/E
• Member of International Association of Privacy Professionals (IAPP)
• DSCI Certified Privacy Professional (DCPP)
• Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India

• The nature of the offences which may give rise to an interception or surveillance order;

Law No. 9 of 2011 (Law No. 9 of 2011 regulating the use of Security and Surveillance CCTV Camera and devices) mandates that surveillance cameras be installed in residential compounds, hospitals, malls, banks, hotels, warehouses and other locations, and is enforced by the MOI's Security Systems Department (SSD). However, these systems are prohibited in private areas like bedrooms, treatment or patient rooms in hospitals, changing rooms and toilets.

Article 19 of Law No. 3 of 2004 on Combating Terrorism grants the authorities extensive powers to conduct surveillance by any means for 90 days prior to any judicial review and to seize any forms of communication whenever this is useful in “uncovering the truth” regarding “terrorist crimes”.

• A definition of the categories of people that might be subject to surveillance;

The existing laws in the region are silent on this subject.

• A limit on the duration of the measure;

Article 6 of Law No. 9 of 2011, the Facilities shall keep the recordings for a period of one hundred and twenty (120) days, shall not make any adjustments thereto and shall hand them over to the Competent Department upon request. The Competent Department shall destroy the recordings immediately after the end of that period.

• The procedure to be followed for examining, using and storing the data obtained;

The existing laws in the region are silent on this subject.

• The precautions to be taken when communicating the data to other parties; and the circumstances and substantive and procedural conditions relating to the access of the competent authorities.

According to Article 7 of Law No. 9 of 2011, save as with the approval of the Competent Authority, the transfer, save, sending or publishingof any of the recorded data, shall be prohibited.

• The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

The existing laws in the region are silent on this subject.

• What objective criteria are used to determine which personal data of individuals are stored?

Article 6 of Law No. 9 of 2011, the Facilities shall keep the recordings for a period of one hundred and twenty (120) days, shall not make any adjustments thereto and shall hand them over to the Competent Department upon request. The Competent Department shall destroy the recordings immediately after the end of that period.

• Does national legislation require any relationship between the data which must be retained and a threat to public security?

The existing laws in the region are silent on this subject.

• Does national legislation restrict the data retention in relation to …?
  • Data pertaining to a particular time period and/or geographicalarea and/or a group of persons likely to be involved, in one way or another, in a serious crime?
  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

Article 8 of Law No. 9 of 2011

It shall be prohibited to install Surveillance Camera and devices in the bedrooms, physiotherapy rooms, toilets, changing rooms and places dedicated for women

• Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?]

• “Who” is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?
• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

• Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?
• Who should the individual address (see, Guarantee C)?
• Does the court/control committee have access to all relevant information, including closed materials?

Ivan Milosevic, Partner JPM Jankovic Popovic Mitic and Andrea Cvetanovic, Senior Lawyer JPM Jankovic Popovic Mitic

I. The nature of the offences which may give rise to an interception or surveillance order:

A) Offences processed by criminal courts

In accordance with Article 162 para 1 of the Criminal Procedure Code ("Official Herald RS", Nos. 72/2011, 101/2011, 121/2012, 32/2013, 45/2013, 55/2014 and 35/2019) – “Criminal Procedure Code”)), special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching can be determined for the following criminal offences:

1) for which the competence of public prosecution of special competence is prescribed by special law:

a) Law on Organisation and Organisation of State Bodies in Prevention of Organised Crime, Terrorism and Corruption (“Official Herald RS" Nos. 94/2016 and 87/2018 – other law):

• criminal offence of organised crime;
  
  
• murder the highest-ranking officials of the state bodies (Art. 310 of Criminal Code “Official Herald RS” Nos. 85/2005, 88/2005 - correction, 107/2005 - correction, 72/2009, 111/2009, 121/2012, 104/2013, 108/2014, 94/2016 and 35/2019 – „Criminal Code“)) and criminal offence of armed rebellion (Art. 310 of Criminal Code);
  
  
• criminal offences against official duty (Art. 359 and Art. 361- 368 of Criminal Code) and criminal offence – giving and receipt of bribe in relation of voting (Art. 156 of Criminal Code);
  
  
• criminal offences against commerce (Art. 223, 223a, 224, 224a, 227, 228, 228a, 229, 230, 231, 232, 232a, 233, Art. 235 para 4, Art. 236 and Art. 245of Criminal Code);
  
  
• terrorism (Art. 391 of Criminal Code), public instigation to commit terrorist acts (Art. 391a of Criminal Code), canvass and training to commit terrorist act (Art. 391b of Criminal Code), usage of lethal device (Art. 391v of Criminal Code), destruction and engagement of nuclear facility (Art. 391g of Criminal Code), financing terrorism (Art. 393 of Criminal Code) and terrorist accouplement (Art. 393a of Criminal Code);
  
  
• criminal offence against state bodies (Art. 322 para 3 and 4 and Art. 323 para 3 and 4 of Criminal Code) and criminal offence against judiciary (Art. 333 and Art. 335, Art. 336 para 1, 2 and 4 and Art. 336b, 337 and 339 of Criminal Code), if these have been committed in connection to criminal offence stated in items i) – iv) above.

• criminal offences prescribed by Art. 370 – 384 and 385 and 386 of the Criminal Code;
  
  
• grave breaches of international humanitarian law committed on the territory of Former Yugoslavia prescribed in Statute of International Criminal Tribunal for Former Yugoslavia;
  
  
• assistance to offender after committing criminal offence (Art. 333 of the Criminal Code) if committed in connection to criminal offences stated in item i) and ii) above.

