Die zweite Anhörung des Ausschusses am 26. Oktober drehte sich um die Frage, ob die Grundsätze der Vertraulichkeit der Kommunikation durch den Einsatz von Staatstrojanern gefährdet sind. Geladen waren 5 Expert:innen, die sich nach ihren Statements den Fragen der Parlamentarier:innen stellen mussten.
Von der Anhörung gibt es ein Video, aber kein offizielles Transkript. Daher veröffentlichen wir ein inoffizielles Transkript.
- Date: 2022-10-26
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers
Panel 1: Ángel Vallejo (Head of Institutional Relations THIBER), Jesper Lund (Chairman of IT-Pol, member of EDRi), Wojciech Klicki (Lawyer, Panoptykon Foundation)
Panel 2: Ioannis Kouvakas (Senior Legal Officer and Legal Coordinator, Privacy International), Achim Klabunde (Deutsche Vereinigung für Datenschutz e.V.)
- Links: Hearing, Video
- Note: This transcript is automated and unofficial, it will contain errors.
- Editor: Emilia Ferrarese
Spyware and ePrivacy
Jeroen Lenaers (Chair): Okay. Dear colleagues, if everybody could take their seats, please, we will start the second part of our committee meeting today. The main point of this afternoon’s agenda is our hearing on spyware and ePrivacy. With this hearing, we wanted to have the discussion with experts covering the analysis of the respect of the principles of confidentiality, of communications and prohibitions of interception, listening, tapping, storage, etc., or surveillance of communications. Originally, we planned this for July. It has been postponed to allow the organisation of the hearing on Israel ahead of the mission. But we can now delve into this topic into great detail. We have a lot of time to do so and I want to thank the participants for making themselves available. This afternoon will have two panels.
The first panel will have three speakers. Ángel Vallejo, Head of the Institutional Relations at THIBER. Jesper Lund, Chairman of IT-Pol who’s a member of EDRi who will be participating remotely and of Wojciech Klicki, who is a lawyer from the Panoptykon Foundation.
The second panel this afternoon, we’ll hear from Ioannis Kouvakas, who is a Senior Legal Officer and Legal Coordinator of Privacy International and Achim Klabunde from the Deutsche Vereinigung für Datenschutz. So without further ado, I see I got a confirmation for my pronunciation of the German. Thank you very much, Hannah. We will start with Ángel Vallejo, who is the head of institutional relations at THIBER, a cybersecurity think tank based in Spain. You have the floor for 10 minutes, please.
Ángel Vallejo (Head of Institutional Relations THIBER): Okay. Thank you very much. Thank you for the invitation. It’s an honour to be here and thank you for having me. I’m the head of institutional relationships of the world. That’s a cybersecurity think tank basing in Spain. And we usually deal with cybersecurity issues, cyber strategy, social cyber development. And the think tank is composed by engineers, lawyers, social sociologists and political science practitioners. We are founded the think tank, and we wanted to apply a multi perspective and multidisciplinary approach to all this cyber environment in order to avoid a very kind of biased approach. And we’ve been working for, I think it’s about ten years now. Okay. So let me first let me first mention as a reference point the UN Commissioner for Human Rights Report of October 2022, which is addressing mainly three topics. First of all, is the abuse of spyware by state authorities. Second one is encryption as a potential right or a potential new right? And third one is abuse of surveillance in public spaces. We shall address the first one because this is the topic to be discussed today in the we can lift the other two for later stage if there’s some time left because they are very tightly related. Okay.
So because this was new, if there’s something new, it will know that this tool turns smartphones into 24 seven surveillance device. It’s it provides a zero click attack. So it’s kind of game changer in in which respects to the need of some kind of activation by the victim device. And we know it’s been sold this tool has been sold to some of the European countries. Without entering into detail of technicalities the game changing part of this tool – Pegasus – is the point of zero click attack, first of all. And secondly but not less important that it provides a. Practically an unlimited possibility and likelihood of exfiltrating or sniffing all and every single piece of information, voice and data who’s running through. Unto an out of the of the device. We can, of course, recall the hacking team issue. It was I think it was 2014. So it’s something important that after eight years we are now in a kind of similar situation which we encounter in 2014. In that case. In the case of Hacking Team, this tool provided by the mighty Italian company, it was not so pervasive. It was it was not so fully intervening the contents of the device. And it was, let’s say, a little more easier to detect than the Pegasus. So with this little frame of some technical or not technical features of this tool, we’ll have to we would like to address some ideas which we understand that SAC is very closely to the pressing status of the for the Pegasus a related situation.
First, we understand that it again, we have to stress the neverending bridge between the velocity of technology development and the velocity of regulation to control technical possible in the sale by products of this technology. It’s we all know we live in a world in which in which technology takes a pace which is almost impossible to follow by the authorities, by police and their intelligence agencies. And that’s posed as serious trouble in order to prevent or address the problems caused by caused by these devices and this. Or to say best this software and these tools. Second important idea I now repeating is the failure or not, but maybe not the failure, but the lack of the EU a possibility to intervene, ex-ante or ex-post on the national security issues of member states. And that’s, as you already know, that connects with the Article four, paragraph two of the Treaty of European Union, which mainly leaves the MOD all the matters referred to national security on the hands of any member state. It literally says that national security remains the sole responsibility of each member state. So that posts some frictions in order to try to prevent or regulate or enforce some laws issued within the European within the European Union. Following next big idea as a kind of remedy to the rule of non-intervention. Member states mostly share certain principles for wire tapping or intercepting communication or data flows. I think it’s almost the same for the main part of the countries of Europe. But, but it’s not exactly the same just to have a very brief a very brief reference being speaking in order to have a court authorisation, a court permission to intercept or intervene, some device affecting communications as far as it affects privacy rights, it’s in need of the evidencing of the necessity this intervention should have is necessary and affected by proportionality, exceptionality, suitability and speciality. And, of course, last but not least, this intervention, this wiretapping, this foreign intervention, always controlled by the judges, a should be set with the maximum duration. We said three months in with extensions in I’m referring to Spain.
Okay. So there are some cases in which the interception of communications so this kind of breach of privacy should or can be done without the intervention, without the order of a of a court of a judge. But even in that in those very, very exceptional cases is very important that the court making or carrying out the investigation, which it is obliged to control the previous interception of this communication. So. With this kind of restrictions in mind. Can we can we can see the Pegasus or the like tools can attach to those restrictions? Here we have to our understanding we have two different views in. In Europe the European data protection supervisor thinks that that’s not possible because of the features presented by Pegasus. We will enter into that very briefly in a moment as the fourth big idea. In Europe, we have a control of dual use products, including cyber surveillance products, which are subject to the export control legislation. But we haven’t got any pretty similar legislation to control imports. So let’s say that we European state members, we are kind of protecting third countries on the possibility of their governments receiving tools, very invasive or very intrusive. And for the for the affection of the of the communications. And we in Europe, we haven’t got this kind of export control which should prevent this the same thing happening in with it within Europe. That’s one of the well, another one of the of the points that the supervisor brings out in his report as a sixth idea. We will mention briefly the old controversy between security and business freedom. And we think that this is something to be addressed by with the use of citizen education. We know that all the electronic applications, mobile applications, no one of us read the terms and conditions. We should all do that. So we are very, let’s say, happily rendering or waiving up our rights in terms of privacy and security of communication to big companies. This is a point that we think should be addressed, which are to be ending, which are the main or couple of ideas regarding the use of intrusive hacking tools like Pegasus. We have this common, let’s say or let’s call it alibi from the state authorities. We use that to fight crime. That’s a dangerous but common statement. And just briefly, quoting the United Nations report, it’s a while purportedly being deployed for combating for combating terrorism and crime. Such spyware tools have often been used for legitimate reasons, including to clamp down on critical, on dissenting views and on those who express them, including journalists, opposition political figures and human rights defenders. Another very important idea if these tools were to be used, if the conclusion is that it can or should be used in some very exceptional cases, are there is a kind of a reliable last resort principle. And I will just quote again, the United Nations report, authorities should only electronically intrude on a personal device as a last resort to prevent or investigate this specific act amounting to a serious threat to national security or a specific, serious crime. So let me end just by saying that we perceive a kind of not like we can say, a contradiction between the positions of the commission and the position of the of the supervisor of the European Data Protection Supervisor with regards to what to do. The Commission considers that they cannot the board cannot intervene in this issues because its effect is affecting national security issues. On the other hand, the supervisor considers that a full ban of these tools should be forced. So I think that opens a lot of discussion and we have the open to comment after that. Thank you very much.
Jeroen Lenaers (Chair): Well, thank you very much for your for your presentation. And I think. Indeed. I think from this committee, nobody really agrees with the European Commission that this is a matter of national security, because we very much view it as a as a rule of law issue, especially given the fact that this kind of spyware has been used against activists, journalists, opposition politicians, prosecutors, judges, etc., so far. Well, I think that the European Commission is now slowly but surely embarking on a path where they also recognise that should we keep an eye on that? But many of the issues you mentioned, whether it’s on import export controls, whether it’s about last resort principles, are all very much also part of our debate. So I’m sure there’ll be many questions on that.
Before we do that, though, we move to our second guest of today who’s remotely connected. Mr. Jesper Lund, who was the chairman of IT-Pol, which is the I.T. Political Association of Denmark. It’s a Danish digital rights organisation that works to promote privacy and freedom in the Information Society. Thank you very much for joining us, Mr. Lund. And you also have 10 minutes to make your presentation. Thank you.
Jesper Lund (Chairman of IT-Pol, member of EDRi): Dear Members of the Pega Committee. Thank you for inviting me to speak about spyware and ePrivacy today. European Digital Rights is a network of civil society organisations that work to defend and advance its rights across Europe. I’m chairman of the Danish Member IT-pol and representing EDRi today.
In my intervention, I will first consider whether the existing privacy framework offers legal protection against spyware. Secondly, I will suggest possible ways forward for improving the legal protection against spyware by other instruments of EU law.
The main instrument to protect confidentiality of communications are in general. In EU law is, of course, the e-Privacy Directive. We are still waiting for the ePrivacy regulation to be adopted, even though the proposal was presented in January 2017, almost six years ago. The ePrivacy Directive applies first and foremost to providers of property developer communication services, and the Directive protects confidentiality of communications by requiring service providers to delete or anonymize communications, content and metadata after transmission of the communication. This is a main rule, with some limited exceptions. The Court of Justice has interpreted the Privacy Directive in a number of cases about national data retention doors and access to store data by public authorities. A common aspect of the cases decided so far is that the national laws in question impose obligations on private service providers to either retain data or disclose data to public authorities. Since these measures require processing by service providers, they constitute restrictions of the rights and obligations provided for by the Privacy Directive. The restrictions in question must, in national law must satisfy the conditions of Article 15, Paragraph one of the Privacy Directive interpreted in that of the Charter, including in particular Article 52. So this has the effect of bringing national laws within the scope of the Privacy Directive and hence EU law, even if the purpose of national law is safeguarding national security, which is noteworthy in this particular case. Member States cannot circumvent the protection under EU law by invoking broad definitions of national security. However, and this is important to emphasise the critical connexion here to the Privacy Directive is the processing obligation for service providers in paragraph 103 of the electronic. Asserting that ruling from October 2020, the Court of Justice specifically states that if Member States derogate from the protection of the township’s communications without imposing obligations on service providers, the protection of personal data is not covered by the Privacy Directive. In that case, it is only covered by national law, possibly subject to application after Law Enforcement Data Protection Directive.
