Der PEGA-Untersuchungsausschuss im Europaparlament hat sich am 28. Februar wieder mit Griechenland beschäftigt. Bereits im November reiste eine Delegation nach Griechenland und Zypern, um den Vorwürfen von Hacken und Abhören vor Ort nachzugehen.
Im ersten Teil der Anhörung waren Konstantinos Menoudakos (Präsident der griechischen Datenschutzbehörde) und Christos Rammos (Präsident der griechischen Behörde für Kommunikationssicherheit und Privatsphäre) zu Gast. Beide berichten, was sich seit November in Griechenland getan hat. Nikos Androulakis, Europa-Abgeordneter und Opfer staatlicher Überwachung in Griechenland, dankte den Gästen:
Ich danke Ihnen von ganzem Herzen für Ihre Bemühungen. Sie haben sich bemüht, herauszufinden, was in diesem Fall in unserem Land geschehen ist, das uns international in Verruf gebracht hat. Meiner persönlichen Meinung nach hätten wir nichts erfahren, wenn es Sie nicht gäbe. Wir würden im völligen Dunkel tappen.
Im zweiten Teil der Sitzung war Michael O’Flaherty von der EU-Agentur für Grundrechte Gast. Er stellte neue Entwicklungen im Bereich der „Überwachung durch Nachrichtendienste: Grundrechtsschutz und Rechtsbehelfe in der EU“ vor. Die Originalstudie stammt aus dem Jahr 2017, weshalb O’Flaherty in seinem Vortrag zunächst die Entwicklungen seitdem in den Fokus stellt. Seitdem wurde unter anderem die Datenschutz-Grundverordnung eingeführt.
Das Fazit: Im Bereich der staatlichen Überwachung hat sich seit 2017 nicht genug getan. Nur fünf Mitgliedsstaaten haben seit 2017 Geheimdienst-Überwachung gesetzlich reguliert. O’Flaherty fordert eine umfassende Rechtsprechung, eine unabhängige Behörde sowie ordentliche Kontrolle vor und nach der Überwachung, um unrechtmäßiger staatlicher Überwachung vorzubeugen. Zudem fehlen Rechtsbehelfe für Betroffene und jene die es gäbe, werden häufig nicht in Anspruch genommen.
Insgesamt zieht die Grundrechte-Agentur ein eher ernüchterndes Fazit, dass auch Berichterstatterin Sophie in ’t Veld aufgreift:
Ich muss sagen, dass ich nach Ihrem Vortrag ein wenig deprimiert bin. Ich denke, Sie haben so ziemlich das bestätigt, was auch wir beobachtet haben. Nämlich, dass es nur sehr wenige Fortschritte bei der Verbesserung der Aufsicht, der Rechtsbehelfe und so weiter gibt. Und es gibt tatsächlich sehr wenig politischen Willen, die Dinge zu verbessern.
Von der Anhörung gibt es ein Video, aber kein offizielles Transkript. Daher veröffentlichen wir ein inoffizielles Transkript.
- Date: 2023-02-28
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers
- Experts Panel 1: Konstantinos Menoudakos, President of the Hellenic Data Protection Authority and Christos Rammos, President of Hellenic Authority for Communication Security and Privacy
- Experts Panel 2: Michael O’Flaherty, Director of the EU Agency for Fundamental Rights
- Links: Press Release, Video
- Note: This transcript is automated and unofficial, it will contain errors.
- Editors: Anna Seikel
Panel 1: Spyware use and privacy in Greece
Jeroen Lenaers (Chair): Good morning, colleagues. Welcome to our PEGA committee this Tuesday morning in Brussels. We have interpretation in the following languages: German, English, French, Italian, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian. If there are no comments, I consider the agenda of today’s meeting adopted.
We have two sessions today. First, an exchange of views with Mr. Christos Rammos, the President of the Hellenic Authority for Communication, Security and Privacy, and Mr. Konstantinos Menoudakos, who is the President of the Hellenic Data Protection Authority. And then afterwards, we’ll also have an exchange of views with Michael O’Flaherty, who is the director as well of the European Union Agency for Fundamental Rights.
So we will start with point two on our agenda, which is, as I said, the exchange of views with Mr. Christos Rammos, who we have met already earlier this year in a session of our committee here in Brussels. And we also had an exchange of views with during our mission in Greece some time ago. So it will be good to hear from him again on any new updates and developments in Greece. And we will meet also with Mr. Konstantinos Menoudakos, who is the president of the Hellenic Data Protection Authority. This exchange of views was requested by a great majority of coordinators during our meeting on the 24th of January. So I’m pleased that we could organise it in such a short notice.
I will pass the floor first to our two invited guests. Both of them are connected remotely. They will have the floor for about 10 minutes and then we will take the Q&A in the usual format. And I would like to ask members who would like to take the floor during the Q&A to already indicate so to us during the speeches of the two speakers so that we can draw up the speakers. I see in my screen, that Mr. Rammos is with us, so I will give you the floor immediately, Mr. Rammos for about 10 minutes, and it’s good to have you again.
Christos Rammos: Good morning, thank you for the invitation. I’ll be brief. I will not use all 10 minutes. I think it’s more important to make a speech and then to answer your questions. Last time that we met in Athens, it was the beginning of November, if I recall well. I had informed your committee, I had replied to questions concerning the developments concerning the confidential character of the communications. The situation we had then. After that date, we had some developments in our authority, ADAE, of which I’m the president, advanced concerning its competences. According to the Constitution and the law, we implemented our authorities, we made controls and checks concerning complaints of citizens, Complaints concerning the lifting of the confidentiality of the communications for legal wiretapping of phone calls and various complaints, less in number.
Concerning spyware, the Predator spyware, these procedures advanced at a normal rate in spite of some problems and some frictions that we had to face. And I would like to add at this point that concerning the predator spyware, our authority, the authority for protecting the confidentiality of communication of which I am a president, has restricted authority, according to the Greek law, authority for making controls, controls concerning to see if there is a spyware on a mobile phone, on a mobile phone of somebody who submits a complaint because the legislation says that their authority ADAE can control the networks of the providers of telecommunications, it can control providers. And as it’s well known, this spyware does not move through networks. However, ADAE has examined some cases, has found some things, and has informed the criminal justice and the authority that makes the investigation concerning these issues. The prosecuting authority, ADAE, our authority, is unanimous in this approach. We have decided after the new legislation that passed in December in our parliament, 5002 of 2022. This legislation was voted by the Parliament that we can perform controls, we can continue performing controls after a complaint, but after our own initiative as well. And we are moving in this direction. These are the few words I would like to express initially. It will be more productive, I feel, and more interesting to reply to specific questions later. Thank you very much.
Jeroen Lenaers (Chair): Thank you. Thank you very much, Mr. Rammos, for a very brief introduction. But I fully agree with you that, you know, there is going to be probably some questions from our colleagues and you can further elaborate on those when they are when they are asked. So immediately I pass the floor to our second speaker, who is Mr. Konstantinos Menoudakos, who is the president of the Hellenic Data Protection Authority. You also have the floor for about 10 minutes.
Konstantinos Menoudakos: Thank you very much for your invitation. I’ll try in these 10 minutes, since it’s the first time that I speak to your committee in PEGA, we try in 10 minutes to explain the actions of our authority for the Personal Data Protection Agency.
Our authority, after its own initiative, began an investigation concerning spyware used in Greece, and especially concerning the predator spyware. This took place after we saw there was an attempt to install on the phone of the MEP, Nikos Androulakis, because it was the second such event, such case of installation of spyware. When we learned about the second event, there were misgivings that the use of Predator, the spyware, it wasn’t used in a single case, but maybe it was used more widely. I should underline that up to then in our authority of data protection, we didn’t receive any complaint concerning this malware.