2) aggravated murder (Art. 114 of Criminal Code), abduction (Art. 134 of Criminal Code), presenting, procuring and possession of pornographic material and exploiting a minor for pornography (Art.185 para 2 and 3 of Criminal Code), robbery (Art. 206, para 2 and 3 of Criminal Code), extortion (Art. 214 para 4 of Criminal Code), abuse of position by responsible person (Art. 227 of Criminal Code), misuse in public procurement (Art. 228 of Criminal Code), receipt of bribe in performing business activities ( Art. 230 of Criminal Code), giving bribe in performing business activities (Art. 231 of Criminal Code), counterfeiting money (Art. 241 para 1-3 of Criminal Code), money laundering (Art. 245, para 1-4 of Criminal Code), unlawful production and putting into circulation of narcotics (Art. 246 para 1-4 of the Criminal Code), compromising independence (Art. 305 of Criminal Code), compromising territorial integrity (Art. 307 of Criminal Code), attack against the constitutional order (Art. 308 of Criminal Code), sedition on a violent change of the constitutional order (Art. 309 of Criminal Code), diversion (Art. 313 of Criminal Code), sabotage  (Art. 314 of Criminal Code), espionage (Art. 315 of Criminal Code), disclosing a state secret ( Art. 316 of Criminal Code), instigation national, racial and religious hatred and intolerance (Art. 317 of Criminal Code),violation territorial sovereignty (Art. 318 of Criminal Code), conspiracy for unconstitutional activity (Art. 319 of Criminal Code), preparation acts against the constitutional order and security of Republic of Serbia (Art. 320 of Criminal Code), grave offences against the constitutional order and security of Republic of Serbia (Art. 321 of Criminal Code), unauthorized production, possession, carrying and transport of weapons and explosive materials (Art. 348, para 3 of Criminal Code), illegal crossing of state border and human trafficking (Art. 350, para 2 and 3 of Criminal Code), abuse of official duty (Art. 359 of Criminal Code ), influence peddling (Art. 366 of Criminal Code), receipt of bribe (Art. 367 of Criminal Code), giving bribe (Art. 368 of Criminal Code), human trafficking (Art. 388 of Criminal Code), endangering persons under international protection (Article 392 of Criminal Code) and criminal offence under the Art. 98, para 2 - 5 of Data Secrecy Law.

3) prevention and impeding collection of evidences (Art. 336 para 1 of Criminal Code) if committed in connection with criminal offences under points a) and b) above

4) special evidence collecting – secret surveillance of communication can be determined for the following criminal offences: unauthorized use of copyrighted work or other work protected by similar right (Art. 119 of Criminal Code), damaging computer data and programs  (Art. 298 of Criminal Code), computer sabotage (Art. 299 of Criminal Code), computer fraud (Art. 301 para 3 of Criminal Code) and unauthorized access to computer, computer network or electronic data processing (Art. 302 of Criminal Code).

B) Actions processed by Ministry of Interior (police departments)

 special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching criminal offences for which sentence to imprisonment of 4 years or longer period and warrant has been issued (Article 60 of Law on Police (“Official Herald RS" Nos. 6/2016, 24/2018 and 87/2018) – “target search measures”.

 “special measures”: i) secret surveillance and recording of communication regardless the form and technical means by which measures are implemented or surveillance of electronic or other address; ii) statistical electronic surveillance and information systems to obtain data on communication or location of used mobile terminal equipment; iii) secret surveillance and recording of communication at public place and at places where access is limited or in closed area; iv) computer search of processed personal and other data and their comparison with data obtained in items i) – iii). Along with “special measures”, secret surveillance and recording of places, closed areas and subjects, including devices for automated processing of data and equipment where data are stored or where electronic records can be stored can be determined in case where reasonable grounds to suspect exists that actions directed against security of Republic of Serbia are performed or planned and where circumstances of the case indicated that such actions could not be discovered, prevented or proved or where it would cause disproportionate difficulties and grave danger (Art. 13 and 14 of Law on Security-Informative Agency, “Official Herald RS” Nos. 42/2002, 111/2009, 65/2014 – Decision of the Constitutional Court, 66/2014 and 36/2018)

Military Security Agency shall collect data by means of special procedures and measures when it is not possible to collect data otherwise or when their collection involves excessive risk to life and health of people and property, i.e. excessive costs. Special procedures and measures are implemented primarily for the purpose of prevention, i.e. with the aim to prevent threats against the Ministry of Defence and the Serbian Armed Forces (Law on Military Security Agency and Military Counterintelligence Service (“Official Herald RS” Nos. 88/2009, 55/2012 – Decision of the Constitutional Court and 17/2013).

Special measures and procedure can include the following measures: i) secret surveillance of persons in the open space and in public places by applying technical means; ii)secret electronic surveillance of telecommunications and information systems in order to collect data on telecommunication traffic and the locations of the users without the insight in the content; iii) secret recording and documenting of conversations in the open space and in the closed areas by using technical means; iv) secret surveillance of the content of letters and other means of communication including covert surveillance of the content of telecommunications and information systems; v) secret surveillance and recording of the interior of facilities, closed areas and objects.

II. A definition of the categories of people that might be subject to surveillance:

Pursuant to Art. 161 para 1 of Criminal Code Procedure, special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching can be determined against a person for whom reasonable grounds to suspect that she/he has committed criminal offence prescribed in Art. 162 of Criminal Code Procedure exists, if evidences for criminal prosecution cannot collected in other manner or their collection could be have significantly exacerbated.

In accordance with para 2 of the same Article of the same Law, as exception, special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching can be determined and against a person for whom reasonable grounds to suspect that she/he has committed criminal offence prescribed in Art. 162 of Criminal Code Procedure exists and circumstances of the case indicate that criminal offence could not be discovered, prevented or proved or this would cause disproportionate obstacles or significant danger.

In accordance with para 3 of the same Article of the same Law, when deciding on determination and duration of the said special evidence collecting, the body which is responsible for the procedure shall in particular, evaluate whether the same result could be achieve in the manner by which rights of citizens are less limited.