I will now turn to the question of whether the e-privacy directive and the associated control from the Court of Justice is applicable to national laws on deployment of spyware by either law enforcement or intelligence services. So the first thing to note here is that spyware such as Pegasus from NSO Group is deployed by exploiting software vulnerabilities on the devices, for example, smartphones after persons targeted by this intrusive surveillance measure. To put it bluntly, by hacking their devices, the interference with the device is done without sorry. That interference with the device is done either directly by state authorities or with the assistance of a spyware winter such as NSO. In terms of the priority directive, the spyware vendors, architect providers of electronic communications services, and since the deployment of spyware is done entirely without any processing by a provider covered by the Privacy Directive. The case law of the Court of Justice would suggest that the Privacy Directive does not apply to the processing of personal data in this case involving spyware deployment.
However, there are other factual differences between the determined spyware and the cases considered by the Court of Justice so far. This creates an alternative connexion to the Privacy Directive, which does not require processing by providers of electronic communications services. Article five three of the Privacy Directive protects the user’s terminal equipment against interference, and the definition of terminal equipment also covers smartphone devices, often referred to as the cookie law. The storing of information or gaining access to already starting permission in the user’s terminal equipment is only endowed with the consent of the end user. The only exception to consent is if the processing is strictly necessary for an information society service explicitly requested by the user. The important thing here is that, unlike other provisions of the Privacy Directive, the scope of Article five free is not limited to providers of electronic communication services. It applies more broadly since turning to spyware, since the conditions in Article five free are clearly not satisfied for the deployment of spyware. It could be argued that the deployment constitutes a restriction of the right to protection of term equipment afforded by the Privacy Directive, and that this restriction is subject again to Article five sorry, article 15, paragraph one of the Privacy Directive. This would put national laws on spyware within the scope of the Privacy Directive similar to national data retention laws. So that’s sort of one argument in favour and one argument against the ePrivacy directive applying.
And very interestingly, there is a case pending before the Court of Justice which could perhaps resolve the legal uncertainty about the applicability of the Privacy Directive to spyware. The case number of 548 slash 21 from Austria is about extracting information from a mobile device with physical access. So not entirely the same as deployment of spyware, but the case is still similar in terms of the possible interference with a user’s German equipment and in particular the lack of processing obligations for service providers.
Besides the e-Privacy Directive, deployment of spyware could of course be regulated in EU law in other ways. And the first to consider here is the hopefully future e-privacy regulation, as the text currently stands with Parliament and council positions in trilogue negotiations. The Privacy Directive will have largely the same scope as the current Directive. This also means the same limitations with regard to possible protection against spyware.
Another option to consider is the recent proposal for the European European Media Freedom Act, which takes a much more direct approach to regulating deployment of spyware by member states. Article four of the proposal creates rights for media service providers, which include protection against deployment of spyware, though with some exceptions for member states. These exceptions, in my opinion, are rather broad and deep, basically so much discretion for Member States that the protection could easily be undermined. However, this part of the proposal could and should be strengthened with amendments and is starting to show us a way forward.
A similar and preferably stronger protection of the challenge of communications against a criminal spyware could be extended to all individuals in the European Union in a future data city proposal, and I will conclude my intervention by highlighting two reasons for the importance of having effective protection against spyware in EU law.
The first reason is the abuses of Pegasus and of the spyware uncovered by the investigations of civil society organisations, journalists and the work of this committee. National laws of Member States to simply not provide adequate protection and safeguards. EU law should address this and uphold the protection of fundamental rights.
The second reason is to counterbalance the increased information exchange between Member States in power facilitated by your door and EU agencies. The recently amended European Regulation allows Europol to receive and analyse large data sets from Member States for possible distribution to other Member States. Large data sets in this condition can include electronic communications data obtained from power collection operations involving spyware. The Encrochat investigation is an example of that. Unlike traditional wires having off telephone services, spyware can be easily deployed across national borders. This means that protection against spyware in national law can easily be undermined if other member states can deploy spyware, especially if done in an indiscriminate manner, and then share the information obtained through Europol or other channels to prevent a race to the bottom for fundamental rights. EU law should therefore set minimum legal standards for the deployment of spyware by member states. The Italy Position Paper on encryption, published last Friday on Encryption Day, offers concrete proposals on how state hacking, as we prefer to call it, can be regulated. This concludes my intervention. I thank you for your attention and look forward to your questions.
Jeroen Lenaers (Chair): Thank you. Thank you very much, Mr. Lund, for your presentation. Also for putting some homework on our table with regards to the legislative files that this Parliament is already working on or will start working on very soon. I think that’s very helpful. Maybe also and this also goes for Mr Vallejo. If there are any written notes of your interventions available and if you would be willing to share them with us, that would be very helpful because there was a lot of information there and it would be good if we could read it back in, in in due time as well.
Now I turn to our third speaker, Mr Wojciech Klicki who is a lawyer representing the Panoptykon Foundation, which was established in April 2009 upon the initiative of a group of engaged lawyers to express their opposition to surveillance. Their mission is to protect fundamental rights and freedoms in the context of fast changing technologies and growing surveillance. So I would pass the floor for 10 minutes as well to Mr. Klicki, and I would also ask the members in the room who would like to participate in the Q&A session afterwards already indicated their willingness. We can make the speaker’s list. You have the floor for 10 minutes, Mr. Klicki.
Wojciech Klicki (Lawyer, Panoptykon Foundation): Members of the committee, thank you very much for inviting me here to speak. The use of spying technology against European citizens is of course, a huge challenge, particularly when it comes to private life law and the whole Democratic procedure. And so the work that you do as a parliamentary committee is particularly important here.
I’d like to start my presentation by saying a few words about the Polish context, particularly in light of the fact that this is a situation that I know best, but also some of the challenges facing both your committee and Europe as a whole. And then I’d like to set out some of the actions that I believe the commission could take.
Now, just to give you a bit of context and set out the scope of the challenge you’re facing, I’d like to tell you about Poland very briefly, because I think it’s a good starting point to look at some of the changes that we need. Currently in Poland. Certain European provisions are not covered by Polish law and nor is European Court of Justice case law. For instance, when it comes to protection of private life, there are certain provisions that exist when it comes to protection of personal data. This is a directive that is poorly implemented in Poland, if at all. There are some individual freedoms that are restricted in light of national security, but there are other areas that are totally excluded from this. The Central Bureau of the Anti-Corruption Bureau. The CPA has actually used the Pegasus software. For proper implementation of the Law Enforcement Directive. The European Data Protection Officer has actually quoted this example. The is another example that I think should draw your attention. Polish legislators. Ignores law coming from the Court of Justice when it comes to online confidentiality. So the Polish courts actually set out the authorities under which Polish authorities can have access to this type of data. At the same time, the courts say that. You can’t have a general ban on holding data. Whereas that is not in line with what is said by the Court of Justice. There is no control when it comes to access to data in Poland and there are no exclusions exemptions. So that’s briefly about Poland. I think it’s also important to look at what was ruled on by the Court of Justice last month. There were a number of cases against Poland. I was actually involved in these cases and the Court of Human Rights’ ruling. We’ll have to look at what Poland is doing and will have to either amend or develop its guidelines when it comes to state surveillance. We’ve seen this in cases against Russia, for example, and also Hungary.
I would like to also in my presentation speak briefly about the use of Pegasus and other spine, which are going to require both a national and European response at national level. We’re going to have to create some kind of special intelligence services which will be properly supervised by courts or appropriate bodies. And it’s also important to keep in mind that both the Court of Human Rights and the Court of Justice say that there should be mechanisms that surveillance authorities are subject to and that appeals should be possible in cases of abuses. I believe that what’s most important at European level is that we should be able to limit or at least take proper account of the challenges faced by national security. The Court of Justice is moving in the direction of saying that even though Member States may invoke the need to protect the state’s vital interests or national security. They must nonetheless provide for legal guarantees for peoples whose rights are infringed. And I would also like to say that this issue of national security as a criterion that can be used to limit the implementation of European law is also important when it comes to other fields of legislation, for example, artificial intelligence. So that was my first point.
Secondly, I believe it’s necessary to do everything possible to ensure that Member States are respecting the European legislation currently enforced. For example, the law enforcement directive when it comes to Poland. Furthermore, for a number of reasons, I believe that we need a regulation, not a directive, but a regulation on online security and protection. And this should be worded in such a way. That will ensure that surveillance of private communications and so forth can be done in line with most recent rulings from the courts, which say that the Charter of Fundamental Rights have to be respected. Fourthly, I believe that individual rights have to be strengthened in criminal law. Criminal law proceedings should not be using tools such as Pegasus. And here I would just mention the role of the European data protection officer who, based on the European treaties, has said that the EU could adopt minimal legislation when it comes to the rights of individuals in criminal proceedings, including when it comes to admitting admissibility of evidence. And so the question of admissibility of evidence obtained through the use of Pegasus is one that will have to be looked at. And then when it comes to the question of tools such as Pegasus and spyware in general, it’s part of a broader debate on the rule of law, independence of the justice system, the media. This is all linked to the use of Pegasus. There’s a lack of proper scrutiny when it comes to the application of certain tools. And it will never be properly affected. Effective, sorry. Unless there are independent and impartial courts, the rule of law crisis should be seen as a priority and should be seen in close link with spyware and the use of this type of software. Thank you very much. And I’m open to any questions you may have.
Jeroen Lenaers (Chair): Yes, thank you. Thank you very much. I’ll jump immediately into the question and answers with the members. We’ll take them. One question per member and then we’ll give all the panellists the opportunity to answer. I start with Bartosz Arłukowicz.
Bartosz Adam Arłukowicz (European People’s Party): Thank you very much. Thank you very much, Chair. I have a question for Mr. Klicki. Well, I have a number of questions, in fact. Your foundation, your organisation. It looked at the situation in Poland and in Europe. But I would just like to ask, do you know, have you heard of any legal proceedings? Were people responsible for terrorist acts or someone who has broken the law? Has been brought to court on the basis of information obtained through Pegasus. Are you aware of any case like that in Europe or in Poland? That would be my first question.
Secondly, again, on Poland. In Poland, Pegasus was used to spy on Jafta Frazer, who was head of the opposition’s election campaign. Do you believe that the use of Pegasus of Poland against lawyers and politicians, public prosecutors, magistrates? Could all of this have an impact on the results of the elections? Particularly European elections. Could this mass surveillance have any influence on the parliamentary elections and the European parliamentary elections?
And then thirdly. The fact that you can, for example, insert data into the person’s telephone. You could include a criminal paedophile images, for example. So could Pegasus have an impact on the way in which sentences are handed down based on information that had been created, fabricated and put on their phones through the use of Pegasus?
Jeroen Lenaers (Chair): There are three concrete questions to Mr. Klicki, but I think in general, especially the second and the third question is also very relevant in the broader context. I will also ask the other panellists to respond to that. But first, Mr. Klicki.