So in the framework of this investigation, the authority, the Data Protection Authority, it was the end of July of 2022. So authority requested and got the report of the Special Commission, Committee of the European Parliament concerning the terminal of Mr. Androulakis, the device from Mr. Androulakis. And also we received a copy of his complaint that was submitted to the Greek High Court. Mid-September of 2022 we got information from Mr. Christos Spirtzis, this a member of the Greek parliament when Mr. Spirtzis, because he found that there was an attempt to tap his mobile phone.
Complementing what Mr. Rammos said concerning the competence for controlling the use of malware of the spyware, this malware our authority for data protection follows the general regulation for data protection. But we also move, according to the special legislation ePrivacy concerning personal data, the legislation for personal data for the protection of personal data in electronic services.
I would like to clarify, I would like to say that the Data Protection Authority in Greece does not have the competence to control whether lifting of confidentiality ordered by state authorities is something legal or not. This is in the competence of ADAE. Concerning the investigation concerning the predator spyware the authority has created an investigating team and we have already done investigations and I am going to present them briefly to the extent that I will not undermine the investigations of our authority and the investigation of the prosecuting authorities that are doing investigations at the same time.
At the first stage, we controlled Intellexa, a company that’s in Greece since 2019, as we know, and this company in some publications appears that is involved in constructing and selling the use of Predator. After we did local investigations and other controls, the authority concentrated and still concentrates data and facts in order to reach some conclusions, conclusions concerning the relationship of this company or of other companies as well with activities of installation of spyware. I will not mention specific data that have been collected, is an investigation that is still in development. I would like to say that already on Intellexa we have imposed a fine of €50,000 because they didn’t cooperate with the authority, and this non-cooperation was expressed with a very delayed submission of data that were requested by the authority and also they didn’t submit some of the data requested already after this decision. Together with the fine we imposed on Intellexa, this company, the obligation to bring some missing elements or missing data. And after the decision the company has given many documents. This took place approximately two weeks ago.
We are examining the data by the investigating group of the authority from the investigation we guess that in some way, and we’re investigating this. We think that other companies are also involved. Within the European Union, but also from outside the European Union, companies possibly cooperating with Intellexa that is established in Greece. And this is a ?. Now the investigation of the authority is still going on. And I must say that the authority used and will use in the future the cooperation procedures and visits by the General Regulation for data protection.
A second aspect of our investigation concerns understanding how this spyware is functioning, how it works, how predator is working. We had information coming from investigating bodies and private companies, and our authorities came into contact with them. With academic laboratory, Citizen Lab of Canada, and it analysed, this institute, analysed how this spyware works, but concerning the technical characteristics without mentioning specific cases.
We have requested data from Meta and from Google as well. We did this because these companies had publicly mentioned that they observed predator functioning in many countries. Among these countries was Greece. From these companies, we have taken some initial information, we estimate. At least we hope that we are going to receive more useful information. Although I must say that there is some difficulty concerning direct communication with these companies.
A third aspect of our investigations concerns the use of various web pages and web spaces, and through this use we see these spaces where used for installing this spyware so that through these domain names to see who was the person responsible for this action. We have spotted some domain names that it appears that were used and we try to spot who are the owners of these Web pages. It seems that to a large extent, companies are used that have been established outside the European Union, cities is outside the European Union. And since this is the case, there is a problem, difficulty concerning the efficiency of the authority. The investigation maybe will not be completed having specific conclusions to the extent that we have companies that are established outside the European Union. In the case of companies that are established in a member state of the European Union, the authority can send an application for cooperation, for aid, and we intend to do this. At this stage, we are collecting various facts and data. And in one case that was also presented publicly and concerned a great company we didn’t find that was some relationship of this company with the Predator spyware.
A last aspect I would like to mention concerning our investigations concerns the method used for sending the SMS through which the users were fooled or they made an effort to be fooled? To go to a false Web page and have the spyware installed on the device, on the terminal device. We moved in that direction as an authority. When, from our investigation, we were certain in our findings that these messages were not sent through the traditional mobile phone network. For which we can implement the legislation for the confidentiality of communication. It wasn’t a communication between two subscribers, but through a network application, an Internet application for sending SMS. So this the ones that are used very frequently by various companies in order to send very many SMS messages at the same time.
So we wanted to find the initial source of the malware and in this framework we addressed the companies that send SMS through Internet connections. Out of these companies through this investigation we saw that these messages, many of these messages were related to the Predator spyware. As with communications through the Internet an SMS could be delivered to a provider after going through a chain, through various centres of intermediary companies. Of intermediary companies for SMS. And a message could be transmitted through various many stages and various centres for sending messages until it arrives to the receiver’s device. The authority requested from these companies for sending a message to inform us concerning the messages that were sent and contained various domain names that were related to the Predator spyware.
At this moment, the investigations are continuing. And we tried to find the identity of those who receive the SMS and the various prosecuting authorities know about these actions we’re following. And we also gave instructions for non-destruction of data addressed to various companies, specific companies, after we found the points through which these SMS were sent. After we spotted the centres through which the messages were sent, we widened our investigation and we tried to find all the SMS that appear to be related to the predatory spyware. We also tried to find the accounts, user accounts through which these messages were sent. With this method up to now, to this moment and the investigation has not been completed yet, we have confirmed that according to the first estimates, we have approximately 300 messages that have been sent. 300 SMS is addressed not to 300 receivers, but approximately 100 receivers because many were sent to the same receiver.
At this stage. The authority tries first of all, to confirm to see who are these receivers of the messages, to spot all of them. All of these receivers of the messages. And after doing this, to see how and in which way these people can be informed, receivers can be informed, and to find who are the senders of these messages. That’s what I would have to say, Chairman, in this first presentation, and I thank you very much.
Jeroen Lenaers (Chair): Thank you very much, Mr. Menoudakos. That concludes the introductions from both our guests. And we move to the Q&A session with the members present here. Like I said, if people want to take the floor, please indicate. So we start our round as per tradition with our rapporteur, Sophie in ’t Veld.
Sophie in ’t Veld (Renew): Thank you, Chair. And I would like to thank both our guest speakers for their availability for this exchange of views. I have many questions and many more after listening to your presentation and I’m just going to fire them at you very rapidly in random order. But I think first of all, it’s also important to realise that amongst all the targets, there are at least two of our colleagues, Mr. Androulakis, sitting next to me and Mr. Giorgos Kirtsos, and maybe more. Who knows?
First, I would like to go into the powers you have and the cooperation you get from the government and government bodies to investigate. The general prosecutor, Mr. Dogiakos, is disputing the powers of ADAE to investigate. I would like to hear your views on that. Of course, we already know a little bit what you feel, but what’s the state of play and does his opinion, Does that mean that you get less cooperation from government bodies? Is there obstruction? And when do you expect your investigations can be concluded.
Then under the new law, 5002 I understand, but correct me if I’m wrong, ADAE no longer has the power to notify the targets of surveillance because that power has been, let’s say, shifted from ADAE to a kind of three headed committee in which you, yourself, Mr. Rammos, are represented as well as the head of the EYP, the Secret Service, as well as the in-house prosecutor of the EYP, which is already strange because that means the two out of three who are going to judge whether a target can or cannot be notified are the secret services and the authorising prosecutor themselves. So that doesn’t seem very independent to me, but I understand there is no operational framework. So if somebody would want to make a request, uh, you know, how does that person go about it? Is there is, there is a procedure, is there an address? And if not, then what avenues, what remedies are open?