In case by execution special evidence collecting material on criminal offences and offender of criminal offence which/who have not been covered by decision on such special evidence collecting  has been collected, such material can be used in the procedure only if it is related to criminal offences prescribed by Art. 162 of the Criminal Procedure Code (Art.164 of the Criminal Procedure Code – accidental finding).

To arrest and bring a person to competent authority in case of reasonable grounds to suspect that a person has committed criminal offence for which a sentence of imprisonment of four year or more is prescribed and for whom a warrant is issued and under assumption that police officers cannot arrest this person applying other measures or actions, i.e. when such arrest is connected to disproportionate difficulties, “target search measures” can be determined against such person as well as against other persons for whom reasonable grounds to suspect exists that these persons assist such person to hide.

Special procedures and measures can be implemented against person, group or organisation 

“Special measures” can be determined against a person, a group or an organisation in case where reasonable grounds to suspect exists that actions directed against security of Republic of Serbia are performed or planned and where circumstances of the case indicated that such actions could not be discovered, prevented or proved or where it would cause disproportionate difficulties and grave danger.

D) Categories of people that might be subject to surveillance to by Security Military Agency

Special measures and procedures are applied against a person, a group or organisation to prevent threats against the Ministry of Defence and the Serbian Armed Forces.

III. A limit on the duration of the measure:

Secret surveillance of communication and secret tracking and interception can last 3 months and can be prolonged for another maximum 3 months due to necessity of further collection of evidences.

In case of criminal offences for which the competence of public prosecution of special competence is prescribed by special law is prescribed, secret surveillance of communication can be exceptionally prolonged two times for 3 months. This special evidence collection shall be terminated as soon as reason for its application cease to exit. 

Computer data searching can last maximum 3 months and can be exceptionally prolonged two times for 3 months due to necessity of further collection of evidences.  This special evidence collection shall be terminated as soon as reason for its application cease to exit.

“Target search measures” can last maximum 6 months and can be prolonged for another six months.

“Special measures” can last 3 months and can be prolonged three times for three months if necessary to discover, prevent or obtain evidences.

Special measures and procedure can last 6 months and can be, upon new proposal, prolonged for another 6 months.

IV. The procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; the circumstances and substantive and procedural conditions relating to the access of the competent authorities; Assessment whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued

A) Procedure before administrative bodies

Personal data obtained and processed by applying measures are secret data. This means that only persons who are issued security certificates can examine or use data, i.e. access data. Security certificates are issued by the Office of the Council for National Security and Protection of Secret Data. This Office is obliged to establish and maintain records on us issued security certificates. The contents, form and manner to maintain records for access to secret data are provided for in Decree on Content, Form and Manner to Maintain Records for Access to Secret Data (“Official Herald RS” No. 89/2010).

Data Secrecy Law (“Official Herald RS” No. 104/2009) prescribes that a public authority shall apply general and special protection measures under law and regulations adopted under law, with a view to protecting secret data in its possession.

General measures for the protection of secret data shall include: i) determining the classification level; ii) assessing classified data security threat; iii) establishing the manner of using and handling classified data; iv) designating a person responsible for keeping, using, exchanging and other forms of classified data processing; v) designating a classified data controller, including his security clearance depending on the classification level; vi) determining special zones, buildings and premises intended for classified data and foreign classified data protection; vii) classified data handling control; viii) measures for the physical and technical protection of classified data, including the installation and set-up of technical means of protection, determination of a security zone and protection outside that zone; ix) protection measures for information and telecommunication systems; x) crypto protection measures; xi) protection regime for jobs and formation posts, under any internal acts on job classification and systematisation; xii) establishing special educational and training programmes required for the protection of classified data and foreign classified data; xiii) other general measures prescribed by law.  

Some special protection measures can be regulated in more detail by an act of the competent minister or the head of a special organisation, under the Government act. Moreover, it is prescribed in Art. 84 para 1 of Data Secrecy Law that the head of a public authority shall be responsible for internal control of the implementation of this Law and regulations adopted based on this Law.

It is prescribed that para 2 of the same Article that special post shall be allocated in the ministry responsible for internal affairs, the ministry responsible for defence and in the Security Informative Agency, and, as necessary, in other public authorities, for internal control and other professional tasks concerning secret data classification and protection, or else an existing organisational unit within the ministries or the agency shall be entrusted with performing the mentioned activities and tasks.  

To enhance effective implementation measures for protection of secret data, Serbian Government enacted Decree on Special Measures on Handling of Secret Data (“Official Herald RS” No. 90/2011). This decree obliges the head of public authority to determine authorised persons for regular and sudden checks of manner of implementation of measures for control of secret data.

Moreover, the Serbian Government rendered Decree on Special Protective Measures of Secret Data in Information-Communication Systems (“Official Herald RS” No. 53/2011), system must fulfil conditions ensuring: i) protection from unauthorised access, which assumes identification and secure guarantees of identity (authentication) of persons which have access to system; ii) control and maintenance of records on access to system; iii) continual recording (automated, manual and combined) on security condition of the system (security logs), activities of the system and change of condition of the existing system; iv) examination of security logs by authorised persons; v) determination authorisations to users in regard to security of systems; vi) determination authorisations to users in regard usage of system; vii) ensuring secure manner for indication level of secrecy; viii) identification of user who executes amendment, printing, re-taping and deletion secret data; ix) recording amendments, printing, re-taping or deletion secret data by user; x) protection important and program elements, system possibilities and functionalities of system; xi) obtaining back up archives of secret data in case of loss of existing archives as well as maintenance of records on access to archives.