Wojciech Klicki (Lawyer, Panoptykon Foundation): Thank you for those questions. Firstly, have there been any sentences that have been ruled based on information obtained through the use of Pegasus? While this is a question being asked by all experts and there are a lot of discussions about this topic, personally I’m not aware of any such cases. Defence lawyers and other people who I’ve spoken to don’t have any information of this nature. However, to be quite honest, I do have to say that. People who have committed crimes or have been. Sentenced might not be aware of it. It could be possible that that lawyers don’t know that the tool has also been used, for instance, to monitor discussions or some proof could have been obtained through the use of Pegasus without people knowing. When it comes to Senator Brejzer, who was the former head of the main opposition parties election campaign, and what impact the use of spyware may have on elections. Well. Of course, I can’t give you a clear, unambiguous answer. The government governing party has acted. But was it based directly on information obtained through surveillance of Mr. Brejzer? For example, we know that he was indicted based on some information that was obtained through Pegasus. How much of an impact did that have on the elections as a whole? Well, it’s very difficult to say. Of course, we have to remember who the crime benefits, who could have drawn benefit from this if we know that information obtained through his phone could have been exploited and used by the governing party, then of course, we have to imagine that that would have had an impact on the elections. But if, again, this is not just about a protection of individual data, but also protection for the democratic process as a whole, then what about fabricated evidence or evidence that’s been installed through Pegasus operators on telephones? Again. I don’t know if any judges have handed down sentences based on this type of information introduced through Pegasus. I can’t say. I don’t know if this type of manipulation has taken place or if data has been put on people’s phones. But there is information available about. These types of tools been used to manipulate data and to compromise people. This has happened in India. I believe there have been two cases at least where this type of manipulation has happened and has been detected. Now, of course, it’s very difficult to clearly establish that certain material was fabricated or introduced through spyware. But there were a couple of cases where the those responsible, committed errors. What they include of the metadata in the fabricated data. So the documents were on the phone, but they were never opened or edited on that phone. So it couldn’t be used as evidence when trying someone.
Jeroen Lenaers (Chair): Do you also want to reply to the broader question on democracy, elections and the use of this kind of spyware.
Ángel Vallejo (Head of Institutional Relations THIBER): On the possible influence it could have on democratic processes. We know that in Spain, for example. They’ve raised the issue of potential contamination of certain electoral procedures and a certain influence. And that influence would. Based on. Potential surveillance carried out through spyware tools. We know that in Spain at the moment, there are certain investigations underway on this. But as far as I know, there hasn’t been any there haven’t been any rulings yet on this.
And then on the question about sentences, rulings not in the election procedure, but criminal proceedings. The criminal system in Spain is such that the prosecution has to establish both the source and origin of any evidence and when it was intercepted. If interception or a detection hasn’t been authorised by a judge or by a court or a judge investigating a specific crime. In about 99% of cases, then this evidence will be ruled inadmissible. And also if a court discovers that the source of some kind of evidence is obtained through Pegasus or another type of spyware, spyware software. It’s likely that. Again, this information will be deemed inadmissible. And particularly when it comes to handing down a sentence. So if it’s clear that information obtained through Pegasus or spyware tools has been used in a court, it’s likely that this will be taken out. It will not be admitted into the criminal proceedings.
Jeroen Lenaers (Chair): Thank you, Mr. Lund, if you would also like to add to this, but if so, you have the floor.
Jesper Lund (Chairman of IT-Pol, member of EDRi): Yes. Thank you. I would like to comment briefly on the topic of notification, which was raised by the by the question and in particular in relation to spyware. How does the person concerned become aware that he or she has been subjected to this intrusive surveillance measure, in particular, if there isn’t a criminal trial where information from the devices is introduced as evidence. And this is a situation where it would be really useful if the privacy directive also applied to the deployment of spyware, because the case law from the Court of Justice is very clear. There must be notification of the person concerned in all cases. So even if there isn’t a criminal trial in order to exercise the rights under the Charter of Fundamental Rights, including the right to an effective remedy, there must be a notification of the data subject. And if EU law does not apply to this case in principle, there is a similar requirement in a similar right to an effective remedy in Article 13 of the of the European Convention on Human Rights. But the case law from the European Court of Human Rights may give member states a greater a margin of appreciation as to not notifying the person concerned by the measure. But it’s and I think it’s a critical issue for the prime minister fibre, because this situation is different from traditional interception methods that no service provider who can perhaps insist on notification on behalf of the person concerned. So ideally of this should be ensured through improved oversight to ensure that notification is made in all cases. Thank you.
Jeroen Lenaers (Chair): Yes. Thank you. That’s a very, very useful addition. Thank you so much, Mr. Lund. Mr. López Aguilar.
Juan Fernando López Aguilar (Socialists and Democrats): Yeah. Thank you, Chair. My question also goes to Mr. Klicki, a Polish lawyer, a specialist on the legal aspect, on the legal dimension of this whole thing. Because the point I would like to raise is, yes, all legal systems are carefully designed to resist a certain level of non-compliance, a certain level of violation of its legal standards. Of its legal rules. But a certain level. A certain level. So it’s a matter of legal analysis to set the line in which a level of violation brings about a crisis, not only of efficacy, of efficiency of that legal system, but also credibility and legitimacy. And the narrative I heard from the Polish case. Wow, wow. That is something I’m mean non-compliance with the rulings of the European Court of Justice, non-compliance with the rulings of the European Court of Human Rights, and non-compliance with the rulings of the judicial system from within because of the of the experience of the big spyware. But the point I would like to make is, according to your knowledge, Mr. Glinski as legal analyst, expert on the matter. Have you have you taken a look to the comparative standards which are available throughout the European Union Member States landscape? Because there are some member states in which, yes, there are specific provisions. To offer ice. The interception of the confidentiality of data and private communications. Yes. Under judicial authorisation? Yes. With the legal mandate of eliminating all content. All data. Which have been intercepted, which have nothing to do with the subject matter of the criminal investigation. Of course, on very specific grounds, under justification, under motivation of the judicial resolution authorising it. And yet, more than that, there are also legal standards for exerting parliamentary scrutiny on the way those tools are actually used, the way those legal provisions are actually implemented. Is there any such thing as a as a as a reference in the in the comparative legal analysis by which we may assume that that kind of a spyware is not actually incompatible with the standard? Of protection, of confidentiality of data and private communications of the European Union, which is the highest in the world. The Charter of Fundamental Rights. Data Protection Regulation, law enforcement directive, the highest standard in the world, which is violated in such a manner by this by this spyware. The point I’m making, according to your view, is it compatible with the EU standard protecting the confidentiality of data or not? Because maybe we can conclude that if it’s incompatible, the only thing we can do is to rule out, to wipe it off, to make it illegal. If there is some way of making it compatible, we should think of a regulation better than the one we have, which is the suggestion you made. I would like to see your views and of course, if there’s any other comment from the other panellist, I would also appreciate it. Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. López Aguilar and indeed, we’ll first pass the floor to Mr. Klicki for also the Polish context. But I think on the general question of compatibility, also very eager to listen to the other two speakers. So Mr. Klicki first and then we continue with the other two panellists. Mr. Klicki.
Wojciech Klicki (Lawyer, Panoptykon Foundation): Thank you for your question. I think that in each member state, there are certain tensions between the issue of protection of rights and freedoms of individuals. And the rise of the intelligence services and the police which possess more and more technology. Including Pegasus. The question on whether within the European Union there are examples of best practises. The best way to protect rights and liberties. Well, we could give examples of this. One example. In today’s meeting? Well, today’s meeting is an example. I heard a few minutes ago the situation in Spain. If I understand correctly, that the court checks if evidence has been obtained legally in Poland. The court can’t obtain this information. It may not know. What technology has been used to collect information by the services in the country. With regard to this, the solutions or inspiring examples? An example which you could take as a reference. Within the European Union. I think that we can best draw this type of comparison. Regarding the work of the agencies. They publish analyses. Showing is how all states of the Union. Provide guarantees. On protection of their citizens. Particularly concerning these risks we’re talking about. But in fact. Your role could be to standardise things. Regardless of standards it. Or other. Even if there are no standards we could inspire. We take inspiration from what he’s done in certain member states. It would be ideal for there to be standardisation. Of practises. So that. With regard to these standards and procedures, the European Union could come up with some mechanisms to apply minimum standards in all member states, but currently this doesn’t exist and the situation of Poland shows this. It shows that. Provisions which may provide sufficient protection. Well, these texts were simply not respected. And no one, not the European Commission nor any institution, has acted in an efficient way to change the situation. Thank you.
Jeroen Lenaers (Chair): …the general question of compatibility. You have the floor.
Jesper Lund (Chairman of IT-Pol, member of EDRi): Thank you. So the way spyware is currently deployed, especially Pegasus, that could potentially extract all possible kinds of information from your smartphone, which I agree with the Europe, the European data protection supervisor, that this is this is your entire life that is extracted. And this is likely to compromise the essence of the right to privacy, which means it is not permitted under European Union law. I also don’t think that as a member state in the European Union that has adequate legal protection and safeguards for deployment of spyware. So in the current situation, the right thing to do is a moratorium on the use of spyware in criminal investigations and national security intelligence. This is not to say that in the long run, proper safeguards can be developed. And I would again point to the encryption position paper that EDRi published last week where we actually set out 11 conditions for lawful use, the of government hacking, as we call it, on spyware in this case. And I would say one of them is ensuring that the information extracted is only what is relevant for the particular investigation at hand. So this cannot be ensured by technical means, because sort of by design, the technology would extract all possible kinds of information and all conversations from the from the smartphone. But it could be possible to have an a completely independent authority, say, a court that issues to the court order for photo to come to spyware. That that is the only entity that that receives the information and then feels that it is fair to say it and it is everything that is not relevant for the particular investigation that could that that is one of the 11 conditions in our position paper. And based on that and many other safeguards, including mandatory notification when it can no longer interfere with the investigation, could perhaps lead to a situation where spyware can’t be deployed in the rare situations where this is the option of last resort and absolutely critical for investigation of very serious crime or terrorism. Thank you.
Jeroen Lenaers (Chair): Thank you. Mr Vallejo, if you would like to add something as well.
Ángel Vallejo (Head of Institutional Relations THIBER): Thank you, Chairman. I would add two issues, one has to do with the concept. As mentioned by Jesper Lund. The supervisor considers that it is necessary to almost totally ban the use of these tools which can extract information on the people concerned. A less drastic option. As the rapporteur commented would be to take into account the intensity, in our opinion, the scale and the level of information that it’s able to extract. Theoretically, we think it’s incompatible with the standard for protection of privacy as it is. And probably with any sort of tool which is Pegasus would have an effect. An equivalent effect. If we want to go from a potential moratorium to a full ban. I felt to leave things off the air and confident in it that it’s just a tool, and if it shows correctly, then it could have positive effects. As the previous speaker said, there would be a third way or fourth way, which would be to reserve the use of tools such as Pegasus. And similar tools exclusively for the most serious crimes. And always. With authorisation right from the start by a judge. And here I am referring to the North American system. And the. P.S. The Foreign Intelligence Surveillance Act, which requires specialised judge. When the intervention is going to lead to interference in the information of the affected person. So the judge. There will be an independent court session and this would only be reserved for the most serious crimes under the North American system. Well, it’s had its pros and cons because it’s all in the hands of intelligence agencies. When we’re talking about this thought of two, we know that at least two undesirable effects. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Mr. Solé.