And then I was listening with great interest to the presentation by Mr. Menoudakos. I hear you say you have confirmed some 300 different SMS messages that have been sent and approximately 100 persons who have received such messages. That number is already a lot more, a lot higher than we heard so far. And they have been sent through sort of intermediate companies. But you also mentioned that these companies are partly located outside the European Union, but they are still, they’re still operating on the European markets and therefore have to comply with European law. They have to have a in particular, when you’re looking at GDPR, they have to have a legal representative in the European Union. How is it possible that companies are conducting this kind of activity, considering that they’re not covered by EU law?
Then do you have, a question to both of us, Do you have sufficient capacity to investigate this, including technical capacity? And would it be possible for you to invoke the assistance of the Europol Cybercrime Unit where they have considerable expertise?
So Mr. Rammos, you mentioned irregular activity on the telco networks. Initially you said that spyware is not sent via telco networks, but the text messages which are being sent, which are meant to lure somebody to, you know, to click on them, they are sent through to the telco network. So can you say something about that?
And I’m going go to my last question. So now we know there is a list of people who’ve allegedly been targeted with spyware. We also know there is a list of people who have been put under, let’s say, regular surveillance by the EYP, including, to my surprise, high profile politicians and even some persons in the very highest ranks of the military, which I think is remarkable. And the two lists seem to contain, to a certain degree, the same names. What does that tell you? And what does that mean for the different powers you have to investigate in in both cases?
And then finally, my final question. Spyware can be a very powerful instrument in the hands of a political party, in particular a government party. And it can be used or it gives a considerable and unfair advantage over political opponents, and in particular when it’s being used that way deliberately. I find that a reason for concern in a democracy. That is why we are conducting these investigations. Would you agree with me that this matter of the spyware has to be resolved urgently in order to lift any shadow of doubt over elections? Thank you.
Jeroen Lenaers (Chair): Thank you very much. We’ll take the answers in the same order as the question. So we’ll start with Mr. Rammos.
Christos Rammos: Concerning Mrs. in ‚t Veld questions, first of all, concerning the opinion of Mr. Isidoros Dogiakos ,the prosecutor of the 7th of November 2023. This opinion was published after a request of a company, a mobile phone company, a provider, of Cosmote. And in this opinion of the prosecutor. The prosecutor is of the opinion that after voting the new law, the new legislation covering, lifting the confidentiality of communications and other issues concerning EYP, i.e the law 5002 of 22, ADAE has no power to perform controls concerning the complaints and applications submitted to the authority and concerns the requests of citizens to learn whether they have been surveilled, under surveillance after an illegal way, after an order of a prosecutor if their phones are being followed, have been tapped and this opinion continues and it says that we have to be very careful on these issues because there is a possibility, because there are sensitive issues.
Those who do not follow the legal point of view expressed in the opinion of the prosecutor to commit very serious criminal offences such as the violation of spying and violating national confidential rules. I communicate with all the members ADAE, with administration of ADAE, and publicly I announced, I made an announcement, a communication and insist on what I said then. And the communication says. That the intervention of highest authority of justice in the functioning of an independent authority the preliminary intervention is not allowed, according to the Greek constitution, because the independence of independent authorities in view of the executive power has to be independent from the executing authority and the injustice. We do not want to say that we are above the law as authority. But if ADAE is illegal somebody can go to the to court and go against our authority if we moved legally or not. And this cannot be decided in advance by a prosecutor. And if we violate the law, of course, criminal law will be implemented on us. I say this because either on purpose or through carelessness, this was not implemented. And we are accused that we are claiming that we are above the law. And this is not the case. We are very careful in implementing the law, the legislation, and this is the main error of the opinion of the prosecutor of the High Court. We have a procedure to inform the damaged party. We follow a separate procedure, It always was a separate procedure. And according to the law, 2225 of 94, the previous legislation before this law. And is a power that is different of the power that ADAE has the law 3115 of 2003, a law that still is valid. It has not been amended. It has not been abolished. Directly or indirectly according to this legislation ADAE has the power to control the providers, the EYP either after a complaint or either through its own initiative, and to control whether the legislation on confidentiality of telecommunications is obeyed and to conform to our authority. That comes from Article 19-2 of the Constitution. What is our power? We had a legal disagreement. This was publicised, this disagreement. Many constitutionalists and both of lawyers submitted our point of view with some variations. And after this event as I stated repeatedly, they will implement the legislation. The opinion of a prosecutor is something we have to respect. It has legal arguments, but it’s not binding because only the decisions of the court are binding and not the opinions after that ADAE continued. Normally. In spite of this problem. Because you must understand that when you lead in an opinion. Things about legal responsibilities, criminal responsibilities, a certain climate that is created. Concerning other people, Not me. Because I wasn’t shaken by this text. I respect the text, but there was not convinced by what the prosecutor said. I wasn’t scared by the text of the prosecutor. But in spite of all this ADAE with a decision that was taken with a majority. We continue normally our controls without any problem.
Now, on your second question. When the controls will be completed, investigations will be completed. The answer is the following. We have dozens of complaints. We have many complaints that have been accumulated. We chose a legal framework. Our powers are always restricted. The change of the legal framework created uncertainty concerning how the controls can be continued and what’s the correlation of the procedure of controls. With the procedure of informing the citizens. And this created the need for exchange of letters between ADAE with the ministers responsible? Those who propose the Bill of Law and with the prosecuting authorities, to see the various procedural details, how we will inform the citizens for the lifting of confidentiality for according to Article 4.7 of this new legislation. There are various issues pending here. When this request will be sent, Which body will decide this body. Because we have the power as ADAE to inform the citizens when the lifting of confidentiality and when surveillance took place in order to establish very serious offences. And we have not lost completely this power now concerning the whole regime. That is same for the information. We have a law from 2021 and the information of citizens was prohibited there. For reasons of national security concerning surveillance. And this has changed. And we have the new law now.
When we learned about the Bill of Law. Because there was no consultation with us. We expressed objections concerning the power of a three partite body to decide who sit with citizen, who can be informed, who cannot be informed, or whether we have problems concerning the confidentiality of communications. We had expressed objections during the three-year period because the law says that this takes place three years after the surveillance has ended. We thought that this power should be given to ADAE, it’s an independent authority ADAE and a tripartite body in which the prosecutor is participating, the prosecutor, the prosecuting authority. Who is within the EYP service. This creates a problem whether a body can control its own actions. They did not listen to us, and the final law as it passed is as follows. And Mrs. in ’t Veld, I should underline here, allow me that the director of EYP does not participate in this board in this body. The prosecutor is participating, the prosecutor issuing the act. The prosecutor who is seconded to EYP, the second prosecutor. Because now the legislation for the lifting of confidentiality has been signed by a second prosecutor and the president of ADAE. He’s in the minority, but this is the legislation and we are going to implement this legislation. We have no intention or possibility not to implement the law. Now, how this will be interpreted in practice, it’s very early to tell because we have very many complaints on our hands at this moment and we have procedural details to clarify.
Now, concerning the spyware, you’re right, Mrs. in ‚t Veld. You’re right. These SMS are sent by a false number. Let’s say it’s a virtual number from which they are sent. In two cases that we have investigated or other in one case, We had conclusions similar to the ones presented by Mr. Menoudakos. That means we controlled, we checked the phone number of the provider from which the phone number belonging, for which the link came the link that was carrying the spyware, the predator spyware. And after some controls we found a specific number. We advanced and we found the person. We found the account number, the bank account number of the person who used it. We informed the authorities, the active authorities for the violation of confidentiality, of communications. And we continue the investigation to find more data. We do not have many cases with the Predator spyware. We have only two cases concerning your question about the two lists concerning targets and the use of spyware. And also surveillance by the EYP. What I know is that they read in the press, I saw in the press various publications, very specific persons are mentioned as targets. Target of spyware. But also targets from the prosecutor’s orders for lifting the confidentiality. As ADAE we have not, we have established only in two cases this happening. In other case, we saw that the specific person, a specific complainant. Was a target of the spyware, but also by an order for lifting the confidentiality. Maybe we will find some other cases during our investigations.