In accordance with Decree on Manner of Maintenance of Records, Processing, Usage, Protection and Deliverance Information and Documents on Affairs in the Competence of Security Informative Agency  (“Official Herald RS” 68/02), direct access to documents can be achieved only under written authorisation. Regardless the forms and type of carrier, documents are records are kept in protected boxes or cupboards, worked out for this purpose, placed in specially secured areas. Transfer of documents and records is performed applying special measures and in manner to be protected from potential loss, theft or destruction. Manner of maintenance of records, processing, usage, protection and deliverance information and documents to competent state bodies is to be defined by internal instructions of the Director of the Agency.

Law on Records and Processing of Data in the Field of Internal Affairs (“Official Herald RS” 24/18) defines obligations of the Ministry of Interior in regard to personal data protection in the field of internal affairs, purpose of processing, rights and protection of rights of persons whose data are processed, types and contents of records, duration of period of processing, exchange of data, storage, protection and control of data and other issued which are important for processing of personal data in the field of internal affairs.

In accordance with Art. 60 para 12 of the Law on Police, upon completion of “target search”, personal data obtained shall be delivered to the President of Supreme Cessation Court or authorised judge who is obliged to destroy them and draft record on this fact.

In accordance with Art. 31 of the Law on Military Security Agency and Military Counterintelligence Service, Military Service Agency shall create and keep the records and registers of personal and other data and documents on those data. Military Security Agency shall create and maintain collections and registers of date within the scope of its work. The records and registers of data and documents shall be defined as secret data in compliance with the law regulating protection of secret data. In case both services come in possession of data in the competence of other security services or police, these will be delivered other security services if these are related to national security affairs, where, if these are related to criminal offences, these will be delivered, in accordance with provisions of Criminal Procedure Code governing special evidence collecting.

In accordance with Rulebook on Requirements for Devices for Legitimate Interception of Electronic Communications and Technical Requirements for Fulfillment the Obligation of Retention of Data on Electronic Communications (“Official Herald RS” No. 88/2015), competent body shall maintain record containing decision of the court which represents legal ground for access or deliverance of retained data and date and time of access/deliverance.   

Furthermore, in accordance with same Rulebook, in case when state body is not in the position to have access to retained data without access to premises or electronic communication network, accompanied devices or electronic communication equipment, operator is obliged to maintain record on received request for access or deliverance of the requested data which particular contains: identification the person which accessed the data/whom data are delivered, court decision which serves as legal ground for access or deliverance and date and time of access and deliverance.

Decision of the court defines by which the measures is approved contains the following data: the indication of the measure, data on person/group/organisation to whom/which a measure shall be applied, reasons for application the measure, place and duration of the measure.

Under assumption that:

• Persons having access to data/whom data are delivered possessing security certificates;
• persons are granted internal authorisations to access the data;
• the information systems of state bodies/operators record date and time of access to data;
• data are accessed/delivered by/to person by making a reference to court decision which represent a valid legal ground for access to deliverance the data  

an assessment may be made that number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.

B) Procedure before Criminal Courts

Data on requesting, deciding on and application the measure are secret data. Other persons who in whatever capacity, learn about these data are required to keep them secret.

Depending on the particular measure, order of the court contains: available data on person to whom the measure is determined, legal title of criminal offence, indication of available telephone number/address, authorisation for  reasons for suspicion, indication of premises, place or transport vehicle,, authorisation to enter and placing devices, description of data to be searched and processed, indication of state body which is obliged to perform search of requested data, manner of application the measure, scope and duration of the measure.

Proposals for measures and order are recorded in special court record and are stored together with material on applied measure in special court file with indication “special evidences collecting” and indication of level of classification in accordance with Data Secrecy Law. 

Order is applied by Ministry of Interior, Security and Informative Agency or Military Service Agency applying procedures under Section “Procedure before administrative bodies”.

In case the public prosecutor does not initiate criminal procedure within 6 months upon the moment when he has been familiar with the file or states that he will not use it in the procedure or will not request criminal procedure against the suspected person, a judge for preliminary procedure shall order decision on destruction the collected material.

Upon the termination of measure, the authority which executes order shall deliver to the judge for preliminary proceedings recordings of the communications, letters and other parcels and a special report which contains: the time of commencement and termination of the surveillance, data on the official who conducted the surveillance, a description of the technical means used, the number and available data on the persons encompassed by the surveillance, and an assessment of purposefulness and results of the application of the surveillance.

The judge for preliminary proceedings shall in the opening of letters and other parcels take care not to damage seals and to preserve the covers and addresses. A record shall be made of the opening. All the materials obtained by the application of the secret surveillance of communications shall be delivered to the public prosecutor. The public prosecutor shall order the recordings obtained through use of technical means to be transcribed in full or in part and to be described.

Upon the termination computer data search the public authority, or the legal person which implemented the order shall deliver to the judge for preliminary proceedings a report containing: data on the time of commencing and terminating a computer search data search, data searched and processed, data on the official who conducted the computer data search, description of the technical means employed, data on the persons encompassed and results of the implemented computer data search. The judge for preliminary proceedings shall deliver the said report to the public prosecutor.

• In general, do the laws of your country impose such a limitation to what is “strictly necessary”?

Data can be processed to accomplish the following goals:

1. On the ground of court order to collect evidence to initiate criminal procedure for serious criminal offences. Court order specifies which data, for which purposes will be processed, manner of processing and duration of processing – special evidence collecting to initiate criminal procedure. State bodies applying measure must act in accordance with court order;
   
   
2. Special measures applied by Security Informative Agency must be approved by the court, following the proposal of the Director of the Agency with rationale. Proposal contains legal title of the measure, available data on person, group and organisation to which the measure is to be applied, reasons justifying application of the measure, scope of measure and its duration. Extension of the measure must be approved by the court; in case the court does not approve extension of the measure, collected data are deleted;
   
   
3. Special measures and procedures applied by Military Security Agency must be approved by the court - following the proposal of the Director of the Agency or authorised officer with rationale. Proposal contains legal title of the special measure/procedure, data on person, group or organisation to whom/which measure is to be applied and place and duration of the measure;
   
   
4. Target search measures applied by the Ministry of Interior/police departments shall be approved by the President of Supreme Cassation Court or authorised judge. In case of urgency, director of the Police can order measure subject to oral consent of the court, whereby the court must deliver decision in writing with 24 hours upon receipt of oral consent.
   