Jordi Solé (Greens): Thank you, Chairman. I have a question for each of the panellists. I will start with the question addressed to Mr. Klicki. So we are having this debate over whether the EU has competence or not to intervene somehow in the use or misuse of spyware tools in some member states under circumstances, as we have seen that seem to be find a way to have to receive any kind of justification within democratic societies. And in this sense, I would like to ask you whether you consider that the EU is falling short, not only addressing Member States, lack of independent investigation and remedies over the use of Pegasus, but also on addressing the infringements of the EU legal framework on data protection, especially the law enforcement directive, GDPR and eventually or potentially ePrivacy.
And then secondly, next question is to Mr. Lund. You have explained that that is legal and answer intended concerning the ePrivacy Directive, whether the current legislation protects against the use of spyware tools like Pegasus and the likes. You have put forward an argument in favour of that protection and one another against the protection according to the current current rules. So my question is what should be changed or improved in the current and ongoing negotiation to the new e-privacy regulation in order to make it an effective tool against the use of such spyware tools. But would be the necessary changes in the current legislation that we should see as the outcome of the current negotiation.
And finally to Mr. Vallejo. And for this I will switch into Spanish. It seemed and correct me if I’m wrong, that you were saying that in Spain, communication can be intercepted in specific exceptional cases without authorisation from the court. I would like to know. What are these cases? Can you give any examples? And if interceptions or spying with a political motive. As we know that there has been in Spain. Particularly with regard to the cattle and gate case, which some of us have been direct victims of. Would this come under these exceptions? We have the opportunity to explain. A few days ago, in the hearing of delegates, MEPs had been victims of spyware. A number of cases. And it seems that for. Uh, some of these cases had had legal authorisation and some hadn’t. So, I would like to know what these exceptions are. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much, Mr. Solé. We’ll take the questions in the order as they were asked and will start with Mr. Klicki on the EU competences and whether they are falling short on safeguarding those. Mr. Klicki.
Wojciech Klicki (Lawyer, Panoptykon Foundation): Thank you for your question. I’ll reply on a fairly broad level to also cover what was said by the previous speaker a few minutes ago. So here we are talking about maintaining the possibility to use tools such as Pegasus in situations which are very specific in the case of serious crimes. This is a bill we may leave open, which is quite dangerous. I can give you an example. A few days ago, the Polish Parliament was approving or looking at a legal proposal to broaden the definition of spying, which is a serious crime. But it was broadened to such a point that any communication of information to a foreign institution, such as your parliamentary committee where I am today, could be considered as a spying, which is a serious crime. The context concerning the rule of law and the impartiality of the court and of the intelligence services, the police, judges, etc., show that these are serious crimes. Can. Well, people who. And don’t have a criminal profile at all can be accused of these crimes. So I would respond to that. Yes. For me the use of Pegasus. In the broadest way possible is not subject to enough scrutiny in Poland. They should be taken very seriously by the EU bodies, and it’s an issue which is closely linked to the rule of law. Because for as long as we have even a possibility that these tools can be used in the electoral context. Well the results of elections in Poland will be subject to doubt. Were they for national or European elections?
Jeroen Lenaers (Chair): Mr Lund for the question on what should be improved in the ePrivacy, you have the floor.
Jesper Lund (Chairman of IT-Pol, member of EDRi): Thank you. So what I feel is speaking, if we want the privacy regulation to protect against crime of spyware, the most obvious way would be to clarify that the protection of the right to protection of the Internet equipment not just includes actions by commercial actors such as Google, placing cookies on your device, Wifi, tracking of your smartphone and so forth. But also deployment of spyware by commercial activity by governments, of course. And I think that’s sure that that could be done with fairly modest changes of the IP of the proposal and the positions of Parliament and council in trialogues. Although you’ll see what happens in trialogues, as you all know that the outcome is somewhere between the Parliament and council position. But even so there are some minor modifications of the recital for the interference with terminate equipment that may increase the probability of it. Also applying to spyware because the recital mentions the Charter of Fundamental Rights and the European Convention of Human Rights. And in another recital, so-called IMSI catchers for space stations used to exploit actually can be used to deploy spyware and wiretaps. Mobile communications are also mentioned as possible interferences. And this sort of takes us out of the normal commercial framework that at least characterises the current e-Privacy directive unless operations are imposed on service providers covered by the directive. And so the Privacy Future e-Privacy Regulation may applies where a wider set of interferences with the rights of privacy and data protection, including actions by governments deploying spyware. Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Lund. I fully share your frustration with trilogues. Life would be much easier if the Council would just adopt the Parliament’s position in all cases, but unfortunately it’s what we have to live with. Mr. Vallejo on the specific cases in Spain without court authorisation.
Ángel Vallejo (Head of Institutional Relations THIBER): Okay. Thanks for your question. Firstly, I’ll answer the first two things that were asked.
Firstly, in what cases does the law provide for interception of communications? Without prior authorisation by a judge. I am not sure I remember all the details, but I’ll try not to get it wrong. There’s a certain article in criminal law which establishes that very serious crime, and those which have to do with a physical harm to people constitutes an exception to the need for prior legal authorisation. But there’s a caveat to this. What is ruled out is prior legal authorisation. That is to say that. Just afterwards. This intervention must be approved by the judge investigating the case. If the investigating judge considers that the intervention was not necessary, then they cannot use any information obtained in this way. It has to be ruled out. So that’s with regard to the exception to your prior legal authorisation.
The second question. About whether spying or the interception of communication for political reasons. There’s nothing to do with legal authorisation here. Why? Well, because if spying is for political reasons, then it’s going to fall into the case of serious crimes, which could constitute a serious threat to life of persons. To sum up, if there’s a political motivation. Well, it’s not subject to this authorisation. Not. And for intelligence agencies? No. In any other case. That is to say that in all cases, it falls outside the scope of some of these interventions.
Jeroen Lenaers (Chair): Thank you very much, Ms Neumann.
Hannah Neumann (Greens):
Thank you, Mr. Chair, and thank you all speakers. And I think we are slowly approaching the heart of the subject matter. This committee, as well as many of journalists and researchers, have clearly established that we have seen a misuse of spyware outside the European Union, but also inside the European Union. And as the chair pointed out, at least here, we agree that this is an issue of fundamental rights and as such part of our legislative competence on EU level. We know that Member States buy a matter of self-declaration. I consider this to be an issue of national security interests. The issue now is, I mean, we can, as a European Parliament, together with the Commission, do some legislation on the subject matter to better regulate, for example, the use of spyware. But the Council so member states can just block it because they leave it and they block it and they leave it untouched. And we remain stuck in trilogue. So we are in a deadlock while spyware continues to be misused.
So my question to the experts now is how do we get out of this deadlock? Is there a way out? And what happens with the spyware in the meantime? Is it automatically put on hold? Because we clearly established it’s being misused and there is no legislative framework to solve it? Or can they continue to use it? I mean, how do we deal with it from a legal matter? Because if it’s blocked legally, there’s just so much we can do as politicians. So here I would very much like to get your advice, I mean, if possible, on how we can make them stop using the spyware until we sorted out the legal mess.
Jeroen Lenaers (Chair): Thank you very much. Let’s start with the reverse order now, Mr. Vallejo, if you’d like to respond.
Ángel Vallejo (Head of Institutional Relations THIBER): Thank you for your question. I think that the key to everything we’re talking about is what you just said. In our opinion, the regulations that we have at European level. It’s enough to stop the use of these tools. That’s in general terms. For the motives. Stated by the data protection supervisor in any case. We have to encourage new legislation to perhaps add more levels of procedures. We need to know what the current legislation is to see if it can be banned which is the most extreme case. Or if there can be a moratorium on it. Something very concrete is the possibility or the scope of the action that the Pegasus two allows. It could be Pegasus or something with a different name. So the scope of the interception that this allowed may go against or. Go get the principals if and certainly you principals. So the argument that it’s just the truth and that it’s correct to use. Shouldn’t breach regulations is probably wishful thinking. Anything is possible. It could be used for good or ill. But. We know that these tools provide scope for actions. Which easier. In this case. And so. If new legislation could perhaps lead to a moratorium or a complete ban.
Jeroen Lenaers (Chair): Thank you, Mr Lund.
Jesper Lund (Chairman of IT-Pol, member of EDRi): Thank you. So in terms of legal avenues, if the European Union is not able to agree on legislation blocking this, sort of banning this throughout Europe, I mean, similar proposals could be adopted in individual member states. At least in theory, there might be the same opposition. Of course, individuals could also to actually take action before the European Court of Human Rights cases have been brought to the European to the European Court of Human Rights. A recent one in Bulgaria with the judgement in January, I think, where people essentially complained that they had no effective remedies against secret surveillance. And certainly the kind of spyware fits that even more accurately than traditional wiretapping of telephone services. These are both of these avenues are slow processes. So what might stop this or slow down the use of spyware in sort of short to medium term, I think is simply better technical protection for our devices, device manufacturers and especially software developers of the of the operating systems. And the services running on our devices should have better protection against spyware. I’m sure you have heard testimony from some of these companies before this committee. And there is a genuine interest for an agreement between them and their users that the protection against spyware should be as good as possible. Yes, this is used by governments for illicit purposes. The same software will not be IP, it can also be used for criminals. So it is really in everybody’s interest to a to protect that. What can be done there sort of at the political level is ensuring that governments and intelligence services, other government agencies do not stockpile vulnerabilities, but make them available to start for the developers and device manufacturers as soon as possible so that they can be fixed and people can be protected. And this will not completely stop the use of spyware, but it will certainly drive up the cost of finding new product, build up to this and make department of spyware more expensive, which usually has a way of ensuring proportionality in sometimes in similar ways to it took the way that the way that courts can do it. And these are just a couple of suggestions from my side.
Jeroen Lenaers (Chair): Thank you very much. And Mr. Klicki.
Wojciech Klicki (Lawyer, Panoptykon Foundation): Thank you very much indeed for your question. Indeed, you’re absolutely right. It’s very much a key issue. Indeed, it goes right to the heart of the problem. We do need to look at how we can improve enforcement. The member states may be making recommendations, but it falls down at the stage of enforcement. I’d have to say I quite agree with many of the points that have been made by the members today. It’s perfectly possible to carry out umpteen investigations. It’s possible to bring courts as possible to bring cases before the national courts and before the European Court of Human Rights. People who have been victims of phone surveillance or wiretapping can do this. But whether or not they will get any satisfaction when the case is finally resolved is a completely different question. So I think that we could be really witnessing a bit of an arms race here. It’s not just a question of technology. If you have the law, you need to enforce it. The laws are only as good as the enforcement, and without the law and the requisite tools, we won’t be able to. Scale back, let alone eliminate wiretapping and phone surveillance and all these other breaches of fundamental rights. So really, it’s a question of enforcement and ensuring that human rights, that individual rights and freedoms which are protected through these mechanisms of the rule of law are actually protected in the way that law intended. Thank you.
Juan Ignacio Zoido Álvarez (European People’s Party): Thank you very much. I’d like to thank the experts, and I have to apologise to you that I had to be present in other committees. Therefore, I’ve not actually been able to hear the full presentations. But luckily my assistants have been and my colleagues have been following the entire hearing and they’ve kept me up to date. I think it’s very important for us to look at these issues. We’ve got to give people more rights to assert their rights in the case of the of surveillance and phone tapping, especially if it’s practised by a private company. There. This is really an integral part of the social contract which we have with our society, and we therefore have to ensure that we can implement it. We have to ensure that companies are operating for the best interests and in the best interests of their citizens. So there’s much that we need to look at here. We’re really talking about the rule of law, about judicial scrutiny, about international law, which should have a binding status and should be enforced. The. The points were made by and by Leo about the need to ensure that we have effective tools and that the force is really very valid. I think we have to act upon that as quickly as we possibly can and we’ve also to realise that, yes, there are questions of national security at stake, but the European Union has very real powers here and it really ought to be regulating this as effectively as it possibly can and ensuring enforcement, too. Thank you.
Ángel Vallejo (Head of Institutional Relations THIBER): Thank you very much for your points and your questions. What I would say is this. First of all, whether there’s a need for any new legislation. And whether that is really what we need to tackle Pegasus and all the implications that flow from it. First of all, I’d have to say I don’t actually think so. But let me expand on that a bit. The reality is that we have law in place. If it is enforced effectively to be enforced effectively, it has to be enforced to the ultimate. It has to go through all the tribunals and courts to the highest level. And I think often this is not possible. This has not happened. There’s a tendency for us to think that more regulation is the solution, and we sometimes make the regulations even more complicated. And that actually masks what the real problem is. And often the real problem is enforcing the rights that you have. Sometimes the legislation in itself would actually be adequate for people to invoke the right to take them to court and to be vindicated at the appropriate time in the appropriate jurisdiction. In terms of the national jurisdictions. I think that Article four two of the Treaty on the Functioning of the European Union does clearly say in terms of national security, that it’s in the purview, within the exclusive purview competence of the Member States. Therefore. What we might envisage would not be complicating this by trying to superimpose some level of European legislation here. This would not be the appropriate way to address this problem in the slightest. And just in conclusion, I would add to this that given the current debate about the treaty. We need to ensure that we. Don’t tread into the area of national security because it’s not within the confidence of the EU. Certainly not at the moment. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much. I’ll just add a couple of questions of myself and then the other two speakers can also maybe reflect on the on the wider context of the question of Mr. Zoido. And then also, please feel free to me to make any concluding remarks the role in the previous contribution of Mr. Lund. You spoke about stockpiling of vulnerabilities, which is something we’ve discussed on several occasions already. Do you think sort of making an end to stockpiling of vulnerabilities that something like that is feasible with European wide legislation, or would we need other instruments for that? How do you see in that regard also the trade in vulnerabilities? Is there something we can do to regulate that? And the same goes for minimum standards. And you say that we need to protect our technology better. Do you think there is any value in having sort of minimum standards for technological applications, both in terms of software and hardware? Then a second question is it’s not, of course, only a European issue. And we talk a lot about European legislation, which might be very helpful in in addressing the situation in Europe. But it’s very much a global issue. And is there any way we can do it? At the at the global level? We’ve spoken about the Wassenaar Agreement on a number of occasions. What would need to be done in that regard to not only address this in in Europe, but also globally? And is there a risk that if we adopt certain legislation in the European Union, but not outside the European Union, that we don’t solve the issue, but we simply move it to outside of the EU. And then I had two more questions. One, we spoke a lot about judges, national courts. Also, victims should address themselves some natural to national courts or the European court. The question is, of course, in the context of rule of law, issues in certain of our member states, is a procedure for a national court really a realistic scenario? And even if we have rules on judicial approval or judicial authorisation, is that really an appropriate checks and balance in the case of certain member states where we see huge problems with independence of the judiciary? And then last question. We spoke a lot about victims as well. What is the legal standing also with the current regulations and laws of indirect victims? Just I mean, we spoke to Mr. Giertych from Poland. He was the lawyer also for Mr. Tusk. So by spying on Mr. Giertych, they could have also spied on the president of the European Council at that time, journalists who have been targeted, that might have been indirectly also been spying on their sources. We have here in the European Parliament a number of colleagues that were targeted, which means that either of us that were in conversation with these people could have been indirect victims of the use of this kind of spyware as well. So what is the legal context of such indirect victims of spyware? Let me maybe also take the reverse order. So we start with Mr. Klicki and then also feel free because we were running towards the end of our hearing at this part of a hearing to make any additional concluding remarks that you would like. Mr. Klicki, you have the floor.
Wojciech Klicki (Lawyer, Panoptykon Foundation):[beginning missing] …whether the courts have sufficient scrutiny in in Poland, for example, there is a real need to consider this because we have rules that govern the courts, of course, and we have rules on admissibility of evidence. So if evidence has been collected clearly through the deployment of Pegasus, it can't be deemed admissible in court. Having said that, although it's been unlawfully obtained, it can't be completely excluded from the consideration of her case because this evidence has been obtained through the commission of a crime. So there is an issue there as to what to do. We need to think about different types of surveillance and how they should be regulated in this in the Polish system. The judge will have all these questions referred to him or her but will ultimately have to make a decision and give a ruling. And we'll have to make a decision which resolves the case. And it will be based on. The need to. Ensure that there is ongoing scrutiny over the but the companies or the operators or the bodies which have allegedly been carrying out the wiretapping because they cannot possibly be allowed to continue this unhindered and scrutinised. So despite the evidence obtained being inadmissible because it was lawfully obtained, it is nevertheless something which has to be followed up separately because there is an issue of a criminal act. And of course, all of this is very relevant to the whole question of the independence of the judges and their ability to carry out their mandate. I would like to make a few further remarks, if I may. There are various members have spoken about the European law context within which we are operating. And of course, it is complex because if you look carefully at the court of justices case law. Then you would possibly infer that the court cannot. Intervene in the internal matters of a member state pertaining to national security because that is purely within its sovereignty. But at the same time, if this national sovereignty argument is adduced in defence of imposing obligations on a telecoms company and forcing it to do certain things, then the European Union absolutely should have the right to intervene. And it does have the right to intervene because it is entitled to act. On the way in which the intelligence services and the telecommunications companies operate. That is within the purview of the European Union. And this is where an information control. Body or an information scrutiny body could actually legitimately intervene. So there is this grey area, but there is one in the same time, very much a door which opens up an opportunity for the European Legislature and the European supervisory bodies to. Play an effective role. And. Require accountability. It is, of course, essential. To be able to have some comeback against those who are using Pegasus and other such programmes to obtain information unlawfully and to tamper with people's devices. And indeed, it is absolutely right that the European Union, because of the principles of fundamental rights, should provide adequate redress for individuals. And this is one of the most effective ways in which we can actually tackle the abuses which are going on, making sure that the victims do have absolutely cast iron guarantees of rights of redress and compensation. Jeroen Lenaers (Chair): Thank you. Thank you, Mr. Klicki. And we pass the floor to Mr. Lund.
Jesper Lund (Chairman of IT-Pol, member of EDRi): Thank you. On the question of stockpiling vulnerabilities. As I mentioned, this is important for ensuring that that vulnerabilities in software are fixed as soon as possible so that cybersecurity attacks, including spyware deployment, is made ideally not made possible. Let’s not buy it by exploiting these vulnerabilities. And I think there are very good cases to be made that governments should not stockpile this phone, such as vulnerabilities and these cases. These arguments are not just connected to fundamental rights that that we are discussing today, but also economic arguments, because cybersecurity attacks using software vulnerabilities is a huge cost for the for the I.T. security sector in the European Union. We have adopted the this directive followed by the in this too directive networking to maintain security directive in. And I’m sure that there’ll be more because this is a huge issue and something like the WannaCry ransomware that that was spreading a couple of years ago that was actually based on a structure and vulnerability stockpiled by the NSA and then leaked from the NSA to criminals and exploited by criminals for ransomware purposes. If there had been a responsible disclosure policy in place, the NSA’s would not have stockpiled this information but are informed in this case Microsoft, so that it could be fixed and these fixes could be implemented on unsecured I.T. systems throughout the world. And the second question is this. This is this is not an EU issue. It is a global issue. The Internet is a global space. But that is not to say that your actions or even your actions alone would be in vain because they depend about this, not start cutting businesses losses, but disclosing them to software vendors instead matters. It only needs it only requires a single, responsible government to disclose the information rather than stockpile it for the vulnerability to be fixed and everybody to be safe and protected, even against a rogue state that would never inform the software vendor after viability if I’d rather stockpile it and use it as well as cyber criminals, of course. So the more the better. But even if the European Union just did this on its own, it would have it would have an effect. And if we are also discussing a moratorium or partial moratorium on deployment of spyware, combined with the economic arguments in favour of not stockpiling vulnerabilities, but rather responsible disclosure and informing the staff about Windows, that would be a good start and it would be a good start for doing treaties with other responsible governments and the United States government in South Canada, I government in South America and Australia, so forth. Possibly even China might have an interest in this because China also has a huge sector that is threatened by, at this point the ABC. So it’s not entirely the same situation as Virginia where you’re sort of controlling the controlling information. That is always difficult. This is about making information available to software vendors so that security vulnerabilities can be fixed as soon as possible.
On my closing arguments, I would like to add, since the issue of international law was brought up in one of the last questions, I would like to mention that so that the deployment of spyware actually affects international law because it’s done across borders and in effect, member states that are deploying spyware in other member states or in other states are really taking actions on the territories of other states. And normally we would not accept this. So within the European Union, we have of measures on judicial cooperation where sometimes this is permissible but only in accordance with EU law. Otherwise it would be seen as a violation of state sovereignty. And in principle, this, in my opinion, is the same for deployment of spyware against persons on the territory of another state. So there are also international law issues to consider here.
And finally, my concluding remarks, the way forward, I think, is a mix of possible solutions, technical solutions. Improving cybersecurity practises, combined with responsible disclosure and not stockpiling vulnerabilities can do a lot. And we need to couple that with wherever possible, legal measures, ideally legislation at the European Union level protecting the confidentiality of communications against the kind of spyware which would also apply against national security, because that would be interfering with a right provided for by EU law and possibly in some Member States complaints to the European Court of Human Rights, which would be appropriate if the domestic legal framework is completely lacking safeguards against data from the spyware. Then it might be possible to take cases directly to the European Court of Human Rights. Thank you.
[01:44:12] Jeroen Lenaers (Chair): Thank you, Mr. Lund. Last but not least, Mr. Vallejo.
Ángel Vallejo (Head of Institutional Relations THIBER): Thank you. Re the questions.
Judicial independence, first of all. In principle. We consider this whole area to be more a political issue than one for experts. But we are clear about a number of points. If, for example. There is no real separation of powers between the executive and the judiciary. Then there is an issue which we would need to look at. We would be clear that if there isn’t. Proper judicial independence, then the government would have to resolve that. And if it’s not possible to have judicial intervention, which is independent, then there is a serious issue which has got to be resolved in order to provide a fair redress for potential victims. One of the members asked about redress for individual victims. Now there are rights to privacy which should be protected. And there are clearly direct victims of a breach of privacy, but not necessarily as yet an indirect victim of a breach of privacy. This is not something which so far has been identified. The person who’s being investigated or surveilled is the person who is a direct victim of the abuse. But there is not an indirect victim, and therefore there is no separate definition of that. In Spain, the victim of such a breach would actually have some. Direct address. The indirect victim to the extent that they existed, would have only indirect channels through which they could try to assert their rights because the breach of their rights has taken place indirectly through the medium of somebody else’s rights being breached.
Then ultimately, I think that sometimes people lose sight of a number of points, which is that the right to privacy is extremely relevant throughout many different aspects of life, and we have to look at it offline in the same way. So we have to look at it online. It’s much more than simply the violation of a law because it has a direct impact on the whole spirit and principle of the European Union and the principle of the rule of law. And if citizens feel that there is surveillance, which is not under any sort of control. Then they lose their faith and trust in the Constitution, in democracy, and in the principle of the rule of law. Because if they think that there is any type of surveillance going on with the connivance or even just condoned or the lack of knowledge of this of the state through inaction, then, for example, they start to lose faith in the state and they question things such as the free press, and there can be a real domino effect and that’s extremely worrying. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Mr. Vallejo, thank you very much, Mr. Lund and Mr. Klicki. It was a very, very informative and very substantive session this afternoon. You’ve given us a lot to digest also in the in the upcoming months of our work in this committee and as a parliament as a whole on some of the legislative files. So thank you very much for your contributions. Thank you for your willingness to exchange with us. It was very useful. And we hope that you will stay involved. You’ll be willing to stay involved in our investigation, in the work for the remainder of our mandate. Thank you. Thank you very much. This is very much appreciated.
Jeroen Lenaers (Chair): And we then move to the second panel of today. I invite Mr. Klabunde to make it to the podium. On the second panel today, we have two speakers, Mr. Ioannis Kouvakas, who is a senior legal officer and legal co-ordinator of Privacy International, a UK based registered charity that defends and promotes the right to privacy across the world. Mr. Kouvakas is with us remotely, so I immediately give you the floor for 10 minutes while Mr. Klabunde makes his way to the to the podium. Mr. Kouvakas, you have the floor for 10 minutes.
Ioannis Kouvakas (Senior Legal Officer and Legal Coordinator, Privacy International): Great. Thank you. Thank you very much. I also have a presentation I don’t know if it’s possible to be able to display at the same time.
Jeroen Lenaers (Chair): Yes. Mr. Kouvakas, we’re ready for you.
Ioannis Kouvakas (Senior Legal Officer and Legal Coordinator, Privacy International): Okay, great. So thank you very much for offering Privacy International the opportunity to give evidence before this committee for a second time. Privacy International or PI is a London based non-profit that researches and advocates globally against government and corporate abuse of data and technology. For years we have been tracking the surveillance industry, challenging unlawful surveillance before both national courts, as well as the European Court of Justice and the European Court of Human Rights.
My opening statement today I will first briefly touch on the obligations the Privacy Directive imposes on service providers and states, as well as the national security exemption. Second, I will try to explore the question whether the Directive can apply to the use of spyware by a member state authorities and accordingly trigger the applicability of the EU fundamental rights framework. Finally, I will provide a series of recommendations by Privacy International that seek to assist this committee in strengthening the rule of law and upholding the rights of millions of individuals in the EU. If we can move to the next slide, please.
First of all, what we refer to as ePrivacy is directive 2002/58, as we probably know, and its subsequent amendments which protect the confidentiality of communication and lays down rules regarding tracking and monitoring. The Directive should be considered as complementary to other EU laws concerning the protection of personal data, namely the data PR ePrivacy seeks to impose obligations for communication service providers to ensure the security of their services, while it also requires Member States to adopt laws that guarantee the confidentiality of communications. Accordingly, and measures taken by national authorities that allows them, for example, to access data held by communications service providers would limit the protection afforded by the Directive. Therefore, it would also constitute an interference with the rights to privacy as well as the right to the protection of personal data in certain cases. Next slide, please.
Article 15 of the directive indeed allows for such restrictions in the form of legislative measures that can be adopted by member states. These restrictions need to be tailored to specific aims, such as the prevention or detection of crime, for example. And they also need to meet certain criteria laid down by the Directive and more generally, EU human rights law, such as necessity and proportionality. This will also be the case even if the measures adopted by Member States pertain to national security purposes. A topic that has been already widely discussed in this committee, even though several member states, including Poland and Hungary, have in the past sought to exclude them from the ambit of EU law by relying on Article four, paragraph two of the Treaty of the European Union. They will still fall under the ambit of the directive. Next slide, please.
Recently, in a case brought by Privacy International, the Court of Justice clarified that national security measures imposing data retention obligations on service providers would still fall under the Privacy Directive because they would require the processing of data by service providers. According to the Court, the crucial element is whether Member States are imposing processing obligations on companies. In other words, in order for these companies to provide the data to government, they would have they would first have to process them under their directive obligations. And this confirms that EU law would still be applicable in this case before the data is transferred to the relevant governmental authorities, for example. This brings me to my second point, which is somewhat arcane but rather interesting. Could the Privacy Directive still be relevant when spyware tools are used by national authorities of member states? The crucial issue, according to the case law and as Mr. Lund flagged in his presentation earlier, seems to be the processing of data by service providers. Spyware, however, as we know, does not always require the involvement of providers of electronic communication services because they allow for remote real time access to terminal equipment, to the user, to the devices of users. Next slide, please.
Article five of the Privacy Directive, also known as the cookie provision, might help answer this question in the affirmative. Paragraph three of the article prohibits the storing of information. And perhaps more crucially, the access to information already stored on devices of users without their consent. So there could be perhaps an analogy that we could draw here to apply spyware even under this provision of the privacy directive. However, this approach has not been tested in court yet, and it will be interesting to see what stance the Court of Justice of the EU will follow in a preliminary question referred to it recently by an Austrian court. Additionally, we could perhaps take a theological interpretation of the directive in the rights it seeks to protect and argue that the deployment of spyware would somehow still involve the passive processing of communications service providers. As the device is infected with spyware, it would still be running on their networks. And as mentioned earlier, the directive requires providers to take all necessary measures to ensure security of their networks, which would therefore be a compromise through the deployment of the spyware tools. What further adds to this legal uncertainty is the fact that these rules are contained in the directive and not a regulation. This means that to a certain extent they are subject to member state discretion in how to transpose or enforce them. A similar situation was observed by Privacy International with regard to provisions mandating data retention in 2017. We surveyed the legislation of 21 EU member states on data retention and we examined their compliance with fundamental rights standards. Out of the 21 member states we examined. None was then found to be compliant with the standards set by the Court of Justice of the EU in two landmark judgements tailored to Watson and data rights Ireland. And this perhaps also answers the question posed by Mr. López Aguilar earlier on comparative standards. Nevertheless, it should be noted that regardless of the applicability of the Privacy Directive, the use of spyware by Member States might still be governed by other EU law instruments such as the Law Enforcement Directive or international human rights law, such as the European Convention on Human Rights, which were mentioned quite often already in this hearing, as well as the Convention on Noite. Spyware tools have an extremely intrusive nature and pose dangers for the security of both individuals as well as the Internet as a whole. We believe that their deployment violates the essence of the right to privacy and the protection of personal data, and thus sets the manner they may never be able to be compatible with human rights laws. Next slide, please.
Finally, with regard to what the EU should do, there are three recommendations that we urge you to adopt. First, it is vital that any new legal instruments that seek to protect the confidentiality of communications provide for robust guarantees and even more robust enforcement. Notably, any national security exemption must be strictly applied, especially when the rights of individuals are engaged in the context of mass surveillance or government hacking. To paraphrase the case law of the European Court of Human Rights, measures that seek to protect national security may undermine or even destroy democracy under the cloak of defending it. Moreover, this Parliament must refrain from adopting proposals that seek to undermine one of the best defences against surveillance and encryption by pursuing well-intentioned but flaws policies such as those contained in the European Commission’s proposal on combating child sexual abuse material. Second, proposals that seek to establish EU wide databases such as data retention must prioritise strong security to protect personal data. They must ensure that the collection of data is minimised and retained only for the shortest time necessary for the purpose. This is not only due to the several issues they raise with regard to their compatibility with human rights laws, but also due to the threats they present for the security of evidence data. Incidents like the WannaCry and not Petya. Cyber attacks stemmed from the exploitation of similar vulnerabilities and escalated to compromising European infrastructure operators in their areas of health, energy, transport, finance and telecoms. Third, the EU must mandate long term software support for connected devices. Our research has revealed how existing practises of device manufacturers around security updates failed to meet the expectations of the vast majority of consumers. At the moment, there are two important legislative proposals discussed in Parliament the Directive on empowering consumers and the EU Cyber Resilience Act. It is imperative that both these texts ensure that people’s devices do not become vulnerable to malicious third party attacks. In sum, I believe that this committee is presented with a unique opportunity to uphold the fundamental rights of millions of citizens. We are confident that it will live up to its challenging task and promote democracies where people are free to be human, both offline and online. Thank you for your attention and I am looking forward to your questions.
Jeroen Lenaers (Chair): Thank you very much. Mr. Kouvakas Thank you also for already referring to some of the questions from the earlier part of our hearing. That’s very, very helpful. And I invite Mr. Klabunde to do the same. You have 10 minutes to take the floor. You represent the Deutsche Vereinigung für Datenschutz, which is an independent civil rights association, have campaigns for data protection issues in Germany and in Europe. And I would ask the members who would like to participate in the Q&A session, too, to indicate so, so we can make the speaker list. Mr. Klabunde, you have the floor.
Achim Klabunde (Deutsche Vereinigung für Datenschutz e.V.): But I will speak in English, not in Dutch or German. Thank you, Mr. Chair. I’m here representing Deutsche Vereinigung für Datenschutz, which is an NGO of which I have been a member for a number of years. And I want to open by making a personal disclaimer, because I’m sure some of those watching this session have seen me here in this Parliament in a different role when I was working for the European Commission or the European Data Protection Supervisor, I am retired in the meantime, and I’m not going to refer to anything relating to my previous work, but exclusively to matters of my own research in a personal capacity. And of course in that office team, most expert colleagues from don’t have any room for definitions. Next slide, please.
And just to I think DVD hasn’t been so often present in the European Parliament. Please allow me to give a few words on this organisation. It’s a civil rights organisation. It would be under French terms it wouldn’t be or and for anything else under Winston, I suppose in terms it’s a non-profit finance exclusively by the contributions of its members and proceeds from its quarterly publication. Datenschutz News, here’s data protection news, which is unfortunately available only in German. It’s founded in 1977. So at the same time, when Germany received its first national data protection law and highlights of the organisation’s advocacy work, its participation in the German version of browser awards annually, and its cooperation with other European organisations in this field in the context of entry and other connexions. Next slide, please.
So I would like to not enter into a legal, deeper legal analysis also for the simple reason that I can fully endorse the contributions to this respect of mysterious balloon from Denmark, who was in the first panel and the very excellent presentation of two colleague from Privacy International we all just heard. I didn’t think I found a single point in these presentations which I couldn’t fully endorse. However, I would like to make a few remarks about the wider context of see a privacy directive as it is the current instrument. Just to remind, and I think this is quite important that the e-Privacy Directive is not only specialising and detailing the data protection reviews, but that it is the most important secondary law instrument implementing the fundamental right to privacy and to confidentiality of correspondence or communications, depending on whether you follow the wording of the European Convention on Human Rights by the Council of Europe on the wording of the European Union Charter of Fundamental Rights, Article seven. And of course, it acts within the context of the Treaties and treaty on the European Union and the Treaty on the Functioning of the European Union. And. Yes, I know that. You know, the e-privacy directive, which is still in force, pulls its definitions and some of its rules from originally Directive 9546 to the old data protection directive, which was like the sister of Privacy Directive, because the original laws both were proposed by the Commission in 1990. And as you see, that 95, 46 took five years to pass the legislative process. And the first predecessor of the Privacy Directive was Directive 9766. So it still took even seven years to come into law. So with the current legislative process now and it’s six this year of continuation, you can still beat the initial benchmark of adopting a instrument to ensure confidentiality of communication. So not all is lost, but both the parent instruments, as I used to call the Data Protection Directive and the Framework Directive from the Electronic Communications Framework, which is the other legal source of privacy definitions, have in the meantime been replaced by a new instrument. The data protection thereafter, as we all know, suggested by the GDR and also the electronic communications framework has been rewritten and is now mostly contained in the Directive establishing the European Electronic Communications Code. And so there was good reason to start the review and the new instrument for confidentiality of communications was the ePrivacy proposal in 2017. But the difficulty of coming to a conclusion between the European Parliament and the Council is of course very present in everybody’s mind here. However, what is particularly frustrating in this process is that still the co-legislators found. The time to cut into the substance of the Privacy Directive is due to the changes in the electronic communications framework. The scope of the services covered by the Privacy Directive increased with the entry into force of the CAC Directive, which meant that now services like email, which arguably was always covered, but also messenger services like those of a company which is currently trying to reinvent its name and service and type of service are now also covered. So and because these messaging services historically provided a different interpretation of confidentiality of communications and those used in the Privacy Directive, they got permission, Pfizer co-legislator to continue scanning the news that say transport in the context of combating child sexual abuse material, which was unfortunately the only element of a reaction of the change in the electronic communications framework, in the context of privacy, rather than moving ahead towards the comprehensive solution that is provided, we see a privacy regulation. I just noticed there was a typo on this slide. Next slide, please.
So. In order to find a position regarding the actions that this committee established to investigate and to put this in the context with the structures and elements of the ePrivacy Directive, I refer to a few keywords. The main one, of course, is the confidentiality of communications, which is not just a technicality, but it is a fundamental right in its own capacity. It’s in this effect. I mean, it’s the historically much older than the right to data protection. It’s basically here in Brussels. A historical reference is to you former railway station tunnel taxes, which was historically a nodal point in a non electronic communications network and network of transporting letters. And I heard and I haven’t investigated and researched this, but the fact that this service was operating under the instruction not to open every letter and read it, but to distribute it without taking knowledge of the content of the messages. Transferred was basically the reason for its great economical success, which is still reflected in historical sites like the former railway station. What I want to say here is that the fundamental right to secrecy of communications correspondence is not only a civil right, which enables all the other things like free speech and association and all the other things. But it is also a very, very important economic factor that it was the absence of confidential communications. Many businesses cannot operate, so it will also affect the economy. But anyway, this this fundamental right is already important for hundreds of years in Europe. We have. The elements of interference or tapping. And just to record here, that interference is not only the illegal listening or recording or whatever monitoring, taking knowledge of the content, but the interference may also lead to modifying the content of messages. My tribute to previous panel speakers in particular the colleague from Panoptykon, already mentioned that interference with devices always communications can also lead to creating false evidence and incriminating persons for things they never did. And so the integrity of devices is of a strong importance. And I think this is also a field where we see high risks. In Germany, at least, there is a strong debate about the management of vulnerabilities, which are a weak points in the electronic in the software of all hardware of communications devices, which may be used to create things like Pegasus or other spyware tools which are based on security holes which are often not intentionally but by by mistake. And I already mentioned the fundamental rights and important context in the context of national security is the rule of law, which is fundamental for the European Union and for democracy as such. And. The idea that a government or a national security service just decides what is national security and is not subject to any scrutiny, is, of course, incompatible with the concepts of democracy. Next slide, please.
So what I would ask you to do is, of course, to insist on adoption of a meaningful e-privacy regulation, not to give in to extreme lobby driven demands by national governments to allow for all kind of funny reasons to process communication data. Please stop to accept further exceptions from fundamental rights on doubtful grounds. Nobody is opposing the fight against child sexual abuse material, which we have just learnt in a different context in the video analysis that the basis for the claims that the measure might help this fight is just based on advertising of the provider. So that’s not the basis for a legal, I think, and insist on the technical integrity of networks and devices, of course, to see what in the information security framework can be done to avoid stockpiling of vulnerabilities. And the last point is something where I could congratulate the European Parliament because by saying governments must be held to account and in the field where judicial redress is difficult, parliamentary scrutiny is the means of doing this. And so in particular, in those countries where as a national parliament is not given the powers to scrutinise what national security services are doing, it is very important that this Parliament and this committee look into these matters to give at least some public scrutiny and some pressure on services that might otherwise think that they are entitled to impunity on the services. And next slide, please. Thank you for your attention and for the invitation.
Jeroen Lenaers (Chair): Thank you very much for the presentation. Thank you also for the encouragement of our work. Thank you very much for your hopeful outlook that we can still beat the previous adoption of the privacy regulation by even a year if we if we do our best. So thank you for the optimism. We move to the questions and the Q&A session of this hearing. And I pass the floor first to our rapporteur Sophia in’t Veld.
Sophie in ’t Veld (Renew): Thank you, Chair. And I would like to thank the speakers and also apologise to the previous speakers because I was really unable to attend the first part of the meeting as I had to chair a meeting somewhere else. A first question on the. The Article 15 of the ePrivacy directive, which is essentially a kind of, uh, exemption or exception to the rule. But if I remember correctly, the ECJ has ruled that, um, that does not mean that. When governments are using this exception, the Charter of Fundamental Rights still applies because they would say it does not apply because national security is strictly a national competence and therefore the Charter of Fundamental Rights doesn’t apply. But if I understood correctly, the ECJ has ruled that that is not correct, because when they are, for example, in the case of data retention, which is still difficult topic but also other programmes that may use Article 15, the judge should because they base himself from Article 16 or 15, they’re actually using the ePrivacy directive, which is EU law, and therefore the Charter of Fundamental Rights reply applies. And that would mean that not only data protection and the right to privacy apply, but also things like a right to a fair trial, for example. I would like to hear your views on that. Secondly, can you say something about unlike conventional wiretapping, the use of spyware doesn’t only concern communications and it doesn’t only concern real time communications, but it’s actually giving access retroactively to metadata, to messages, to documents, to images, to whatever, basically retroactively. Which also means that, for example, judicial authorisation loses its meaning because judicial authorisation for wiretapping is usually for a particular date from date. Today, for the next two months or so. But this is retro retroactive. So I would like to hear your views on that. Then I heard I don’t know if the other speakers are still here. I don’t believe so. But I heard the last speaker, Mr. Vallejo, say something which I, I don’t know if I understood correctly, but he basically said people who are part of the bycatch. In other words, they’re not the direct target, but the indirect target that they would have equal legal standing to the direct targets to go to court. That’s a very interesting premise, because I’m not aware that there is any such case, but I’ve been asking myself the question if that is if you’re, let’s say, your very close colleagues with, I don’t know, Mr. Androulakis or Mr. Solé, for example, you’ve been exchanging emails, working on documents together. Whatever you share videos, then you’re part of the bycatch. So even if you have not been targeted by the government of your or of that particular country, you could still go to court. Would you agree with that assessment? I hope I wasn’t. I was clear. I mean, this is all quite complex.
Jeroen Lenaers (Chair): I think it’s clear. If not, we have room for follow up questions. And on the question of the indirect victims, I asked those questions. And if I understood Mr. Vallejo correctly, he said that technically, yes, there should be a standing for indirect victims Bill. But he was not aware of any case where this had happened already. So. But maybe let’s, let’s take the original speaker order! We first pass the floor to Mr. Kouvakas and then Mr. Klabunde to you. You can add to that, Mr. Kouvakas.
Ioannis Kouvakas (Senior Legal Officer and Legal Coordinator, Privacy International): Thank you and thank you very much for both questions. They’re quite interesting indeed, and it’s worth clarifying a few points on those. First, with regard to the exceptions contained in Article 15 of the Privacy Directive and whether the Charter applies. It’s worth noting that, first of all, for the European Charter of Fundamental Rights to be applied, it has to be in the context of EU institutions carrying out activities, which would of course be under EU law, but member states as well, when it has to do with EU law. So the whole debate has been around whether the ePrivacy directive can somehow be applied, because if it is applied, then we have the applicability of EU law and accordingly the Charter comes into place. And if the Charter comes into place, what comes with it is all the human rights, the fundamental rights you mentioned, as well as the guarantees of necessity, proportionality, respect for the essence of rights and so forth. So basically the relatively recent jurisprudence of the Court of Justice of the EU has highlighted that when a state actor is imposing an obligation, when a state, for example, adopted laws that impose an obligation on my phone, my phone company, a communication service provider to interfere with data, retain them, provide access, store them, transfer them to another party. It is doing so in a contravention of the Privacy Directive because the Privacy Directive seeks to protect the confidentiality of communications and these forms of processing that transfer the storing whatever to the provider does can only be in certain cases prescribed for by the directive. However, when the state requires a communications service provider to do this, which is something else which is outside of the directive, it still falls under the applicability of the directive because the process that the provider will develop, the process that the, the, the, the communication service provider will do in order to provide access to the data will be governed by their obligations under the Directive. So somehow it’s like saying that, yes, article 15 of the Directive provides for exceptions, but they still render what the order wants within the framework of EU law, which brings the Charter into play in the applicability of the principles I mentioned. It’s a very, I think on several occasions the Court of Justice of the EU has made a very interesting remark when adopting these conclusions, saying that if we were to adopt that such measures, although prescribed by the Directive as derogations for outside the scope of EU law, it’s like depriving the directive of its essence because essentially it’s like saying that the directive provides for these exemptions and it wants to regulate these exceptions, saying it’s okay for the exemption to be outside the scope of this instrument. It’s okay to have a data retention obligation on certain service providers as long as you respect EU law. So if a state is arguing that this would fall outside, it’s like depriving the directive of any meaning because essentially there is no point for the exceptions to be applied. Now when it comes to the second question around the intrusiveness of spyware, and this is a really interesting remark because spyware internally, tools that have been deployed in the context of government hacking that we have been looking into for years are all highlighting pretty much the same conclusion of how intrusive these methods are, especially nowadays when our address books are diaries, our personal notes are our credit cards have all been replaced by mobile devices. Pretty much everything is kept on the phone nowadays. It’s really it’s really enormous. It’s really an enormous access that these being provided to the parties that deploy spyware and government hacking techniques. This is why I think that before going into judicial authorisation and safeguards that you rightly mentioned, which would come into play when examining whether emails are going to be strictly necessary for the purpose it seeks to achieve and then proportionate. It’s worth spending a bit more time on another condition that is imposed by the Charter of Fundamental of the EU, and that is the essence of rights. Respect for the essence of rights essentially would mean that we can impose restrictions on certain rights that are not absolute, like privacy or the protection of personal data. As long as those do not interfere, do not harm the very core, the very essence of these rights. Accordingly, a similar consideration has been made by the European Court of Human Rights when it refers to the essence of rights. When it refers to dignity. The human dignity being the essence of all rights prescribed in the European Convention on Human Rights. So to echo the remarks that were also made by the European Data Protection Supervisor in his remarks dated February 2022, it’s very unlikely to see how it’s very, almost impossible to see how spyware, like the ones we have seen deployed by NSO Pegasus, could comply with a principle to respect the essence of these rights, considering their vast intrusiveness, their ability to destroy out their data, introduce new data, and essentially gain and gain them an immediate look into a person’s very intimate aspects of their life. Because as we said, although it might be targeted to a single person, let’s say you just want to get access to the mobile phone of target named X. This access would still immediately open the door to all aspects of their private life. It’s not that they just want to read one email of target. They immediately I’m getting all their data immediately. It’s like I’m full. I’m following that around or I have been following their armouries. You rightly mentioned with retroactivity point for the like for the past right now and probably for the future. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Mr. Klabunde.
Achim Klabunde (Deutsche Vereinigung für Datenschutz e.V.): Thank you very much. On the as I already said earlier, I can repeat this. The legal interpretation of my colleague from Privacy International seems to be totally correct to me, so I would fully endorse it and not change a single word in particular on the interpretation of Article 15, one of the directive on the retroactive aspect of wiretapping or spyware as opposed to wiretapping. That, of course, depends on what you what you do retroactively. I mean, it was one of the I think Caspar Bowden. So that Caspar Bowden needs to be credited with the observation that the data retention instrument was like a time machine for the security services because they can look half a year back in our communications where this just happened. So this is not totally unique to spyware. And of course, it depends on the technical features of the device and the spyware, which is I really can go how far back they can go. I mean, information which isn’t in the device is lost. Of course, I would like to at point on the what you call the bycatch, it’s clear that in every interference with the communication, this interference concerns both parties to the communications or as we have multipoint communications, all the parties to the to the communications and not only the one that is targeted, but every girlfriend, service provider, car dealer or other contact that they are in communication, which they are all affected by this. And all of their confidential information is taken into the net that is pulled out as a point of comparison. In Germany, there is a law which allows unfortunately to put box listening devices into private homes under certain circumstances. But this law was, as one of the few successes of defendants of civil rights, contained a provision that they must stop listening when they enter into the very core of private life in the course of a tapping operation. So, I mean, this is a very bad situation, which doesn’t become much better. But I think really that for the for the Parliament, a wholesale solution is not possible. But to add internal safeguards to what is requested by security services and additional checks and balances. Democracy is about checks and balances everywhere. And we just need to have effective redress accountability in in the system. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Saskia Bricmont.
Saskia Bricmont (Greens): Thank you and good afternoon. Evening. Thank you for your interventions. I also try to be clear, but I have to be honest, it’s sometimes difficult to see clear between is the legal framework, the current EU legal framework sufficient and is it basically not applied or there’s an abusive use of some concept such as national security, for instance, by our member states, and then the gap between the framework and the political will to act. National security is the argument used by the four member states we know they have been using the spyware. Wiretapping illegally. Do you have a view on this national situation? Do you have any comments when it comes to the respect of proportionality and necessity? I ask you that because this is the official reason given by the governments that have answered to us, either to the commission or not to us yet. And at the same time, the commission basically seems to hide after this concept as well to barely have no reaction. I hear there are several pieces of legislation that could be used to act even when this concept of national security is mobilised. EPrivacy Charter of Fundamental Rights. So. So basically, if a member state evokes the national security argument, the Commission doesn’t act on the EU legal basis that that we have what is remaining for the victims? What can they do? Go to the courts directly. And that’s basically all the only means that they have in their ends to have legal redress knowing. And it has already been mentioned before, earlier in the exchanges that we can doubt about the independence of some tribunals in our member states. Previous speakers mentioned so that the current framework is sufficient. Do you agree with that? This is a question to both of you. And do you think do you have any insights on possible future uses? Thank you.
Jeroen Lenaers (Chair): Thank you very much. Let’s start with Mr. Klabunde.
Achim Klabunde (Deutsche Vereinigung für Datenschutz e.V.): Thank you. Thank you and thank you for the throw for the question. Ms Bricmont. Well, I think is the current framework is so, of course, insufficient in its current form with the lack of stronger protections of the ePrivacy regulation proposal and with the exemption for the purpose of child sexual abuse detection is not justified. The current framework is insufficient in its dealing with the security of devices, the absence of such vulnerabilities, the obligation for providers to fix vulnerabilities. The obligation for state authorities to ensure that vulnerable vulnerabilities are fixed with the providers and not used by the services itself. So I think these are all our points which can still be addressed in in current legislation. I find it difficult to predict what the European Court of Justice may make of the interpretation of the Charter and secondary law to prosecute or to in in the prosecution of spyware cases in in member states. My colleague from Privacy International has explained the difficulty of bringing your charter into law in its dispute into a case when it’s disputed was as a member state was in this specific activity in the course of European law. But I think clarification of the scope of European law might help here, in particular in the field of vulnerabilities, of devices. I think there’s still space and I view security and common market regulation to do more for security. And also considering the liability of device providers and software providers, there has been a long tradition of exempting software from normal liabilities. And I think this this is certainly a point, a future misuse. Yeah, well, I think this will never end, but it’s unpredictable what they will table include. But when we see I saw a number today of 21,000 vulnerabilities which have been detected since the beginning of this year. So the number of this loophole is huge and will still be used by smart developers in the future and be sold and used by governments with tendencies to escape from scrutiny. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Mr. Kouvakas.
Ioannis Kouvakas (Senior Legal Officer and Legal Coordinator, Privacy International): Thank you. Thank you very much. To a big extent, I will echo what Mr. Klabunde already said, with which I totally agree. And I would just like to add only a few remarks.
First, with regard to the national security context, there isn’t. I don’t think that’s the case for just a few member states or just a few countries around the world, to be precise. We have seen national security being used as an elastic concept where governments try to accommodate all sorts of concerns, especially in the context of mass surveillance. We have seen, for example, mass surveillance being carried out with national security always being the number one reason. And we have seen these being claimed as a very effective solution to tackle crime, to tackle threats such as terrorism, which are all legitimate reasons. However, we have barely seen and speaking of experience, I have not seen a single case that we brought where governments were able to demonstrate the efficiency of these by bringing in specific cases where specific threats to terrorism were tackled. Of course, even in a, let’s say, nondisclosure context, not with specific details, but based on the reports we’ve seen in the case studies, we are still I think it’s quite doubtful whether we need such a big umbrella restriction as national security has been in these currently being used by member states to justify interference, severe interferences with individuals, fundamental rights. If it’s interesting because it also reminds me and I think this also answers your second question of a specific case before the European Court of Human Rights against Hungary. It’s the case of trouble in Vichy versus Hungary, a case heavily relied on by the European Court of Justice in surveillance case law, especially the data retention context and the case where Hungary was found to be in violation of Article eight of the European Convention on Human Rights, which protects the rights, the right to privacy because of the mass surveillance measures it was implementing or so to implement, were failing to adhere to strict necessity principles articulated by the Court. On another point and what those affected are individuals being victim victims of the deployment of spyware and what they could potentially do. We should also not overlook the role of companies who are facilitating these communication services. And this also reminds me of the WhatsApp legal claim that has been brought in the US against NSO group WhatsApp bringing a lawsuit against NSO as it was used to target internally through human rights defender who used their services. So perhaps this also signals to a sort of stronger obligation on companies to take security and integrity of their systems, as most of them already do, and will guarantee their due to be able to fight such abuses and perhaps take action. These will also be really necessary in the cases of vulnerable communities and victims that belong to certain groups or minorities where they might not be able to seek redress for the harm or damage they have suffered.
When it comes to the other question and whether I believe the directive is enough or is sufficient legal instrument. Again, echoing Mr. Klabunde there, I would have been more inclined to say yes. I believe it is enough to regulate the deployment of spyware by member state authorities. But my answer will also be no, because first we are talking of a directive and as I said, this brings up certain difficulties with each state choosing their own ways to transpose it, meaning that it might slightly deviate from a certain interpretation, then another slate might slightly deviate a bit more. And this goes on. So imagine like all the member states we have and how hard it might be to find a uniform or consistent approach, or how often the European Court of Justice would have to come into play with preliminary questions. And the second reason I would say no is the data retention experience. As I mentioned in my opening remarks, where more than 20 member states in 2017 were found to be in non-compliance with the interpretation that even the EU gave around standards in data retention. So it is quite questionable how much they took these landmark judgements and the rules that the Luxembourg Court set out into account. And also it shows us an example of perhaps having a judgement by the European Court of Justice being handed down and then states not necessarily implementing it, adopting their laws or fixing the problem. Another remark I would like to make, which brings me to the. Sort of, again, state obligations, but from a different dimension is that of positive obligations, which basically means that states, state authorities are also obliged to guarantee the confidentiality of communications, as we saw one of the main aims of the directive on privacy being that as well as effectively guarantee the right to privacy, the exercise of the right to privacy of individuals and the means to do so. And an interesting remark were there would be as most communications nowadays will happen in a digital context, the measures that states need to undertake to ensure confidentiality, integrity of systems and security. And we see we see various instances of this sort of positive obligation being present in very in various EU law instruments, for example, the needs directive or even data protection instruments such as the GDPR, the LED Law Enforcement Directive governing the processing of data by police and criminal authorities, where the providers of these systems or controllers, if we say it in a data protection context, are obliged to maintain integrity of systems, avoid data breaches, and make sure that they don’t compromise the security of systems. Now, it’s hard to see whether these obligations could still be abide if, let’s say, a police authorities deploying spyware, which relies on vulnerabilities in essentially target systems that can compromise the security, not only of that specific device, but, as we know, the security of the Internet as a whole and the whole network, because knowing a certain vulnerability in mobile application X, it’s not going to mean that I’m only going to target user that very user of the application. I will essentially create an open door for third party cyber criminals to just gain access and possibly use the vulnerability and affect the millions or billions of users that specific application might have. So it’s like the crossover sort of effect. And yes, I think these are my three remarks to your questions. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Mr. Kouvakas Now, we have almost concluded the sixth hour of our hearings today. Thank you very much for all the presentations on the topic of e-Privacy and the use of Pegasus. It’s maybe not as clear cut as we would have hoped. I join a bit of the confusion of Saskia Bricmont in that regard, but at the same time, the lack of clarity is also an encouragement for our own legislative agenda, I guess, in order to provide that clarity in the future. Thank you very much. Mr. Klabunde Thank you very much. Mr. Kouvakas. Thank you very much for the Die Hard colleagues who have spent 6 hours with us today, both from the members and the staff. So thank you very much. And we meet each other again tomorrow morning at 9:00 for the next session. Thank you all very much. I wish you a nice evening and see you tomorrow.