Now, concerning the spyware, this spyware is an enormous danger for the confidentiality of communications and for democracy. This is no doubt by anybody. It is clear that such a spyware at the hands of a state body or in the hands of a private person can cause, can create a society in which blackmail, extortion will work. Information would be collected illegally concerning some person and in some cases maybe also the political game can be influenced. This is a problem and nobody in Greece denies this. That’s why criminal justice has taking some action. You can ask the prosecuting authorities for more information. We tried to find some conclusions concerning the use of this spyware. This is what they have to say for the time being. And I thank you very much.
Jeroen Lenaers (Chair): Very much, Mr. Menoudakos.
Konstantinos Menoudakos: On the specific questions of Mrs. In ’t Veld. When we are going to complete our investigations. Unfortunately, we cannot define this time. It’s a difficult procedure. You see that one conclusion leads to further investigation. That’s how we began having a timetable in our mind, a two month timetable. Having spotted a small number of SMS, now we have 300 SMS and we reach 300 because after each investigation, we were led to a next investigation. In order to have a full picture, in the framework of our powers and our capabilities and legal capabilities we are going to move step by step. So I cannot predict or calculate in general how much time we need for our investigations. If we want to have a complete investigation and to reach conclusions after a full investigation, complete investigations.
Now obstacles concerning our work. I’m talking about the personal Data Protection authority we no obstacles from the moment that we began our investigations. In 2022 were moving normally. Nobody interfered. Nobody said anything. Nobody told us to do something more or to hide something. We are moving based on our powers. At least this concerning the Data Protection authority and this not only for this investigation, but also for previous investigations during the six years I’ve been president here, that’s the situation. And during the previous periods, no such problems.
Now if I could control the companies outside the European Union. It’s certain that we do not have the power to control these companies, but we can request information if these companies are active. Within the European Union without a representative. This in itself is a serious violation and leads to sanctions imposed by the authority. We had this with Clearview, with a Clearview company, the Greek authority and other corresponding authorities of the European Union have imposed fines. Within the European Union, when we have a company established within the European Union and this company has to be controlled, there is a procedure. The control cannot done by the national authority, our authority directly. We have to follow the cooperation, cooperation that this broad envisaged by the regulation for data protection.
On Europol, we do not have the authority to request cooperation with Europol. This is a competence of the prosecuting authorities. These were the questions, I think. I don’t know if there’s something else that I did not answer to. Thank you.
Jeroen Lenaers (Chair): I think that very well answered the questions posed by Mrs. in ‚t Veld and we move to our next speaker, Mr. Zoido on behalf of the EPP. Please.
Juan Ignacio Zoido Álvarez (European People’s Party): Thank you very much. And thank you, Mr. Rammos and Mr. Menoudakos. Firstly, I am going to start with certain personal opinions and comments which might seem more like electoral interests. I’m going to spare you that. I’m just going to give you some questions on facts and some information that I got.
Firstly, I have some questions for Mr. Rammos. Firstly, Mr. Rammos, as a president of the independent authority in charge of protecting electronic community and privacy. Is the Greek government participating with you in investigations of other politicians?
Now, a few days ago, there were some terrible accusations made about the state of the rule of law in Greece. And they even questioned the integrity of the upcoming election in Greece. What is your opinion on these accusations?
Thirdly, do you accept the accusation that the government interferes with the judicial system in Greece?
Fourthly. What do you think about investing as the government might have used software like Pegasus? And then according to your legislation of your country, are you really going to take away confidentiality or do the people have to inform their hierarchies? If they’re going to take away confidentiality.
Then Greece has said that they’ve have nothing to do with illegal software, but the investigations led to conclusions to the contrary in November. The ? mentioned some people that it had said that they were spied on and they reported on it. Were those reports of these people being spied on true?
And then I have two questions for Mr. Menoudakos. When did you start the investigation on Intellexa and who were clients Intellexa? And then can you really deny that the spy attacks on the software came from within the country? Thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. Zoido. We start with Mr. Rammos.
Christos Rammos: Thank you, Mr. Alvarez. I’m president of an independent authority. As you understand, I cannot express evaluations or judgement concerning the Greek government. I cannot enter into such thoughts. You asked if Justice Independent. Clearly. Yes. No doubt about this. Greek justice might have some problems. Like all mechanisms of justice in the European Union. But Greek justice is independent.
From thereon these questions could be addressed to other bodies that have more specialised knowledge on this. For 38 years I was in the High Court and I can tell you that it’s an independent system, the justice system.
Now, this spyware. Predator. If it’s related to the EYP. Do we have any proof? No, we do not have any proof on this. We are investigating. Justice is investigating, but proof. We have none. You said you talked about confidentiality. If the director of the EYP knows about it. From what I understood. What the legislation says in Greece, the Greek legislation envisages the following, that lifting confidentiality takes place after a decision of a prosecutor of second degree, of second level court. And we have, according to the new legislation, a second prosecutor. He has also to approve this. So the director of EYP does not interfere or the counter-terrorism service, which is the second service who can issue orders for lifting confidentiality for reasons related to national security concerning the offences.
Lifting confidentiality for offences. Big offences. This is the second category on this. We need a decision of a three member council. Of prosecutors. Of a first level of justice, and this is a part of criminal justice. Prosecutors only can decide on this. Now, on the list of the documents that you mentioned, I have not read this. I have not read the full catalogue. The number is huge, is a very large number. I cannot confirm or deny anything on this. I do not even know the full list.
Now, if this spyware comes from Europe or from outside Europe. We have not discovered something that leads to a source outside Europe. We have restricted a possibility to investigate these issues concerning spyware. We’ve made some controls, but we do not have many complaints on this. And up to now, we haven’t found a source outside Europe, but nothing can be excluded. However, this is what I have to say. And thank you very much.
Jeroen Lenaers (Chair): Thank you, Mr. Menoudakos.
Konstantinos Menoudakos: The data we started Investigation Predator in August 2022. Mr. Alvarez. That’s the first question. The second question of Mr. Alvarez. If we have proof or indications for cooperation of Intellexa with other companies, we have some indications, and that’s what we are investigating. That’s why we requested full data from Intellexa, and that’s why we are asking a completion of the data sent to us initially. With the decision that we issued. One of the basic objectives of the investigation is to see with what other companies within the European Union or not within the European Union Intellexa was cooperating. Two weeks ago, they sent us a large number of data and a voluminous document, and we’re investigating the data. For the time being, I must say we have indications only. No, we do not have proof for the cooperation with other companies and with which companies. There was some form of cooperation. Thank you very much. Those were the two questions, I think, raised by Mr. Alvarez and addressed to me.
Jeroen Lenaers (Chair): Thank you very much, Mr. Menoudakos. And we continue our Q&A with Mr. Androulakis on behalf of the S&D.
Nikos Androulakis (Socialists and Democrats): Good morning, Mr. Rammos. Mr. Menoudakos. It’s a great honour and pleasure because it’s the first time that I have the possibility to address you and to thank you from the bottom of my heart for the efforts you have made. Efforts to learn what happened with this case in our country that has exposed us internationally. In my personal view if you did not exist, we would have learned nothing. We would be in full darkness. And that’s what I say in your honour. The objective of the Mitsotakis government from the outset was coverage. The shadow state created by the government. And this is proven by two elements.
First of all, after the surveillance of Koukakis, we have a legislation that does not allow the information of victim targeted citizens. They don’t know about being under surveillance. And after the revelations concerning me, the attempt with the predator spyware and the surveillance of my mobile phone. We have a law passed, although the government said it wants transparency, and according to this list legislation, information is allowed and in some cases three years after, i.e. after the national elections. And this proves that the target is covering the whole case and not revealing the, you know, the guilty people. And this mechanism in any democratic country where the rule of law is working normally, people would be called by justice to explain what they’re doing. And Mr. Dimitriadis, the nephew of the prime Minister, and Mrs. ?, who is the prosecutor and then director of EYP, Mr. Kontoleon. And it’s obvious that after this violation of human rights and of the Constitution, Mr. Mitsotakis would not be able to stay in his position as a prime minister.
Instead of all this what we are living and we are experiencing is an incredible reaction of the philosophy of the establishment. Instead of showing who are guilty and to be taken to justice, the victims, the targets, and the judges who are trying to publicise what happened, the judges themselves are targets of moral attacks, trying to undermine them and try to kill them politically. Mr. Rammos was a target during the previous period by specific media and ministers of the Government because Mr. Rammos is doing his job. Me personally. You know why I’m here, because in a in a very soon in the committee in Jury committee, after my request in November, we have to judge whether my immunity has been violated by the violation of my mobile phone. For the last one and a half months the media supporting the government mainly so present this legal move I’m making that are making this move. Because I’m afraid that my immunity will be lifted by the European Parliament and presenting me as an agent of foreign forces by China, by Russia, by Turkey, by Arab countries, that I am an agent of these countries trying to cover this shadow state that they have created.
In a few minutes, in a short while in the JURI committee, we are going to judge whether my immunity has been violated. And the journalists are tools of the government. They should apologise for all these cases of conspiracy they presented in the press and they presented me in this way.
Something else, Mr. Menoudakos said, or rather Mr. Rammos said that the bank account was found that paid for the message and the message was sent in order to trap my device and the data were given to justice. When did this take place? To know how quickly Greek justice is moving? After eight months, we should evaluate this as well. From the moment that the data have been given, so do we learn who is the holder of this account? The account that sent all these messages, messages trying to trap people with this spyware used in our country, the predator spyware. I would like to thank you again, Mr. Menoudakos and Mr. Rammos, because your efforts are those who are keeping the prestige of our country still standing up. And thank you. Because even in this way, being abroad, I had the chance to address you these few words. Thank you very much.
Jeroen Lenaers (Chair): As there was not really a concrete question to either of the gentlemen in there, but I will, of course, give, if you so desire, the floor to Mr. Rammos and Mr. Menoudakos to respond. Mr. Rammos.
Christos Rammos: Thank you, Mr. Androulakis. We only performed our duty. Nothing more. Concerning when the data was sent. Let’s say they was sent. A few weeks ago. Because we gradually found this data. We sent data to justice, but at the same time, we’re continuing our own investigation. These are difficult issues because, as I mentioned I do not have my technician next to me to explain details, technical details. Mr. ? as I had programmed. It’s difficult to find the true identity. Many procedures have to be followed for identification, lifting confidentiality, banking, confidentiality procedures that need time. Unfortunately, that’s what I would like to say. Nothing more to add. Thank you.
Jeroen Lenaers (Chair): Mr. Menoudakos.
Konstantinos Menoudakos: On the occasion of what I heard from Mr. Androulakis. I said before that the Data Protection Authority has not suffered any intervention, any effort of interference by anybody. I would like to say that what happened with Mr. Rammos is unacceptable in a democracy. An attack, not corresponding to the image of a judge for 40 years of Mr. Christos Rammos And I would like to support him against this attack he received. An attack which was against the institutions and it was an unjust attack. One can judge our actions, but in this way. This way of attack shakes the the feeling of justice, the trust of the citizens towards the institutions. Now, on what Mr. Rammos said. I remembered that we have spotted elements of payments data about payments. These payments have to be analysed because these centres are hidden and those who pay. We have spotted four payments and the data have been sent to the prosecutor recently. Thank you very much.
Jeroen Lenaers (Chair): Ms Bricmont for the Greens.
Saskia Bricmont (Greens): Good morning and thank you Mr. Menoudakos and Ms. Rammos for the discussions with us and this Inquiry Commission Committee. I’d like to thank you for the work you’re doing in sharing the information with us and also like to know a little bit more about the magnitude of the revelation of the cases and certain people who will be impacted by this type of surveillance. To my mind, the public authorities are not reacting as much as they should to what they’ve learned to these discoveries. So in the bodies that you have at home, are you planning to go further in your investigations? Can you do this proactively? Are you going to do it on all the people who have been mentioned or only react to complaints which have been filed and not if no complaint have been filed? And if so, can you explain that so few complaints have been filed?
And then how do you see things happening afterwards? Do you think your reports will be followed by action or will this just be some reports, just initial report that on these dossiers, have you had discussions with the judicial authorities with what will happen if indeed violation of private life and data protection has been established, as well as other illegal aspects that you find in your investigations?
And then how can we in this inquiry committee help you with respect to helping your data protection authorities? The EYP? What kind of recommendations could you make to us, as well as to your Greek national deputies and your members?
Now, specifically for Mr. Rammos, you said that having public and private stakeholders use this type of tool might lead to serious consequences. Now, based on your inquiries, do you think that private bodies might be involved in this type of market in Greece?
And for Mr. Menoudakos. Do you have any information about other European countries which might be involved and linked to some of these events, of the surveillance discovered in Greece and then through your work, how many companies might be implicated in Europe? And do you think the Greek authorities will facilitate cooperation with third countries?
And then finally, Mr. Menoudakos, you mentioned the complaint filed on our colleague, Mr. Androulakis. Can you tell us a little more about the dossier linked to the journalists that were also spied on? Thank you.
Jeroen Lenaers (Chair): Thank you, Ms. Bricmont. And we’ll start with Mr. Rammos.
Christos Rammos: I thank Mrs. Bricmont. I would like to say the following. The investigations concerning lifting of confidentiality in communications by ADAE investigation that are confidential by law, the law prohibits to Mention names. Or to mention a real a true event. It’s something I’m not allowed to do and I will not do. I cannot expand and mention who are the complainants, what we found. What I can say is that we have examined many complaints by political persons, by journalists. By ordinary citizens. All complaints are examined equally by us. We are advancing following the order in which they have been submitted. What we are planning to do is to complete these investigations at our level and an ADAE level. But ADAE, maybe you know this, can control the EYP. We are going to exhaust all the margins given by the law to investigate and find out what happens concerning the lifting of confidentiality of communication. According to the law, ADAE can examine the files of the EYP and we intend to do this, and I hope we will have the relevant reaction by the EYP.
How do you explain the small number of complaints? That was the other question. It’s not a small number. Every day we have approximately ten new complaints and now for the last month, it’s not a small number at all. People become more sensitive on the issue after the various publications, and this has led to people wanting and requesting information from us, independently of what information we can give. We are not the most competent authority. We have this three year period problem and procedural details that have not been yet clarified, unfortunately, and this makes some people impatient. They want a quick answer and they’re impatient. Now we have contacts with the judicial authorities. I have submitted twice. I have gone to the prosecuting authorities in Athens. I have been a witness there. And I went into discussions as well with the higher authorities in the prosecuting authorities. We constantly informed them concerning issues arising. Issues arising from lifting of the confidentiality of communications or by spyware.
Now, concerning private bodies, I imagine that the question of Mrs. Bricmont concerned the spyware. Because the lifting of confidentiality takes place after an order of the prosecutor. No private person can be implicated in this. If you mean that we have some business interests involved or businessmen, we haven’t found something like that. You see, there is no transparency concerning how this spyware is working. We cannot find easily some identity on the spyware to be able to give some reply on this, no matter how much we investigate. It’s a dark area there. And other countries, from what I know, at least, have not managed to investigate and find out who are really hiding behind this. And they are hiding and did not want to show themselves. That’s what I have to say. If I forgot something, I’m going to answer at another stage. Thank you.
Jeroen Lenaers (Chair): I think that was very comprehensive. Mr. Rammos, thank you very much. I will pass the floor to Mr. Menoudakos.
Konstantinos Menoudakos: I would like to answer the questions as briefly as I can. If we have information concerning the use of Predator in other member states, we have information. And serious indications I would say that it’s working, at least in two other member states, two other member states of the European Union. I do not exclude that it works in other countries as well. We are investigating it. We have serious indications for at least two member states of the European Union where this spyware is working. The cooperation between these surveillance authorities is something envisaged by the regulation. Of the surveillance authorities of the member states. This is envisaged by the regulation. But here we have an inherent difficulty, I would say. In most member states, the surveillance authorities have limited powers. This happens also concerning the Greek authority. We see that in the annual reports, but also it’s valid for most of the national surveillance authorities, controlling authorities of the European Union.
Cooperation with third countries. Cooperation with third countries can take place only through a judicial cooperation. This concerns the prosecuting and the judicial authorities. If we have various cases with journalists. I cannot give more analytical information on this compared to what I already have mentioned. I would like to say it is not excluded that also journalists were the targets of attempts for surveillance through Predator. I cannot say more. However, complaints from journalists we have not received. We have no complaints in general for the use of predator from public persons we have two complaints only. Coming from non-public persons. And we have also the reports of Mr. Androulakis and Mr. Spirtzis. All these are included in the general investigation that is taking place on our own initiative for people for which we have complaints. Very few cases. Or. To examine the extent of the use of Predator. At the end of the investigations. And after we confirm, who are the victims? Who are the targets of this spyware and to the extent. To find the initial senders. All these will be included in our conclusions. For the time being, we have no other reports because I heard the MEP, the lady, asking for information on our own reports. We have not prepared any reports even concerning the first stages of our investigations. Thank you.
Jeroen Lenaers (Chair): Ms. Novak.
Ljudmila Novak (European People’s Party): Thank you to both gentlemen for their interesting reports and good answers to our questions. I would have a question to Konstantinos Menoudakos. You mentioned a company you fined with €50,000 because they fail to provide the data. I would like to know on which legal basis you defined this fine. Was this on a national legislation basis or on the European legislation?
And the second question, what is the content of these 300 text messages sent to about 100 receivers? What was the content? Is it important, were they important as a content or were they sent just as a trigger which would enable installing spyware? So does content matter at all or not?
And then another question about companies established outside the European Union. Mr. Rammos, you mentioned sanctions and fines in case of the breaches of European law. I would, it would help us a lot if we learned from you what are the deficiencies you established in the European legislation which need to be improved in order for you to carry out your work with greater ease? I would like both of your authorities to be made independent as possible and to be as efficient as possible in the future. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Since the first questions were to Mr. Menoudakos, I propose also to first give the floor to Mr. Menoudakos.
Konstantinos Menoudakos: Now the fine imposed on Intellexa was imposed based on the General GDPR. Article 31. Imposing to the person responsible for processing the data to communicate the fact to the authorities. It’s a violation that leads to a fine. Based on the GDPR, we imposed the sanction.
The contents of the SMS differs. The contents is different. It varies. It was an effort to make the receiver press the link to press on the link. In order to have the spyware installed. The contents was, let’s say, friendly advices. Praise. Invitations for a specific action for a specific event. The characteristic was that they were cleverly worded SMS so that they could trap the receiver. This concerning the question of Mrs. Novak, thank you.
Jeroen Lenaers (Chair): Please.
Christos Rammos: Thank you, Mrs. Novak. ADAE covers cases concerning the lifting of confidentiality for national security issues. National security issues are the exclusive competence of the member states. They are not covered by the European legislation. That doesn’t mean, of course, that we do not implement in the cases of national security, the rules of the primary law and here are mentioning the Charter of Human Rights, of Fundamental Rights of the European Union. Article seven. That we protect, we have to protect privacy. And that’s why ADAE implementing the Greek legislation and in all of the interventions made by us before voting the law, we will always move within the spirit of the maximum possible protection of privacy. So that the ? we make between protecting public interest and national security on the one hand, and the protection of privacy on the other hand. All this to do to be implemented with the principle of proportionality, a principle of the European Union as well, in order to achieve the maximum possible protection. Thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. Heide.
Hannes Heide (Socialists and Democrats): Thank you, Chairman. And thank you also to both of these gentlemen for their very thorough information, especially to Mr. Menoudakos, who said that the attack on Nikos Androulakis was unacceptable. Now, my question is the two cases that both these authorities are dealing with? They talk about two cases in both of these authorities. Mr. Menoudakos talked about 300 SMS in 100 cases. Maybe both of these gentlemen could explain who is responsible for what, and why these numbers are so different from each other.
Jeroen Lenaers (Chair): Thank you, Mr. Rammos.
Christos Rammos: I would like to thank Mr. Heide. We have two cases we are investigating. I don’t remember the exact number of SMS. The receiver where the sender was trying to install the spyware on his phone, received the message behind the message was a false identity. And from there on, we had a chain of investigations that led into finding an initial number. We spotted their banking card data. And this could help, this data could help our investigations, and especially it can help justice to find the true perpetrator. We do not know how this person moved. They used an Internet cafe maybe, or used their false banking card. I didn’t say 300 messages myself. What I said, we are covering cases of lifting the confidentiality on communications, something done by the national authorities. On Predator, we have technical problems. The law does not give us the possibility to cover Internet fraud. However ADAE has decided that in the future will perform controls. Because we have other findings. Allow me not to mention the findings now. In order not to undermine the investigations, we would like to perform a general investigation. Control companies for which there is a possibility that they transfer. This type of links. Let’s say these false messages. That’s what I have to say. Nothing more to add. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Mr. Menoudakos.
Konstantinos Menoudakos: I think that the difference is due to the fact that the investigation of the authority, as I mentioned before, is the following. The Data Protection Authority has very few complaints. Out of our own initiative we begun the investigations and in general we’re moving of our own initiative. When we find some data, we try to move to the next stage in order to find the full picture of the use of the Predator. So this own initiative investigation led us to discover these 300 messages. We’ve begun having a list. A list of domain names. We discovered these through various sources. Two from the messages of Mr. Androulakis and Mr. Spirtzis. Many of these were published already. We discovered things. From Meta and from Google. They gave us data where they discovered that there was a use of predator in the European Union. When we found facts, we advanced in our investigations and that’s how we were led to the 300 messages I mentioned. The investigation continues. Maybe we’re going to discover more messages in the meantime. Thank you very much.
Jeroen Lenaers (Chair):Thank you very much, Mr. Menoudakos. There was a short follow up question of Sophie in ‚t Veld.
Sophie in ’t Veld (Renew): Yes, to Mr. Menoudakos, because you mentioned the companies that are part of this whole system, let’s say the whole set up outside the European Union. Is it possible to tell us which countries we are talking about?
Jeroen Lenaers (Chair): Mr. Menoudakos.
Christos Rammos: I cannot tell you. We all think United States in our minds, we have the United States. Because we have publications, relative publications in Israel, but this is not confirmed yet. On the one or the other point, we don’t have confirmation.
Jeroen Lenaers (Chair): Thank you. Thank you very much. That concludes our question and answer part of this second on our agenda, so thank you very much. Mr. Menoudakos Thank you very much, Mr. Rammos. Mr. Rammos, also for the third time that you have been kind enough to meet with us and please, we will continue our work in this committee. Please stay closely connected to the investigation that we do and feel free to reach out to us at any moment, and we hope to be able to continue our cooperation. Thank you all very much.
And then we move on to point three of our agenda. And I welcome Michael O’Flaherty to the podium. We will take a minutes to make sure we can all get seated in a comfortable way. And then we start with the next point of our agenda.
Panel 2: Michael O’Flaherty, Director of the EU Agency for Fundamental Rights
Jeroen Lenaers (Chair): All right. So the next item on our agenda is the presentation by Mr. Michael O’Flaherty, the director of the Fundamental Rights Agency of the update of the study on surveillance by intelligence services, fundamental rights, safeguards and remedies in the EU, which we requested as a PEGA committee. So I want to thank the Director, first of all, for being here, but I would also like to really thank him for already having provided a draft version of the report ahead of the deadlines for amendments to the report’s recommendations so that members can also refer to it in their amendments. I really appreciate that you’ve been able to work on this at such short notice. So I would like to give you the floor to present the draft report and then afterwards again, we’ll open the floor for question and answers with our committee members, please.
Michael O’Flaherty: Thank you very much. Chairperson, Honourable Members. Back in 2017, the Parliament requested the agency to undertake a report which was ultimately titled Surveillance by Intelligence Services, Fundamental Rights, Safeguards and Remedies in the European Union.
Back then, the report highlighted three important elements. The first was the very limited legal frameworks for signal or generalised surveillance. Second, the then very large diversity of oversight systems and frankly, serious doubts regarding the effectiveness of many of them and issues of transparency of their operation. And thirdly, the limited access, as a matter of fact, to remedies for violations of fundamental rights. And then back in August of last year, Chairperson As you mentioned, this committee requested us to do an update focusing on the different models for oversight mechanisms, mechanisms and remedies. And that’s, as you said, the subject of my presentation today.
Let me first take the legal developments since 2017. In the first instance at the EU level, well, of course, there was the adoption of the General Data Protection Regulation and also of the Law Enforcement Directive. Very importantly, there was clarifying jurisprudence of the European Court of Justice regarding the competency of the EU in these matters. In the joint cases of La Quadrature du Net and others, which clarified that the EU does have competency where security measures engage the actions of the private sector. Those same cases also gave us for the first time a definition of national security. These developments at the EU level have contributed to, they are not the sole reason, but they contributed to significant law reform at the level of the member states. We saw since 2017, legal changes either completed or still underway in 17 Member States. However, it’s telling to note that there is no evidence other than in Greece of spyware revelations as since 2021 at triggering reforms.
Now, just a brief word before passing on regarding the impact of the GDPR and the law enforcement directive. As sad to say, seven member States took the opportunity of the adoption of these laws to kerb the powers of data protection authorities in the national security context. And in fact just three enhanced the powers of the DPA’s. However, this can be counterbalanced by the fact that in some cases the kerbing was counterbalanced by the establishment of new oversight bodies such as here in Belgium.
Now, in light of the evolution of law since 2017, we see four oversight models in play within EU Member States. The first in five countries comprises authorisation of surveillance by a judicial body and the subsequent oversight by Parliament, a specialised body of the Parliament. Second, authorisation by a judicial body and oversight by the specialised body of the Parliament, together with an expert body. We see this in five countries with a variant in two additional. The third model involves authorisation by an expert body or the government, the executive, and then oversight by an expert body with a limited role for the Data Protection Authority and an oversight of a specialised a committee of Parliament. Fourth involves authorisation by a judicial body or the executive, and then oversight by the DPA and Parliament. And the fifth model involves authorisation by a judicial body and then no expert body, but rather oversight by a parliamentary committee that is not specialised.
Now the members might reasonably ask which model works best. This is beyond the scope of our current study. However, what we can offer is a test or elements in order to test the effectiveness of the model. Whichever one is in place. We put this test in our 2017 report and I am pleased to say that it’s been validated by subsequent jurisprudence of the European Court of Justice and the European Court of Human Rights.
In the first place, we obviously need a clear legal framework, honoured the principle of legality. In the second, and notwithstanding the oversight role of Parliament. We do need an independent expert body with sufficient powers and competence. And in terms of powers and competence, such oversight bodies need to have a match, must match the power and the scope and the jurisdiction of the intelligence services. Third, it’s not enough to have a matching mandate. We need the oversight body to have sufficient technical expertise. We need some manner by which the oversight body, this is fourth, can be subject to public scrutiny, albeit in recognition of the sensitive nature of the work. And finally, and this is perhaps the pre-eminent consideration we need to ensure continuity of oversight, ex-ante and ex-post. So in other words, the authorising body and the terms of its authorisation need to be fully echoed by then the monitoring body, which at a minimum needs to know exactly what the authorising body authorised.
Now, beyond these considerations, it’s important also to ensure effective remedies for the violation of the fundamental rights of individuals. Back in 2017, we flagged a number of challenges: the challenge of secrecy, of lack of expertise in dealing with victim issues, in oversight bodies, the the classic challenges of access to justice and so forth. And in this context, we flagged the necessary, the important role of non-judicial bodies with remedial powers. We also observed back in 2017 that there was a very low take up of remedies, as a matter of fact, across the member states.
And so what’s the situation today? Little changed. We still see a very low take up of remedies, albeit nominally at least in most member states. There are bodies that can deal with the complaints, and so we’d have to conclude that it is still a distant goal in many member States to put in place strong, independent, visible, well-resourced, non-judicial expert bodies designed to offer effective remedies while at the same time, of course, respecting the necessary considerations of secrecy and security. And so, Chairperson and honourable Members, to conclude, while it’s beyond the remit of our report, nevertheless it’s within the remit of our agency. I would like to take the opportunity to endorse the guidance that has been offered to us by the UN High Commissioner for Human Rights regarding the regulation of spyware, in particular in the report of 4th August 2022, called the Right to Privacy in the Digital Age. Thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. O’Flaherty, for the great clarity with which you have made your presentation and for the draft report once again. So we’ll now open the floor for our members. And I start with our rapporteur, Sophie in ’t Veld.
Sophie in ’t Veld (Renew): Thank you very much, Chair And thank you, Mr. O’Flaherty, for being here, but also for monitoring this topic very closely. I have to say I’m a tad depressed after your presentation because I think you confirmed pretty much what we also observed, that there’s very little progress in terms of improving oversight and remedies and what have you. And there’s actually very little political will to improve things. You mentioned low take up of remedies, but isn’t that due to the fact that many of the targets, the persons targeted, the persons put under surveillance are simply not aware of the fact that they have been targeted or that they do not believe that there’s any point in in seeking remedy because the authorities are going to hide behind the argument of national security. And, you know, they’ll get lost in endless procedures anyway. Those are that are not going to provide any real remedy.
Then you mentioned and I was interested in this, you mentioned that the only country where the spyware revelations have triggered reforms is Greece. Strictly speaking. That’s true. The only point here is that the rights of the victims of spyware have actually been restricted rather than enhanced. So can you, well, if you wish, you can reflect on that.
But then you also mentioned that there is the case of La Quadrature du net versus France, I believe, which in the ruling in those case, you say there a first rudimentary outline of the notion of national security or a kind of demarcation of notion of national security is given. You’ve seen that in my draft reports, and I hope this is going to make it through the final vote, I also recommend that there should be a definition of national security or rather a demarcation, if you want. Can you say a little bit how the definition in the ruling on La Quadrature du Net how that could be, how that could serve as a as a model for further steps? Thank you.
Jeroen Lenaers (Chair): Please, Mr. O’Flaherty.
Michael O’Flaherty: Thank you very much. And my thanks to Ms. In ‚t Veld on remedies. First, briefly, to say I will come to respond, but let me just say on methodology that we didn’t do qualitative interviews for this update. We simply looked at a desk review of law. But we did do qualitative interviews in 2017, and I can only agree with Ms. In ‚t Veld that that’s exactly what people told us, that they did not invoke remedies, perhaps because they were not aware or because they felt it was exhausting and ultimately futile. So that that was a finding in 2017. And we’ve no evidence that it has changed since then.
Under La Quadrature, I was searching for the definition here in my bundle of papers. The. I, let me first give you the definition, if I may, from the La Quadrature case. “National security”, they say, “corresponds to the primary interest of the member states in protecting the essential functions of the state and the fundamental interests of society, and encompasses the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country, and in particular of directly threatening society. The population or the state itself, such as terrorist activities.” That’s the courts definition, not ours of course, it’s the normative definition. It obviously can assist in building the frame for a definition.
Let me say, and this is a personal remark. I used to be a member of the UN Human Rights Committee, and we were very often challenged to define national security for purposes of our work. And we back then, in that particular context, felt that erecting an overly circumscribing definition was not necessarily helpful because of the ever changing contexts in our societies. But forgive me for introducing that. That’s just a reminiscence rather than a point, but it’s a challenging issue. Thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. Heide, would you like to?
Hannes Heide (Socialists and Democrats): Thank you, Chairman. And thank you for those comments.
(Interpreter speaking) Microphone, please. Microphone, please. Microphone, please. I can’t hear him.
Jeroen Lenaers (Chair): One second. The microphone of Mr. Heide is on, but I think there are some problems with the sound for some of the interpretation booths. Can we try again? No, it’s on, it was on.
Hannes Heide (Socialists and Democrats): I put it off and put it on.
Jeroen Lenaers (Chair): Does it work?
Hannes Heide (Socialists and Democrats): I’m going to be speaking German. Yes. It seems to be working now. Yes. Thank you once again, Chairman. And thank you to you – okay. Thank you. When you talk about the definition of national security, you need that is necessarily, therefore, because of our experiences in this overview that you’ve given us, I would like to have a bit more about how you define national security within the EU, how that could look, how it should look because of your experience. Thank you.
Jeroen Lenaers (Chair):Thank you. I think I just witnessed a record breaking headset switch at the English booth without losing any of the interpretation. So thank you. Thank you very much for that, Mr. O’Flaherty.
Michael O’Flaherty: Thank you very much. And thanks to Mr. Heide. I am,I really don’t think I can add much usefully to what I’ve already said, sir. The, it’s not our role to propose a definition. It’s your role as lawmakers. We what we can do is, is lay the groundwork in terms of the empirical data and the context in which you make such definitions. The concern is, of course, not to overly narrowly prescribe it or overly expansively prescribe it, because if you over expansively and this is the context of the point I made earlier for my UN days, if you’re very expansively prescribed that you will overly restrict the impact of human and fundamental rights. But I don’t think I can add any more than that. Thank you.
Jeroen Lenaers (Chair): Saskia Bricmont.
Saskia Bricmont (Greens): Thank you very much. I thank you for being here and for your findings. I have a question on the possible follow up on those findings, because only five countries, as you mentioned, implemented such models. That’s what you said, right? Is there any possibility to include this approach in the rule of law report, the annual Rule of law report, country specific reports, so that it becomes an obligation for the member states to have such a model in place?
You mentioned and then I follow up on the question of Sophie. The reforms taken by Greece, which is the only country that triggered reforms. But what’s your view on the reforms themselves? Did they have any positive implication, including on the access to remedy, in your view?
And finally, did you notice any limits in those five models you mentioned related to the concept of national security? Because depending on the definition that the member state would give to national security, even a very independent oversight body could have its powers limited in the name of national security. That’s why I think a common definition related to that kind of oversight and a minimum standard at EU level would be necessary.
Michael O’Flaherty: Thank you very much. What I actually, forgive me, I may have misspoken, but what I intended to say was just that just five member states have adopted legislation on signals intelligence, on generalised intelligence. And while it’s for you to determine what is an indicator of rule of law. But of course there’s no obligation on a state to adopt such legislation. Does an obligation on a state to make sure that in undertaking signal or generalised intelligence that it respects human and fundamental rights and that’s, that’s where the test is. The purpose of a of a legal frame would be to assist the state. So that is an objective rule-book for the roll out of such intelligence. Thank you.
Sorry. Forgive me. No, I’m not able to speak qualitatively about the Greek legislation simply because that was outside the scope of this study. This study was done quickly at the request of the committee, and we would need more time, more resources, more in-depth examination to provide you with a useful qualitative analysis, which would also for the agency, have to be within the remit of EU competency, which would mean by definition we wouldn’t have the full scope that you would have in such a review. Thank you.
Jeroen Lenaers (Chair): Thank you. Just this one final question, maybe from me, because what we’ve, what I’ve been at least somewhat struggling with sometimes is that there seems to be, in certain cases, a sort of a paper reality when we speak about fundamental rights safeguards when it comes to surveillance by intelligence. And the reality, in practice, for instance, in Poland, we were informed of many, many of our interlocutors that, yes, there is judicial authorisation for surveillance, but then if you get to the bottom of what is judicial surveillance or the judicial authorisation actually entails, it means that judges decide on a huge number of cases without really any proper information, not even the name of the target, the technique used, etc., etc.. How did you, when making this report and maybe a general reflection, how do you see this this sort of discrepancy sometimes between models that might look good on paper and in the legal framework as such, but then also how they are actually providing an added value in practice.
And then the second question, because we are the PEGA committee, so we look at Pegasus and equivalents spyware, and one of the I think one of the distinctive features of the spyware that we’ve been looking at compared to more traditional ways of spying or wiretapping, etc., is that you get you get retroactive information. If a judge gives a authorisation for a wiretap from that moment on, they can listen to my conversations. If a judge gives the authorisation to install Pegasus on my phone from that moment, they can see everything I do on my phone, but they can also see everything I already done on my phone retroactively. Does that, would that require a special kind of safeguard given the huge advance in technology also in in commercial spyware available that we see. Thank you.
Michael O’Flaherty: Thank you very much. The life of our societies is replete with marvellous standards on paper that aren’t delivered in practice. And it’s going to be no different in this context. But first, if I may say, not every model looks good on paper. I put before you five different categories of model, and then I match them up against criteria by which they can be tested. And if you match those criteria to the models, some of the models don’t look good on paper. But the second dimension beyond getting them right on paper is, what do we do to make sure that they’re right in practice? And for that, we need accountability. We need we need not transparency of everything in there. We’re not claiming that sensitive issues of national security should be proclaimed in the public domain, but nevertheless, a carefully structured accountability tools have got to be put in place whereby with public reporting of, ultimately of outcomes with a view to at the executive and the authorities being held accountable before their citizens.
In terms of the last. And let me say here no, let me just go straight to the last point, Chairperson. The key is not just to have authorisation of intrusion and intelligence gathering, but then to have ex-post oversight of such intrusion and intelligence gathering. And as I said in my earlier point, we need a continuity. We need a continuity between the authorising decision and the subsequent oversight of the intelligence gathering activities in practice. And we see gaps in this dimension in the operation of a number of the models and which are eminently fixable if you ensure that properly resourced expert bodies are put in place to complement and to work in tandem with what is typically the role of parliaments in the subsequent oversight. Thank you.
Jeroen Lenaers (Chair): Thank you very much Mr. O’Flaherty. There are no further questions. So that is a complement for the clarity of the report and your presentation. Then nothing rests but to thank you very much for your willingness to be with us this morning and for the excellent work the Fundamental Rights Agency has done under your leadership on this topic in general and on the report that you are now updating on our request. And we look forward to read the final version, of course. But we’re already very grateful to have this draft version in our hands while we are working on the report and the recommendations under the leadership of our rapporteur. So thank you. Thank you very much. Also, thank you to all the members who participated today. Our next meeting will be on the 9th of March at 9:00 in Brussels. And for the coordinators, we will meet this afternoon at 3:00 in this very same room and I look forward to see you there. Thank you all very much.