   When deciding on the measure, it shall be particularly considered whether the same result can be achieved in the manner by which rights of citizens are less limited.

• What objective criteria are used to determine which personal data of individuals are stored?

In accordance with Article 5 of Serbian Law on Personal Data Protection (“Official Herald RS” No. 87/2018) which transposed provisions of Directive (EU) 2016/680 prescribes that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). Further, Article 7 of the same Law prescribes that personal data collected by competent state bodies for special purposes shall not be processed for the purpose different than initial one, except in case when further processing is prescribed by law.  

Purpose of processing different than one for which personal data are collected is allowed only in case the following conditions are cumulatively met:

1. Controller is authorised to process such personal data for other purposes, in accordance with the law;
   
   
2. Processing is necessary and proportionate to other purpose, in accordance with the law.

• Does national legislation require any relationship between the data which must be retained and a threat to public security?

No.

• Does national legislation restrict the data retention in relation to …?
  • Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?
  • Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?

No.

• Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

Judges, prosecutors and doctors must report preparation of criminal offence for which sentence of five years imprisonment or harsher sentence is prescribed (Article 331 of Criminal Code). They must report criminal offence for which sentence of five years imprisonment or harsher sentence is prescribed and offender for which they learned in the course of performance of their duty (Article 332 of the criminal code).

Lawyers have right to disclose professional secret in case it is necessary to prevent serious criminal offence (Codex of lawyers’s professional ethics).

• “Who”: Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how?

Judges are responsible for overseeing surveillance measures. Judge are independent in performance of their duties.

• “When”: At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

The judge issues/approves order for application of surveillance measures and terminates the order.

In case the public prosecutor does not initiate criminal procedure within 6 months upon the moment when he has been familiar with the file or states that he will not use it in the procedure or will not request criminal procedure against the suspected person, a judge for preliminary procedure shall order decision on destruction the collected material.

• Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data?

Yes. In accordance with Article 32 of Law on Personal Data Protection, in case that competent bodies process personal data for special purpose, data subject has right to erasure and controller is obliged to erase personal data without undue delay if provisions of Art. 5, 13 and 18 (data protection principles, lawfulness of processing by competent body and processing of special categories of data)  have been breached by such processing and personal data shall be erased due to legal obligation of controller.

In accordance with Article 34 of the same Law, if the processing is performed by the competent authorities for special purposes, the controller is obliged to inform the data subject in writing about the refusal to correct or delete his personal data, i.e. restriction of processing, as well as the reasons for refusal or restriction.

The controller shall be completely or partially released from the of notification to the extent that such restriction is a necessary and proportionate measure in a democratic society, with due respect for the fundamental rights and legitimate interests of data subjects, in order to:

1. avoid obstructing the official or statutory collection of information, investigation or proceedings;
2. enable the prevention, investigation and detection of criminal offenses, prosecution of perpetrators of criminal offenses or execution of criminal sanctions;
3. protect public safety;
4. protect national security and defence;
5. protect the rights and freedoms of other persons.

The controller is obliged to inform the person to whom the data relate that he can file a complaint to the Commissioner for Information of Public Importance and Protection of Personal Data, i.e. a lawsuit to the court.

The controller is obliged to inform the competent authority about the correction of inaccurate data since these data were obtained.

If personal data have been corrected, deleted or their processing has been restricted, the controller is obliged to inform the recipients of this data about their correction, deletion or restriction of processing.

Recipients of data notified are obliged to delete the data in their possession, delete them or limit their processing.

• Who should the individual address (see, Guarantee C)?

The Commissioner for Information of Public Importance and Protection of Personal Data.

Data subject has the right to file a complaint to the Commissioner if he / she considers that the processing of his / her personal data has been performed contrary to Law on Personal Data Protection. 

In the complaint procedure, the provisions of the law governing inspection supervision in the part related to the handling of petitions shall apply accordingly.

Filing a complaint with the Commissioner does not affect the right of this person to initiate other administrative or judicial protection proceedings.

The Commissioner is obliged to inform the complainant about the course of the proceedings, the results of the proceedings, as well as the right of the person to initiate court proceedings.

The data subject, the controller, processor, or other natural or legal person to whom the decision of the Commissioner, made in accordance with this Law, has the right to file an administrative dispute against that decision within 30 days from the date of receipt of the decision. . Filing a lawsuit in an administrative dispute does not affect the right to initiate other administrative or judicial protection proceedings.

If the Commissioner within 60 days from the day of filing the complaint does not act on the complaint or does not inform the complainant about the course of the proceedings, the results of the proceedings, as well as the right of the person to initiate court proceedings, data subject has a right to initiate administrative dispute.

Data subject has the right to judicial protection if he / she considers that, contrary to Law on Personal Data Protection, the right prescribed by this law has been violated by the controller or processor by processing his / her personal data. Filing a lawsuit in court does not affect the right of this person to initiate other administrative or judicial protection proceedings.

The lawsuit for protection of rights may require the court to oblige the defendant to:

1. provide information referred to in Art. 22 to 27, Art. 33 to 35 and Article 37 of this law;
2. correction, i.e. erasure of data on plaintiff from Art. 29, 30 and 32 of this law;
3. restriction of processing from Art. 31 and 32 of this law;

The lawsuit for protection of may request the court to determine that the decision relating to the plaintiff was made contrary to Art. 39 of this law.

The lawsuit shall be submitted to the higher court in whose territory the controller or processor or their representative has a permanent or temporary residence, or in whose territory the data subject has a permanent or temporary residence, unless the controller or processor is authority.

Revision of the final decision made on the lawsuit is always allowed.

The provisions of the law governing civil proceedings shall apply in the court protection procedure, unless otherwise provided by this law.

• Does the court/control committee have access to all relevant information, including closed materials?

The nature of the offences which may give rise to an interception or surveillance order:

Under the Federal Law N144-FZ of 12.08.1995 “On operative investigation activity” (hereinafter referred to as “OIA Law”), these are only offences of a criminal nature, i.e., leading to criminal liability (as opposed to either administrative or civil liability). However, it is not necessary to commit a criminal offence to face interception of communication as this measure may be lawfully applied for the purposes of detection and prevention of crimes, as well as to identify individuals preparing them (i.e., before a crime is actually committed). The only exemption the OIA Law specifies in this relation is that wiretapping of telephone and other conversations cannot be applied in relation to individuals suspected or accused of committing minor crimes, as well as individuals who may have information about such crimes (however, this exemption does not cover surveillance itself and written communications for unknown reasons).

The above description appears too broad and thus leaves significant room for abuse (despite the fact the OIA Law formally sets out the law enforcement agencies’ obligation to respect the right to private life, personal and family privacy, and privacy of correspondence). Indeed, almost any individual may arbitrarily be regarded as an offender who, e.g.,, appears to be preparing a crime only to be subsequently prosecuted on formal grounds and to initiate investigation activities, including surveillance and interception of communication. On top of that, the OIA Law allows operative investigation activity (including surveillance and interception) to be carried out covertly which (by its nature) leads to a lack of transparency and control over how the respective data is collected and further processed by law enforcement agencies and their officials.

It should also be noted that surveillance and interception of communications are also lawful in cases not directly connected to offences (with the exemption mentioned above), e.g., if used for obtaining information about events or actions (resp. omissions) that pose a threat to the state, military, economic, information or environmental security of Russia. This entails the same issue of potential abuses coupled with a lack of control and transparency as described above.

There are also other legal grounds set out in the OIA Law that might be relied upon (see Articles 2 and 7 of the OIA Law).

A definition of the categories of people that might be subject to surveillance:

The OIA Law generally lays down that citizenship, national origins, gender, place of residence, property, official and social status, membership in public associations, religious and political beliefs cannot be deemed as an obstacle to conducting operative investigation activities (including surveillance) in respect of individuals, unless otherwise provided by Federal law.

At the same time, specific laws may provide for exemptions from this general rule, e.g., under the Law of the Russian Federation N3132-1 of 26.06.1992 “On the status of judges in the Russian Federation”, judges are inviolable, which includes secrecy of correspondence and other forms of communication; inviolability also applies to the communication of a deputy of the State Duma of the Russian Federation or a member of the Federation Council (under the Federal Law N3-FZ of 08.05.1994 "On the status of a member of the Federation Council and the status of a Deputy of the State Duma of the Federal Assembly of the Russian Federation"). In such specific cases, a special procedure must be followed to obtain the respective measure.

A limit on the duration of the measure:

There are no specific rules on this. From the general provisions of the Federal Law N152-FZ of 27.07.2006 “On personal data” (hereinafter referred to as ‘Data Law’) (backed by the overall logic of the investigation legislation) it can be concluded that the respective measures may be applied for as long as necessary to achieve the purpose of its application.

The procedure to be followed for examining, using and storing the data obtained:

There are only isolated and unsystematic legislative provisions in this regard.

Examination of the obtained data is not addressed in the applicable legislation and is thus left to the discretion of law enforcement agencies and their officials.

As for the use, the OIA Law only contains a very broad and generic list of ways of how the results of operative investigation activity may be used. For example, the data may be used to conduct operative investigation activities, to search for fugitive offenders, for the purposes of tax authorities, as well as factual grounds to initiate criminal proceedings, etc. (Article 11).

Storage of the data obtained seems to be unsystematically and broadly regulated in the same manner, giving individuals insufficient control over whether their data is stored and for how long. Under the OIA Law (Articles 5 and 8):

(i) The materials obtained as a result of operative investigation activities in respect of individuals whose guilt in committing a crime has not been proved are stored for one year and then destroyed, unless official interests or justice require otherwise. Phonograms and other materials obtained as a result of wiretapping or interception of other conversations of individuals against whom criminal proceedings have not been initiated shall be destroyed within six months from the date when the interception ends.

It stems from the above that there are only retention periods in particular cases which have been specified and not storage conditions themselves. In addition, in fact, this means that the data might potentially be uncontrollably stored by law enforcement agencies for an indefinite amount of time, hiding behind unclear ‘official interests’, with no possibilities to exercise control over such storage.

(ii) If a criminal case is initiated against an individual whose telephone and other conversations were wiretapped, the phonogram and the hard copy of the recording shall be transferred to the investigator as material evidence. Under the Criminal Procedure Code of the Russian Federation (hereinafter referred to as ‘CPC’), such phonograms and hard copies:

1. are stored sealed in conditions that exclude the possibility of familiarizing third parties with the information contained and that ensure their safety and security of the information;
2. shall be returned to their rightful owner after inspection and other necessary investigative activities, if it poses no harm to the investigation.

However, there is no further guidance as to whom the terms ‘third parties’ and ‘rightful owner’ are meant to describe and how the degree of possible harm shall be evaluated which again raises the issue of insufficient clarity and a lack of transparency.

The precautions to be taken when communicating the data to other parties:

No specific measures and/or precautions identified in the applicable laws.

The circumstances and substantive and procedural conditions relating to the access of the competent authorities:

Under the OIA Law (Article 8):

- investigative activities restricting constitutional rights to the secrecy of correspondence, telephone conversations, postal, telegraph and other messages transmitted over electric and postal networks are allowed based on a court decision, providing that there is information on prepared or committed illegal acts, on individuals preparing them, or on events or actions (omissions) that pose a threat to the state, military, economic, information or environmental security of Russia.

- in urgent cases that can lead to committing a serious or particularly serious crimes, as well as where there is information on events or actions (inactions) that pose a threat to the state, military, economic, information or environmental security of Russia, the investigative activities are allowed if conducted on the basis of a reasoned decision of one of the heads of an investigative body, followed by the mandatory notification of the court (judge) within 24 hours. The court decision must be obtained within 48 hours, otherwise, the respective investigative activities shall be discontinued.

The above provisions were initially designed as an expression of the system of “checks and balances” with courts supervising competent investigative authorities and ensuring the rule of law. However, at this stage of the legal and social reality in Russia, courts unfortunately tend to embody a formal rather than a real line of defense, often serving the interests of investigators and glossing over inadequacies in investigating practices.

The same is true for the right set out in Article 5 of the OIA Law, under which investigative activities might be appealed to a superior body carrying out investigative activities, to the procuracy or the court.

Is the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued?

This principle is not fully met. Interception of communications or surveillance may be lawfully performed by investigatory authorities upon requests of other investigatory authorities, with superior bodies, courts, and/or the procuracy being ad hoc involved in this process. This implies the involvement of multiple officials and employees (including those performing solely back-up tasks) in the data processing lifecycle with no strict distribution of roles in terms of data access. Thus, within the law enforcement system, access to the data stored can overall be seen as uncontrolled and unmanaged rather than otherwise.

With a higher degree of certainty, we can conclude that the respective data cannot be accessed by third parties outside the law enforcement system. At the same time, as long as there are no specific precautions taken when communicating data to other stakeholders (including external), this cannot be said with absolute certainty. Nor can the formal confidentiality obligation under Article 5 of the OIA Law (‘investigatory authorities are forbidden to disclose information concerning private life, personal and family secrets, dignity and good name that became known in the course investigative activities, without the consent of citizens, except in cases provided for by federal laws’) be deemed as an effective safeguard.

‘Limit to what is strictly necessary’ is a general principle outlined in the Data Law. However, this principle does not have any specific understanding in the context of investigative activities, nor is it further supported by specific legislation (incl. the OIA Law). From ‘Guarantee A’ section it can be seen that the legal grounds for obtaining (using, storing, …) data are broadly and vaguely (rather than clearly) described without easily understandable ‘building blocks’ of the notion of the ‘strict necessity’. It becomes clear that we cannot speak of an effective implementation of this principle in the specific investigation laws.

What objective criteria are used to determine which personal data of individuals are stored?

The Data Law declares the ‘data minimization’ principle, i.e., the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are stored. In other words, the storage must not happen purposelessly. But, here again, this general approach is not supported in the specific investigation laws which identify no further criteria. In practice, investigative authorities tend to adopt an approach that can be roughly described as ‘let’s keep it and then see if we need it’, arguing that there might appear intelligence-related (or similar) purposes in the future that they are unaware of at the moment of collection.

Does national legislation require any relationship between the data which must be retained and a threat to public security?
Statistically, in most cases, the data obtained in the course of investigation activities are retained for the purposes related to, in one way or another, public security. However, this is not typically a legal requirement as most investigation activities (e.g., interception of written communications) may lead to the data being obtained and stored amid the absence of a clear threat to public security (e.g., investigation activities performed for the purpose of deciding on providing an access to the information constituting a State secret).

At the same time, in some cases, the connection to the issues of public security is required: e.g., as mentioned in ‘Guarantee A’ section, wiretapping of telephone and other conversations must be connected to a crime of a particular gravity, either committed or suspected (i.e., there must be a particular degree of threat to public security).

• Data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime?

• The retention (storage) limitations described in the ‘Guarantee A’ section are the only ones reflected in the investigation laws (which, as can be seen, in many cases are reduced to the setting out of retention periods). There are no other specific provisions regarding the retention restrictions in relation to the above.
  
  

• Persons who could, for other reasons, contribute, through their data being retained, to fighting crime (i.e., witnesses)?
  

  No, this is out of the scope of the applicable laws.

Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)?

No. The laws only set out several professional categories whose representatives may not be interrogated in the capacity of witnesses under an obligation of professional secrecy (judges, attorneys, priests, etc.).

Surveillance measures are supervised by a judge. A court decision is generally required to commence the respective activities and get access to the data (unless this is a matter of urgency, see ‘Guarantee A’ section for more details in this regard).

Judges are formally declared independent and are bound only by law. However, as described above (see ‘Guarantee A’ section), in practice they are unlikely to be seen as a real line of defense for those under surveillance. Rather, in the investigation context, a judge in a contemporary political and social environment is often a part of the investigative mechanism with a formal approach, instead of being an epitome of various guarantees characteristic of a democratic society.

Thus, in the context of ‘Guarantee C’, it seems unlikely that there is a clear and really independent system of judicial controls over how surveillance measures are applied.

At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio?

It takes place before and is a formal prerequisite of the investigation measure (i.e., processing operation), unless there is a matter of urgency.

There are no other oversight stages as such.

Under the OIA Law, the validity period of the respective court decision may not exceed six months, unless otherwise specified in the decision itself. If there is a need of an extension, the judge makes a new court decision based on the newly submitted materials.

Traditionally, there are only isolated and unsystematic legal provisions in this regard.

Under the OIA Law, an individual who was not found guilty in a criminal offence has a right of access to data concerning him or her. However, this right is only applicable:

(i) if the individual believes that his or her rights were violated—thus, literally, the right of access may not be effectively exercised in the ordinary course of events when no violations occur;

(ii) to the extent allowed by the requirements of secrecy and excluding the possibility of disclosure of state secrets—such blurred categories with barely defined boundaries leave room for arbitrary discretion and various abuses.

From the description above it becomes clear that the applicable laws do not address:

(i) the notions of the right to rectification and the right to erasure as such;

(ii) the situations when the data was obtained by investigation authorities outside the context of a committed or suspected criminal offence (e.g., when deciding on providing access to the information that constitute a State secret).

Thus, the right of access exists on a very limited scale, while the rights of rectification and erasure are not addressed at all and theoretically (rather than practically) can only be derived from the general Data Law.

Who should the individual address (see, Guarantee C)?

The respective investigation authorities storing the data should be approached. The refusal may be appealed to the courts (although, as described above, this is mostly a formal guarantee, amid the absence of real independence of judges).

Does the court/control committee have access to all relevant information, including closed materials?

No restrictions are established in this relation. Upon request, a judge must be provided with all the information related to the refusal being appealed, unless this involves information on officials infiltrated into criminal groups, regular undercover employees of agencies that carry out operative investigative activities, or individuals who assist them on a confidential basis.

Overall assessment

Based on the observations outlined above it would be fair to conclude that none of the described Guarantees A-D are fully met in the applicable legislation and judicial practice. The existing provisions cannot be deemed as clear and precise, nor do they epitomize principles of necessity and proportionality in terms of an interference with the right to privacy and the protection of personal data. At the same time, existing oversight mechanisms are of limited nature and cannot be seen as truly independent and efficient in a democratic society. Remedies and rights to redress set out therein are insufficient and have rather formal (than enforceable) character.

Remark 1.

Telecommunications providers are a “willing companion” of the respective investigation authorities as they are under a legal obligation to store (Article 64 of the Federal Law N126-FZ of 07.07.2003 “On communications”):

(i) information about the facts of receiving, transmitting, delivering and (or) processing of voice information, text messages, images, sounds, video or other messages sent by users of communication services (retention period: 3 years);

(ii) text messages sent by users of communication services, voice information, images, sounds, video, and other messages sent by users of communication services (retention period: up to 6 months).

The information described above must be provided to the investigation authorities, when prescribed by the applicable laws.

In the media, the law introducing the legal obligations of telecommunications providers described above is often mentioned as the “Yarovaya Law” (passed in 2016).

Remark 2.

For a better understanding of the context of how surveillance, resp. interception of communications works, it is recommended to study examples of real criminal investigations.

One of the most known cases is the case of Oxana Sevastidi accused of high treason in 2016. She was sentenced to seven years in prison for texting in 2008 about a Russian train full of military equipment heading toward the Georgian breakaway region of Abkhazia during the short war between Russia and Georgia. Subsequently, she was pardoned by the President of Russia. Allegedly, the case was politically motivated.

To learn more: https://www.rferl.org/a/russia-sevastidi-released-text-georgian-war-jailed/28364651.html

The case of Oxana Sevastidi was not the only one based on the arbitrarily intercepted text message as a Georgian citizen Ekaterina Kharebava was accused of the same crime (formally of espionage) in 2014 and subsequently sentenced to six years in prison. She was recognized as a political prisoner by the human rights organisation “Memorial”.

Remark 3.

To access the Russian legislation in English language, the following online resource can be used: https://english.garant.ru Subscription is available for a fee.

___________

Please note that according to a recent legal study published by the European Data Protection Board "on Government access to data in third countries", the researchers found that in Russia, "[...] [personal data protection] enforcement and the application of the legislation has serious drawbacks. In addition, Russia has a striking record of violating the European Convention of Human Rights (ECHR)."

Ms. Tripti Dhar, Partner – Reina Legal

• B.A., LL.B. (Hons.) from NALSAR University of Law, Hyderabad, India
• Admitted to practice in India; enrolled with the Delhi Bar Council
• Certified CIPP/E
• Member of International Association of Privacy Professionals (IAPP)
• DSCI Certified Privacy Professional (DCPP)
• Technical/policy expert at AI Policy Exchange, National Law School of India University, Bangalore, India

• The nature of the offences which may give rise to an interception or surveillance order;

The Article 40 of Saudi Arabian Constitution, protects the right to privacy, although it states that correspondences “may not be confiscated, delayed or read, and telephones may not be tapped except as laid down in the law.

Article 9 of the Telecommunications Law and Regulations states that the privacy and confidentiality of telephone calls and information transmitted or received through public telecommunications networks shall be maintained. Disclosing, listening or recording the same is not permitted, except for the cases stipulated by the relevant Acts.

Article Nine of Telecom Act Royal Decree No. (M/12) dated 12/03/1422H:

The privacy and confidentiality of telephone calls and information transmitted or received through public telecommunications networks shall be maintained. Disclosing, listening or recording the same is not permitted, except for the cases stipulated by the relevant Acts.

Privacy-related offences under Article 3(1) of the Anti-Cyber Crime Law include:

'spying on, interception or reception of data transmitted through an information network or computer without legitimate authorisation'

• A definition of the categories of people that might be subject to surveillance;

Chapter 10 : Violations and Penalties Article Thirty-seven of the Telecom Act Royal Decree No. (M/12) dated 12/03/1422H states that Any of the following actions by any operator, individual or a juridical person constitutes a violation Interception of any telephone call or data carried on the public telecommunications networks in violation of the provisions of this Act

• A limit on the duration of the measure;

The existing laws in the region are silent on this subject.

• The procedure to be followed for examining, using and storing the data obtained;

The existing laws in the region are silent on this subject.

• The precautions to be taken when communicating the data to other parties; and

The existing laws in the region are silent on this subject.

• The circumstances and substantive and procedural conditions relating to the access of the competent authorities.

The existing laws in the region are silent on this subject.

• Furthermore, please assess whether the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued.