PEGA-UntersuchungsausschussStaatstrojaner gefährden demokratische Prozesse

Staatstrojaner bedrohen Grundrechte und Grundprinzipien des EU-Rechts. Das sagte der Autor einer entsprechenden Studie im Staatstrojaner-Untersuchungsausschuss. Der Vorsitzende der Geheimdienst-Kontrolle in Frankreich hingegen blieb vage. Wir veröffentlichen ein inoffizielles Wortprotokoll.

Serge Lasvignes
Im zweiten Panel spricht Serge Lasvignes über den französischen Geheimdienst. – Alle Rechte vorbehalten Europäisches Parlament

Dem Staatstrojaner-Untersuchungsausschuss liegt nun der zweite von drei in Auftrag gegebenen Berichten vor. Am 9. Januar war der Hauptautor Professor Giovanni Sartor vom Europäischen Forschungsrat zum zweiten Mal Gast im Ausschuss. Er stellte den Abgeordneten die wichtigsten Erkenntnisse der Studie „Die Auswirkungen von Pegasus auf Grundrechte und demokratische Prozesse“ vor. Sein Fazit fällt dabei deutlich aus: Staatstrojaner wie Pegasus stellen eine „Bedrohung für die fundamentalen Grundrechte und die Grundprinzipien des EU-Rechts“ dar.

Im zweiten Teil der Anhörung war Serge Lasvignes, der Vorsitzende des nationalen Ausschusses für die Kontrolle der Geheimdienste in Frankreich, für einen Meinungsaustausch mit den Abgeordneten zu Gast. Die Behörde ist unabhängig und soll den rechtmäßigen Einsatz geheimdienstlicher Methoden in Frankreich sicherstellen.

Von der Anhörung gibt es ein Video, aber kein offizielles Transkript. Daher veröffentlichen wir ein inoffizielles Transkript.


  • Date: 2023-01-09
  • Institution: European Parliament
  • Committee: PEGA
  • Chair: Jeroen Lenaers
  • Expert 1: Prof. Dr. Giovanni Sartor (Part-time professor at Faculty of Law at the University of Bologna and the EUI)
  • Expert 2: Serge Lasvignes (Chairman of the National Committee for the Control of Intelligence techniques)
  • Links: Study, Video
  • Note: This transcript is automated and unofficial, it will contain errors.
  • Editor: Anna Seikel

The impact of Pegasus on fundamental rights and democratic processes

Jeroen Lenaers (Chair): Okay. Dear colleagues, if everybody could take their seats, I would like to start the meeting first by wishing everybody in the room and those who are following us online a Happy New Year and welcome to all members and substitute members to the first big committee meeting of 2023. We have interpretation in the following languages today: German, English, French, Italian, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian. The agenda is pretty straightforward, so I unless there’s any comments, I consider it adopted and we will start immediately with the first point on our agenda, which is the presentation of the study that you all have in front of you: “The impact of Pegasus on fundamental rights and democratic processes”.

Now several proposals were made by groups, and we have three studies commissioned. The first one we had in December a presentation on the existing legal framework. Today we’ll have the presentation of this second study that I already refer to. You have received a draft of the study before the Christmas break, so you have some reading materials for your Christmas holidays, which I’m sure you will appreciated. The study analysis, as you will have read the impacts of the use of Pegasus and similar spyware in the EU or targeting EU citizens on Article two of the Treaty of the Union on values, Privacy and Data Protection and on democratic processes in Member States.

Now, to present the results of the study, we welcome Professor Dr. Giovanni Sartor from the University of Bologna and the European University Institute. You previously took part in our panel and the hearing on the impact of spyware on Democrats, democracy, and electoral processes. And I’m very happy to welcome you back here to present the main findings of the study. I will give you the floor for about 15 to 20 minutes to present the main findings of the study, and then we’ll obviously open the floor to questions from the members present here. Members who would like to take part in the Q&A, please indicate so during the presentation of Professor Sartor so we can have the speakers list ready immediately after his contribution. So, Mr. Sartor, you have the floor, and once again, thank you for joining us again.

Prof. Dr. Giovanni Sartor: Thank you. Thank you very much, President. I’m very happy to be here to the European Parliament and to present the results of my analysis of the Pegasus case. And this analysis focuses on this particular software and examining is impacts on fundamental rights and democracy and the rule of law. However, I believe that the outcome is relevant for other spyware tools. In particular are those of the device hacking type which secretly interfere with the devices of individuals and in particular with smartphones. And next slide, please. Okay.

So, the social and political debates and legal analysis decision making also by the European Court of Justice have so far addressed mainly the phenomenon of mass surveillance which involved the indiscriminate collection of the data of US citizens to identify criminal activity, security risks. But the data can also be used that have been used for further political or economic purposes. We all heard about the PRISM case, the Snowden revelations and the ECJ as intervene in values cases and on them on this kind of surveillance.

But here we deal with a different case, a different kind of surveillance, which is directed against the targeted individuals. And targeted surveillance may seem to present a minor risk since it is directed against the specific individual because of reasons concerning them. But it also allows for abuses and may have a great impact on society as a whole. So in particular, secret targeted surveillance through device hacking by interfering with individual devices and in particular mobile phones may have a vast impact, an impact which is larger and deeper. And to the same extent that as it is large and deep, they use, we make of these devices in particular smartphones, they have become our entry point to the digital dimension in which a large part of our life takes place.

So, as you can see from the from the slides, the intruder may have access to all information on the device that memos, messages, emails, photos. Moreover, the device can be activated remotely so that its microphone records the physical conversation that of the victim the targeted person is having. The camera may take photos of the physical environment, the place where the victim is. Moreover, the content of the device can be manipulated. The fake text that can be added, the fake messages can be sent, and so on. Please. Next slide.

So, the most relevant feature of Pegasus are the and described in these in these lies that these and spyware like and other similar tools allows for a complete access to the phone which involves the extraction of all data, which is there, the monitoring of conversation messages being signed, the arrived activity being done on the phone that, name was being written and so on. But also, the active memory monitoring which takes place when the features of the phone, such as the microphone and the camera, the possibility to send two stored messages are used the by the intruder and zero click attacks. It means that the attacked person doesn’t need to do anything for the attack to take place, not even to click on a link, which makes it more difficult to know, to be aware that something is an attack is taking place. No trace is left so that the targeted individual may not be able to know that even after the event that something has happened that the possibility to manipulate the content and that the transmission of data from the victim to the intruder takes place through a multilayered environment involving videos that is built in such a way that for the victim, it is impossible to trace the identify and trace the intruder.

Next slide. We already know from many inquiries that have been done concerning the use of Pegasus that this software has been used to last extend to all over the world. 60 agencies in 40 countries apparently have purchased it. And we also know that there is an extensive evidence, according to which not only individuals involved in organised crime, terrorist activity of hostile foreign powers have been targeted, but also human rights activists. The opposition, not lawyers, judges, foreign leaders, even on friendly countries.

And thanks to the inquiry developed by the Pega committee, we know that there are 22 users. There have been 22 users of Pegasus in 14 member states. We also know that in the US NSO, the company producing Pegasus, has been blacklisted, that you cannot have a contact with the US agencies or also companies. And there are litigation spending cases started by companies such as Apple and later the producers of Facebook against the NSO. And next slide, please.

It is important to stress that software like Pegasus affects not only individual citizens, but also the very the basic principles of a well-functioning political community. Democracy and the rule of law are at stake. So, when citizens are spied on, they can be intimidated into abstaining from political interaction, expressing their views, associating with others, just because they consider the possibility of being watched by when engaging in these activities, and that the adverse actions against them may take may take place. But we must also say that there are some individuals that play a special role in the public sphere and in politics in particular journalists, politicians, and activists. And attacks against these individuals may have the largest social effects. Spied on journalist, politicians, activists can be subject to repression, manipulation, blackmailing, falsification of the messages, defamation, and the electoral process itself can be affected. Because the people that are candidates to the elections or those that may consider participating in elections, may be subject to manipulation and fear and be unable to exercise their right to engage effectively in in the electoral process so that the outcome may be influenced by the surveillance.

I remember having attended the hear the testimony, for instance, of the Polish Senator, Krzysztof Brejza, who stated that he had been subject to pervasive surveillance during the 2019 elections, including wiretapping, theft of correspondence, specification of data. And the data was selectively used and misleadingly presented in the context of a defamatory campaign which was aimed to influence elections. So, Pegasus or similar spyware may also have an impact on democracy and also on the rule of law. To the extent that their use is not subject to legal regulation and an appropriate and appropriate controls. Next slide, please.

So, we must say that the use of power by state agencies is usually justified under the need to address the serious crimes or threats to national security, such as in particular terrorism. Unfortunately, it has happened all over the world that under the pretence of national security, partisan political interests or the repression of the social and political dissent has been pursued. And there is extensive evidence that individuals have been targeted that have no connection, at least no apparent connection to serious crimes or to national security threats such as I just said, the political opponents, activist lawyers, journalists, and this has happened in many states, in various states all over the world and apparently also in some European countries. So, a situation which is really a worrying. What shall we do about that; in particular, what does the law tells us in connection to the uses and abuses of the Pegasus and other kind of surveillance tools?

Let us go to the next slide when we have a look and a quick look at the UN framework. First, in particular, we have here the International Covenant on Civil and Political Rights, which has been ratified by all Member States. And just to distil a lot of the norms, the decisions reports, we can say that in this context the targeted surveillance should be limited as necessary and proportionate and should be proportionate for legitimate purposes, surrounded by legal safeguards and supervised by independent authority. The UN rapporteur has gone beyond that, asking for a moratorium on the use of spyware, at least until a regime is in place for ensuring compliance with human rights. Next slide, please.

Another very important body of law that concerns the use of spyware can be found in the European Convention of Human Rights and in the case law of the of the European Court of Human Rights. Where we can, again, to extract, in a few words, the essence of these of these legal regimes, we have that the covert use of spyware may be lawful, but only if the use of the spyware is for a legitimate purpose. Pertaining to those limitations, the distinction, those purpose that justify a limited limitation on the affected rights and a wish that is also national security together with law enforcement under an adequate legal regime, independent supervision according to necessity and proportionality with effective legal remedy, and in particular the requirement that those individuals that were subject that were spied on the would be notified as soon as these is possible.

Let us now move to the last framework that I am going to consider. That is the European Union law. And next slide, please. Here we have the target that the surveillance is relevant to, certainly to fundamental rights as included in the charter, but also to the principle in the charter, such as the principle of democracy. Given the impact that surveillance, targeted surveillance may have on democracy, the rule of law and matters also values instruments of EU secondary law, such as in particular data protection law. Next slide, please.

I conclude quickly. Okay. What fundamental rights may be at stake? We have obviously, privacy and data protection that unnecessarily interfered by any use of covert use on covert surveillance, but then also freedom of expression and non-discrimination, the right to engage in collective action, the right to elect and to be elected, given the interference on elections, the right to effective remedy and to a fair trial, which requires that that the individual which were a targeted may have the possibility of knowing that these took place and to access ineffective and judicial remedy. And then also the basic principles of dignity and freedom.

Let us now focus on the issue of national security. And as we have said, as I said, that the use of spyware for purposes of national security and as this raises an important issue, because the concerning the applicability of EU law and in particular are the fundamental rights included in the charter. This is because on the one hand, a threat to national security may justify the surveillance, but these should only happen according to the principles that are stated in the Charter. However, according to the treaties, national security is the sole responsibility of each member state. Does this mean that the activities aimed at national security are excluded from the EU law? That EU law has nothing to say about them and that each state is free to engage in them in the way that it sees fit?

That we must then consider two issues in this regard. First, that the use of the spyware, spyware must really concern national security and not be directed to further purposes for these four issues to pertain to the other side of the national competence concerning national security. And secondly, we need to consider that even an activity which pertains to a reserve the national competence, may be relevant to European law when it interferes with the domains that are regulated by EU law. And if this is the case, then the fundamental rights of the charter may have to be applied. And there is an extensive case law according to which measures pertaining to competence that are reserved to Member States can be subject to EU law when they interfere with domains that are regulated.

Just two examples’ Laws concerning education in Member States may regulate the appointment of teachers, and at this point they may interfere with freedom of movement. Or data retention measures are imposed on providers for the purpose of national security, interfere with their way in which a provider’s exercise that activity and thus they may be governed and limited by EU law, and in particular by the data protection law and the Charter as it happened in the decisions of the EU Court of Justice concerning data retention.

And next slide, please. So we have, may be interesting to consider again that the according to the ECJ and restriction of fundamental rights and data protection norms are permissible for the purpose of national security and to a lesser extent for combating serious crimes and preserving public security, but only to the extent that they respect the legality and proportionality. Next slide, please. An important issue, however, is raised then by the fact that that should – sorry. Let me go back. So, the basic idea is that also activities concerning national security are subject to EU law to the extent that they interfere with domains that are regulated by EU law. However, we have this problem that the application of data protection laws are excluded from activities concerning national security. But again, we may argue that these exclusions only apply to measures that are affecting other activities exactly for the purpose of national security. And only to the extent that the national in being excluded from the scope of data protection law the remedies provided by data protection law seem not to apply to this measure.

This is the two fundamental instruments are included which are the GDPR and the ePrivacy directive. Obviously, if a state where to order providers or to cooperate with the state authorities in the installation and use of space of spyware, we would consider that in this case there is an interference in the regulation of the activity of the providers that would fall under the data protection law. But this would not be the case when this data was engaging directly in the processing of personal data in the state, in the use of spyware. Or was contracting private companies exactly for this for this purpose. So, there is the limitation of data protection law, the exclusion of data protection laws from the inclusion of their application in the domain of in the activities of national aim, that national security is really a problem, I think, within it with EU law. Next slide, please.

This is not the case for the processing of personal data for the purpose of law enforcement. When spyware is used for law enforcement it falls within EU law and in particular within the law enforcement directive. According to this directive, the use of spyware is permissible, if necessary, for the performance of a task, which is carried out by a competent authority for the purpose of law enforcement and which is based on union law or a member state law, and must be based on union law, on member states law.

We may wonder whether this kind of regime should ideally be applicable also to national security. This is not the case, as I said, because both the GDPR and the ePrivacy directive do not apply to national security. And this is not and there is no regulation similar to the regulation to the law enforcement directive. So, there is a kind of a gap in EU law with regard to the processing of personal data for the purpose of a national security. And I must also say that some law enforcement agencies, in some member states in particular, this seems to be the case for the Polish Central Anti-Corruption Bureau, are labelled as pertaining to Social Security so that they are not subject to the law enforcement directive, which concerns law enforcement. And this is also an aspect that that should be considered and that EU law are correctly implemented as are probably going against the correct implementation of the law enforcement directive.

„Bedrohung für die Grundrechte und Grundprinzipien des EU-Rechts“

Let me now go to the conclusions of my work. Next slide, please. So, spyware threatens fundamental rights. And beyond that, the principles of representative and deliberative democracy and the rule of law. Issues is not necessarily unlawful, but to be lawful to eat the mass to satisfy certain stringent conditions: legitimacy, legality, necessity, balancing and consistency with a democracy. What can we do in this context to improve the current situation? Next slide, please. So, there is the need to circumscribe the material scope of national security when not to using it as a spurious justification. So, in order to further the use of spyware by national authorities to fall under the national security and therefore be considered pertaining to and to serve the national competence that justifies the limitation on fundamental rights and to which end which is excluded based from a certain data protection regulation. These activities should really concern national security.

Secondly, we may wonder whether the personal scope of national security should also be reconsidered, in particular when private parties are deployed. That is, there is the requirement that the competent authorities engage in data processing for law enforcement should something similar be required also for national security. And then there is the need to include the national security activity within the scope of data protection law from which it is currently excluded, this would be a very important improvement with regard to the existing legal framework. And next slide, please.

And then there is the need the for European authorities, the Parliament, the Commission to support the adoption of adequate framework at the national level, which include a set of principles that I have listed that in these slides, the legality and the regulation by law, legitimate end such as a real and national security, law enforcement, necessity, proportionality, competent authority that adopts the relevant decisions, due process and also public oversight, the security and certification measure, and also the fact that that the tools should be adjustable so that there is a some degree of assurance that they are going to be used only for the purpose and within the limits for which they are used has been authorised. Next slide, please.

We may wonder whether Pegasus is consistent with these principles. We have evidence that the growth curve should not always concern the national security, the in articulate legal framework arguably it is missing. Less infringing means in many cases that would be available. In some cases, this use would be, in many cases, would be unbalanced. That involving interferences that outweigh the advantages. And it has been used that against the democracy for partisan purposes and interfering also with electoral processes.

So, what can be done, quickly finishing, a consistency applied EU law? It would be important, I think, to reject the council proposal concerning the privacy regulation, which would completely exclude that, and any activity aimed at national security from the ePrivacy regulation, which means authorising interference is on individual devices. Urge states to deploy spyware to equip them with adequate organisational, technological, and legal frameworks. Engage experts in civil society. Last slide, The next slide.

So there has been the proposal by the UN rapporteur on a moratorium on spyware. And I don’t know, I have some doubts on an absolute moratorium since all European states are using some kind of spyware and there are many experts and people involved in police and enforcement who believe that some kind of spyware may be a useful tool to be deployed in certain situations. But still, we may have a presumption against spyware unless the state convincingly shows a willingness and capacity to prevent all abuses. The existing known abuses would found a strong presumption to this effect. And then I think the states genetics would be urged to ban the use of specific spyware tools that were such as in the case of Pegasus, there is clear evidence on unlawful uses even in other countries. So this would be my final suggestion. And with this, I conclude my presentation. Thanks a lot for your attention now.

Jeroen Lenaers (Chair): I thank you very much for the elaborate presentation, Professor Sartor, and gave a little bit leaning on the time because it’s also very important to have this presentation of your recommendations and conclusions. I think they’re very valuable for our committee. So, we’ll move straight to the question and answers. And we’ll start with our rapporteur, Sophie in ’t Veld.

Sophie in ’t Veld (Renew): Yes, thank you, Chair, and let me use the opportunity to extend my very best wishes to all the colleagues for the New Year. And let’s make this a year where we are going to actually do something very good for democracy and fundamental rights. And I would like to thank Professor Sartor for his study, which actually coincides very much with what we had already put in our finding’s documents.

But I have two concrete questions. One or three, maybe, two and a half. One is on national security, national security. And it is very problematic because member states themselves define what national security is. So, they could theoretically declare that anything is a matter of national security and place themselves entirely outside the scope of European law. I understand, I had a talk with an expert last week about national security in the Netherlands, and I understood that the matter of road salt in terms of, you know, freezing temperatures, that is a matter of national security. So, you see it could be it could be just anything. So, but the commission has written to a number of member states saying that national security cannot be unlimited as a notion. So where do you think the limits lie? How are we going to circumscribe it as you as you said, is there a limit?

And then secondly, and this is well, almost a rhetorical question, if you with everything that you have listed, how the use of spyware impacts on fundamental rights and democracy. Would you agree with the conclusion that member states or at least some of the member states have definitely violated EU law and treaties? And do you see any effective remedy for victims, because that’s one of the problems. Apart from the impact on democracy, the victims don’t seem to have effective legal remedy because they can only go to a national court and only when they have a ruling by a national court, they can go to European court. But national courts don’t rule. So, they are stuck. So how do you see that in terms of citizens’ rights?

And then one last remark, because you refer to the proposal of an absolute moratorium in the report. That’s not actually accurate. What we are proposing is very much in line with what you said, namely a conditional moratorium or, as you call it, a presumption against spyware. Unless a member state can prove that it’s using it in a responsible manner.

Jeroen Lenaers (Chair): Thank you, Sophie. Just to clarify, you referred to the UN rapporteur not to know to you as a proposal, but our first floor to you to answer the questions.

Prof. Dr. Giovanni Sartor:. Thank you very much for these answers, which are really important to this question. So, you can ask questions which are really important, and I appreciate it very much and the rapport by the commission that you have chaired, it was great, the great work and the in the investigative work and also why you put it together.

So, going to your first question, what is within national security? It seems to me that when national security is used there and obviously each nation, each state can define national security, how they see fit for their own purposes, as long as it is consistent with their constitutional framework. But when this concept is used within the EU law, even to limit the application of EU law or to restrict the application of certain rights and provisions of EU law, we should try to interpret it to give an interpretation of it based on EU law. And obviously, I think that in principle national security should not concern and something that put that question put at stake and a political community as a whole. Certainly, activities by foreign states, at the best activity by foreign states are certainly the threat of terrorism. So, there are certain things that that that are certainly inside the national security, but there are also certain things that are certainly outside of it, such as the pursuit of purposes that pertain to partisan politics, attacks on opponents and on the press, on journalists.

So, I think that we should be able to, even if you are unable to provide a clear definition of national security, we should be able to determine the certain things are certain inside of it and certain other activities that are certainly outside of it. And when we are outside of the scope of national security, then the activity does not qualify for the legal treatment of national security. And that may be a violation of the fundamental rights and democracy. Also, where an activity is meant to achieve a national security that may be a violation of fundamental rights and democracy. And when the condition for the restriction of human rights, fundamental rights in particular, do not apply. So, but this would be a task in I think there should be attempted at the task to clarify what counts of national security in the context of EU law. I do not have an answer to. I think that we can say that something is settled inside of it is something outside of it, but that this is a task for legal scholars, but also for a European institution to engage in these in this definition.

And the second question now, the easiest question is the question about the moratorium. I was referring to the proposal of the UN and not to the proposal by the PEGA committee, with which I think I agree. And so, on this point, the answer is easy. Concerning effective remedies for victims, there is the problem that you have to go to the national institutions if data protection law applies, they may also be the data protection authorities besides the national courts and issues can be raised in front of the European Court of Human Rights, which, as you know, has also stated that the possibility of being subject to targeted surveillance in the absence of adequate national remedy, justifies raising a case in front of the European Court of Justice. They may be allowing that to be to be pursued. And then there is also the possibility of raising a case in front of the European Court of Justice that I know, and I think, Sophie, this is an issue on which I also have no clear answer to provide. But again, I think it’s a challenge both for the legal expert and also for institutions to try to provide a framework where effective remedies can be provided.

Jeroen Lenaers (Chair): Thank you very much. EPP, Karolin Braunsberger.

Karolin Braunsberger-Reinhold (European People’s Party): Thank you for coming. Thank you for your work. And thank you for introducing the study. So, thank you for being here today. Thank you for your work and thank you for presenting this study. You mentioned that you got a rejection, that you would recommend a rejection of the ePrivacy proposal in the Council. And I would like some more information. Why? What is problematical about it, in your view, and what should be amended to get it through the council? Thank you.

Jeroen Lenaers (Chair): Thank you. Professor Sartor.

Prof. Dr. Giovanni Sartor: Okay. Excuse me. The problem with the council is that there has been, as you may know, we already have the ePrivacy directive. And there has been a case involving the French legislation concerning. This is a domain of the mass surveillance and collecting data for the purpose of the prevention of terrorism that pertains to national security, and that the Court of Justice has argued that the way in which the French law was framed was against the then against EU law.

So now we are going to have a the ePrivacy regulation that would substitute the privacy directive. And there is a proposal of a change in the regulation where a provision is included, then I think it is included in the report. Now, I’m not finding the exact words, but then they said the idea by the council is to include the provision according to it – Okay. Thank you very much – according to ePrivacy regulation, the ePrivacy regulation is important because it governs the interference with individual devices. This is exactly what is at issue here. “It does not apply to the protection of fundamental rights and freedoms related to activities which fall outside the scope of union law. And in any event, the major processing activities and operation concerning national security and defence, regardless of who is carrying out those operation, whether it is a public authority or a private operator acting at the request of a private authority.” So, the idea is to expand the extent upon which the privacy regulation or to make sure that it does not apply to any activity concerning national security, which means that at least in the intention of those introducing these closer, whatever the state does, interfering with individual devices for the purpose of national security should not be scrutinised under European law. Maybe this purpose will not be achieved, even if this provision is included, but this is the direction which is aimed at, I think.

Jeroen Lenaers (Chair): Thank you. For the S&D, Thijs Reuten.

Thijs Reuten (Socialists and Democrats): Thank you so much. And thank you for your study and for sharing your knowledge with us. The national security argument has been touched upon already by my colleague. And of course, that is an argument that also we in our mission in Greece, for example, have come across countless times of abuse of this argument. But I want to touch upon another layer, I think, of this national security argument, because it is also, as such, embedded so deeply in some countries in the legislation, in the relevant legislation, and the functioning of this legislation, that that it’s almost inevitable to end up in a dead end street of any arguments relating to this by default, because you are violating the law by default, even by raising a question or let alone answering one on the topic.

So have you come across, I know it’s not part of your study and discussed, but I hope that that you have come across during your study on the different types of legislation, particularly in the European Union. And have you discovered two types, two schools maybe, of thinking that could lead us to some kind of idea, give us some idea on how you should who should scrutinise this type of legislation in order not to end up in these like sorts of vicious circles? If I make myself clear where you can never escape, because it’s you’re violating the same law by revealing something. So maybe I’m not entirely clear, but I hope that you can say something outside of the scope of the study about the different types of legislation in the different member states.

Prof. Dr. Giovanni Sartor: So thank you very much for your question. I may say that I am not fully prepared to answer it, but what I would say that has been, especially after the terrorist attacks in the last years after, that has been that in many countries in the world, an extension of the concept of national security and the scope of the activities that may be justified by appealing to these to this ground. And moreover, there has been recently the tendency also to include them in national security many aspects, such as the prevention of not only human activities, but also natural disasters, climate change and so on. How can we handle this kind of a notion?

So, on the one hand, you may say it is good that because then as we are interested in the terrorist but we also get interested in climate change, because both fall under the umbrella of national security. On the other end, since national security justifies the limitation of human rights. And you might wonder whether we are doing a good service to our community by using this concept in them in such a way. And I do not know really what is the best outcome. I think that at the national level defining something on national security means defining it as being particularly relevant for the national community at stake. So, this is something which I see as something for the member states to determine unless the EU law is involved. And as I, I think that we should be able to elaborate a concept, a notion of national security, which concerns those cases when we use it to limit the fundamental rights and also to consider interference, which a fundamental principle of EU law such as democracy, the rule of law.

So, we need to, I think, to separate the national layer and the European layer when developing these concepts. Otherwise, it would be very difficult to have an idea of national security that can be effectively used to determine when a certain measure is lawful or not in the context that in the context of EU law. But yeah, but this is something that is a challenging study on which I would like to do more work in the future. Even though I think that only an institutional response may be able to provide an answer to the question that you are raising. It’s not an issue for legal scholars, it is also for legal scholars about the decisive and this matter. It calls for an institutional choice, I think.

Jeroen Lenaers (Chair): Thank you. Rosa Thun.

Róża Thun und Hohenstein (Renew Europe): Thank you very much. Sophie asked about the remedy for those people who are either in danger of being surveilled or were surveilled. Amnesty International, for example, proposes that everybody who was surveilled should be informed afterwards. And if nothing was found that justified the surveillance, that there should be a compensation. What do you think about this? A compensation and obligation to inform the person about what happens with all the data that were collected, how they are processed, or if they are destroyed or not? Do the citizens have such rights? Can we demand it? Is there a chance that it will be realised?

Wir sind ein spendenfinanziertes Medium

Unterstütze auch Du unsere Arbeit mit einer Spende.

And another thing I wanted to ask you; you spoke about proportionality assessment that should be carried out. By whom? By European Commission? And you write, ultimately, you was on your slides, ultimately by ECJ. But. As we know, the European Commission doesn’t react when it knows and when it has proofs that there were people surveilled completely outside of the scope, which you described in the beginning of your intervention. Like a member of Parliament, Brejza, or prosecutor Ross, the Commission knows about those cases and doesn’t react. How can we explain this at all? Yes. Thank you very much.

Prof. Dr. Giovanni Sartor: Thank you. Thank you very much for your challenging question. I think that, you know, the answer matters to me. Under remedy. I think that Amnesty International raised two interesting point that there is according to international EU law, in fact, international law, in particular, that according to the case law of the European Court of Human Rights, there is the right to an effective remedy that presupposes that people are notified of the fact that they have been surveyed. And obviously, when there is a real risk, when there is a real need for national security or for law enforcement, the people cannot be informed when the surveillance is taking place. But just as soon as that is there, it is possible to inform that without affecting the purpose of the surveillance measure, they should be notified. And since it is an unlawful behaviour, there should be compensation also by, I think by civil law and unlawful activity taking place. Somebody is being harmed. There should be a compensation.

But now the problem is that for this to for this to take place, there should be a national authority who provide the notification and then there should be judges, an independent decision maker that then checks what is taking place and if the measure was unlawful grants the compensation, which is not apparently the case. There is the possibility, I think, of raising a case in front of the European Court of Human Rights when the application of EU law is involved, such as data protection law. There is also the possibility of, but then that it needs some collaboration by national judges in any case, of raising a case in front of the European Court of Justice.

But I think that we have quite a distinction between what is what should have been according to the law and what is likely to take place, given not many political and other legal arrangements that are in place. So, we have to face the fact that that the remedies that should be available may not be available. in particularly setting in certain countries.

And concerning the European Commission and the inactivity, I think that there may be political reasons, as you know better than me, why the commission doesn’t want to start the, in this particular context, challenging activities by the member states, even though I think that as guardians, if they want to play the role of guardians of the treaty, they should of guardians of the treaty, they should be active in engaging with these with these serious violations of EU law and of the basic values that underlie the European Union.

Jeroen Lenaers (Chair): Thank you very much. Ms Delbos-Corfield.

Gwendoline Delbos-Corfield (Greens): Yes, thank you. I have three questions. The first one is in your, one of the conclusions you have this text about adopting adequate legal framework at the national level with 12 items coming going from legality to technical adjustability. We’ve spoken about the abuse of national security justification. You’ve also really clearly targeted the fact that national security, we also have the problem. It doesn’t. it’s not in the scope of data protection law. But if we were going after all of these topics and we do look at the legal frameworks of each national level, would you say one of the EU members states doesn’t fulfil these 12 points? Because I would think that they do. So is this a formal sort of way of putting things? Because we know that in fact it was political reasons behind all of this? Or do you really think that we have flaws in some member states? You know, when we talk about adequacy, proportionality, I mean, do we have flaws in legal framework? That would be my first question.

My two other questions are about your conclusion. In the conclusion you talk about this UN proposal of moratorium, total moratorium, and you say you’re not convinced, because you think a genuine moratorium would be difficult to do. But you talk about what I understand being different rules for different countries. How would this legally be possible? I mean, what would be a country in the case we are in front of? EU law doesn’t allow the fact that you can do rules for some member states and not for others. So, I don’t exactly understand. Could you elaborate on this idea that you have that this moratorium would be only affecting those member states that clearly abused the rules and those that had not and could use the devices? This is not clear for me.

And the third question is, is the point that you show after. Do I understand well that you say that in the case of Pegasus, by its nature, anyway, it should have moratorium because it is not at all, it cannot be proportional in any case. Do I understand well that this is your conclusion Pegasus specifically.

Prof. Dr. Giovanni Sartor: Thank you very much for your question. I hope I can give some and at least provisional answers. So, the first question was whether there are, whether those principles that should govern the use of spyware are respected in all member states. Now, I have not engaged in the detailed analysis of the regulations in the different member states. But, for instance, there are some interesting observations that have made, I think it was on Poland in this case that by the Venice Commission, the commission that was set up by the Council of Europe, which concerns mainly the domain of law enforcement, but also on national security, where they observed that the legislation in Poland was not adequate and that for them. Focusing on the first requirement, which is the requirement of legality, the European Court of Human Rights requires that the law is clear enough so that it enables citizens to know that that they may be subject to surveillance under precise conditions. And moreover, there should be notification and effective remedies enabling them, which by an impartial authority, and at least according to the Venice Commission, these requirements were not fully satisfied.

And concerning whether I was arguing for different rules for different countries, my proposal. First, I would like to distinguish what is a political or a moral obligation and what is a legal obligation. So, the presumption against spyware and I think would be against all states, unless it is apparent that there is a willingness and a capacity to prevent abuses. If there are abuses in a state, this means that the willingness of the capacity is missing. And so, this would be a kind of general presumption against the spyware.

And concerning Pegasus, I think that my view is that since there are so many abuses related to it in different states in the world, that continuing to use it and to pay the company that is developing and distributing the software would involve a kind of political or moral complicity in this kind of activity. So even when, even if the use of Pegasus might be lawful, still, according to myself, it would be better not to use this particular software, given the context in which it has been used, which involve also necessarily in the way in which it is managed, it is distributed, it is developed.

And so it seems to me, my idea is that there should be a presumption against spyware, against the lawfulness of spyware for all for all states, unless there is evidence of this willingness and capacity. And secondly, that on the ethical and political grounds, it would be not better to avoid using the product as a system that has been involved in so many abuses all over all over the world. This will be my position on this regard, which it seems to me at least to some extent also, that the report by the PEGA Commission.

Jeroen Lenaers (Chair): Thank you. Mr. Todurache.

Dragoş Todurache (Renew): Thank you very much, Professor. Two questions. One, in one of your conclusions, you recommend engaging experts in civil society in a political, ethical, and technological debate on the use of device hacking systems, which is a good recommendation. I share it, but I wanted to see whether you could also envisage a broader role for experts in civil society. And I specifically refer to methods, modalities, including capacities to investigate possible infections of phones. Who do you see best fit to provide such independent verifications of deployment of spyware? Right now, we kind of rely only on citizens lab or others, and those methodologies are sometimes questioned. So again, who will you see best to do that and whether you see a role for exposition in society?

And the second question, or at least what you just explained now on this reversed presumption, which I understood correctly, means that the presumption would say that spyware is bad unless individual countries would be proving themselves according to these criteria, that they are doing what’s necessary in order to make their use legitimate. How would you see such presumption codified? If I understood it correctly, you would see this rather political, so it would only have some sort of a political moral standing? Or would you also see it codified sometime somehow, legally? And if so, where, and how? Thank you.

Prof. Dr. Giovanni Sartor: You raise a very difficult question on the first one. I have to think more on what, on who could be able to exercise an effective control over the use of spyware? I think that we have to think about that. The role might be played by data protection authorities who also have some technical competencies. I don’t know. ENISA for instance, the European framework has been playing some significant role to play, even a larger role, I think, in this in this, in this domain. We may want that also certification authorities, whether they could play a role on that. But I must say that I don’t have an answer. And maybe I have to learn from you in this regard.

Concerning the suggestion of this, the presumption, I think that within the human rights law, it is generally assumed that the state has to show that they are able to respect and protect human rights. So, it would be a kind of presumption that this was illegal. I think as a legal meaning, I would distinguish in my two suggestions on one hand to have, and then this presumption, then it is even not even a presumption, if there are abuse in taking place in within the state, that then we can really conclude that that the either willingness or capacity are missing, unless it is a prove that that it was just an exceptional event and that measure taking place to deal with it. The concern is that the recommendation not to use Pegasus given the number of abuses in which it has been involved, the these I see not as illegal, but more as a political or moral indication on how to address this kind of international transnational issue that is emerging in connection with the deployment of this software.

Jeroen Lenaers (Chair): Thank you. I don’t have any other speakers on my list. So before closing I have two questions of my own. Coming back a little bit to the national security part of the recommendations, because you recommend circumscribing both the material and the personal scope of national security. Now, on the personal scope, you give the example of not accepting the proposal by the Council on the ePrivacy directive, which is of course a somewhat of a defensive way, because of the status quo would remain. But if we would want to circumscribe the material and the personal scope of national security and to really limit the use of national security as an argument to circumvent EU application of EU law. So, would that be feasible within the current treaty? Would the treaty need to be changed? Is this a recommendation to us as policymakers? Is it something we could do or is it up to the ECJ or the human rights courts in Strasbourg to do to make this, to circumscribe this the scope of national security based on concrete cases? How would one do that in practice?

Secondly, you mentioned the Polish anti-corruption bureau that is referred to under a Social Security organisation, I think you mentioned, and therefore does not fall under the law enforcement Directive. And could you maybe elaborate a little bit on that? And if I understand you correctly, this would be a clear case for an infringement procedure for not implementing correctly the law enforcement directive by Poland. Is that did I understood that correctly.

Prof. Dr. Giovanni Sartor: Okay. Thank you very much. So now the idea that, let me start with the second point, which is where I have a more direct answer. So, the law enforcement directive establishes that certain requirement for the processing of personal data in the context of law enforcement. So, if this Polish anti-corruption bureau is engaging in law enforcement, as it seems to be the case, then it should be subject to the law enforcement directive. But if it is classified as a body that only works for national security, that work for national security, it is excluded from the law enforcement directive. So, I think that to the extent that it engages law enforcement, it should be subject to the law enforcement directive rather than excluded from it. And its exclusion would involve not implementing correctly the law enforcement directive. It would be my argument on this. On this point. Obviously, this argument is based on the fact that this anti-corruption body is engaged in law enforcement. If this is the case, then it’s a solution for the law enforcement directive that would entail a violation of the order. Not the full implementing the directive.

On circumscribing the notion of national security, it seems to me that I am speaking of circumscribing it to the extent that it concerns the application of EU law. So national authorities are. at the national level it can be defined as each country sees fit. But when it is used within EU law to determine whether EU law applies or not to a certain activity, it seems to me that it is a topic for EU law, a topic that involves the interpretation of the treaties since this concept is used in the treaties, but also the and the application of the treaty. So maybe we have to consider now to what extent secondary law can intervene in defining a concept that occurs in the treaty. This is an issue in EU law. I know, I want to, I need to have a look into that before giving an answer. I don’t want to provide a modification, but I was. The important thing to make it, according to me, is to consider that this is a concept that is used in EU law. It pertains to EU law and therefore including both the treaties and secondary legislation. And therefore it is a task for an EU institution to deal with.

Jeroen Lenaers (Chair): Well, thank you very much for handing our homework back to us at the end of this meeting. Thank you very much, Professor Sartor, for your time, for your work on the very interesting study and for being here with us to present the study, and to answer all the questions that the colleagues had. It’s the second time we meet in this context. Maybe not the last time, but please, you are invited to keep a close eye on the work of our committee and to also proactively engage with us wherever you see fit. Thank you very much for your contribution.

We will invite our next guest, Mr. Lasvignes, to come up to the podium and then we can start immediately with the second part of today’s hearing. Thank you very much.

Panel 2

Jeroen Lenaers (Chair): Well, thank you very much. I welcome Serge Lasvignes to our committee for the second item on our agenda today, which is an exchange of views with him in his capacity as President de la Commission Nationale de Contrôle des Techniques de Renseignement. It’s an independent administrative authority, the National Committee for the Control of Intelligence Techniques, and it is responsible for ensuring that these techniques are legally implemented on national territory.

To this end, it issues, except in cases of absolute urgency, an opinion or any request to implement the technique before the Prime Minister makes a decision. This is the ex-ante control part, and in addition, it controls the execution of the authorisations granted by the Prime Minister and ex-post control. And it can deliberate on any subject falling within its competence, either on its own initiative or at the request of the Prime Minister or Parliament.

Mr. Lasvignes, thank you very much for your willingness to join us here in our first working day of the New Year to speak to us about a topic that this committee has been working on for nine months now, and will continue to do so. And it’s a matter that is very important for the European Parliament. So, I pass you the floor for introductory remarks and then we pass the floor to our colleagues for any questions they might have. Please.

Serge Lasvignes: Thank you very much. I’ll speak French, if you don’t mind. We meet at least once a year together with the European intelligence control authorities for an exchange on our practices. And it’s also an opportunity to see how different our practices are.

So, I’d like to present the French system first, because the French system is one possibilities, one option. I would like to present its characteristics, its personality, if you like, with a view to hearing a critical feedback, because I think in matters of control and intelligence techniques, nothing is set in stone. It can all change. Threats are changing constantly, year on year. Technologies are being improved, but counter technologies are being improved as well. And legislation, particularly in the case of French legislation, legislation which is founded on the control of certain techniques, has to evolve as well. So, this pushes the legal developments or the ways laws become obsolete very quickly.

So, I’ll start with the constitutional requirements. In France, the Constitution protects privacy. The Constitutional Court has stated that this is at the very core of our Constitution. It’s the 1789 Declaration on Fundamental Rights and Freedoms, a very prestigious basis, if you like. However, apart from this constitutional principle, we also have objectives, constitutional objectives that the Constitutional Council extracts from the Constitution. One of those objectives is the safeguarding of public order and prevention of crime.

Clearly, the intelligence services work serves to preserve public order, to protect us from crime, terrorism and all the legislators job is, is to reconcile those two, the principle of safeguarding privacy and then on the other hand, safeguarding public order. It’s about striking that balance. And once the legislator feels that he’s struck that balance, it’s up to our commission to bring life into that. So, I work on balances. We work on balances.

So, what does the French legislator done to reconcile protection of privacy and protection of public order? Well, first of all, and this is a constitutional requirement, the legislation lays down an exhaustive list of reasons for surveillance. Reasons for surveillance are fixed by legislation based on prevention of terrorism, prevention of organised crime, national security, etc. Legislation also lays down, and this might be a bit more original, fixes a list of all the techniques that can be used. The intelligence services in France cannot make use of a technique which has not been placed on that list by legislation. If we want to add techniques, we have to amend the legislation. Because the framework is quite strict. And then the law also indicates which intelligence services can make use of those techniques. So not all services are authorised to use all the techniques. The most intrusive techniques are the preserve of certain services. Certain authorities.

And then we also have to determine a procedure. So, there I might highlight one of the characteristics of our French system. That procedure. If you look at how it’s designed, if you look at its elements, you can see that the aim is to ensure political responsibility, but also legal independence. So, what do I mean by that? Well, it’s about the decision making. Quite specifically. Say there’s a young man who is suspected of being involved in terrorism because of the websites he looks at or because of his discourse. So, the services decide to watch him.

So how are they going to do that? Well, we have a large service called the Directorate General for Intelligence Services. And the agent following that file is, first of all, going to turn to the director general and ask the authorisation to watch that person. If the director general gives that authorisation, he then has to get the authorisation of the Minister of Home Affairs. If the Minister of Home Affairs agrees, he has to ask the Prime Minister. In other words, any decision on using techniques to watch someone in France is a multi-level decision.

Not many countries say this, but we say we have 23,000 people under surveillance in France. That’s 23,000 surveillance decisions or authorisations granted by the prime minister. So that’s what I mean by political responsibility. So, it means that if I’m an agent and I say, well, I’m not going to ask anyone, I’ll just ask my director general. Well, really, what’s at stake there is the liability of the prime minister. Side by side with that we’ve got legal control. So what do we do in France where we have a kind of local specialisation? We have independent administrative authorities. And they’re not jurisdictions. They’re not legal entities. It sounds like they’re in administration, but they’re different from normal administrations because all administrations are under the authority of the government and these entities are independent. They’re not part of any hierarchy. So quite specifically, that means they answer to no one except the parliament.

So how have we designed these independent authorities? Well, we have made them a reflection of power other than the government. Other than the executive power. You know, there are three powers, executive, legislative, judiciary. Well, in this particular commission, you have representatives of the judiciary for magistrates. You have representatives of the legislative power for members of parliament. And those members of Parliament have been selected. So, they are not just from the majority. But the majority plus elements of the opposition. So, you’ve got a commission which is half magistrates, half members of Parliament, and in addition someone who specialised in the use of these techniques. So we construct this Commission by incorporating the principle of separation of powers within it.

And what is the role of this commission? Well, it hands down opinions, but there is a specificity there. If the opinion is favourable, if the commission says yes, you can watch that person in that locality that we’re talking about. They can say, the commission can say yes or no, might decide that it’s a good idea or not a good idea to watch that person. The Prime Minister might say no in certain cases. But if the commission’s opinion is not in favour and the Prime Minister decides to sideline them because it’s just an opinion, according to the most recent amendment to that legislation, I will have to make a reference to the Council of State, the Supreme Judiciary Authority. So, if there’s a disagreement between the Prime Minister and this commission, the judge will decide. So, you see, it’s a system which aims to reconcile political responsibility and legal control. Cooperation of different powers, majority plus opposition, and a dovetailing between an independent authority and a judiciary entity. It sounds complicated, but in practice, quite frankly, my impression is that it works very well. But we can debate that.

There’s another specificity in the French system which can be found elsewhere, but not everywhere. That is that a commission does not just grant authorisations. Once it’s granted the authorisation it monitors what the services do with that authorisation. So, we have a posteriori monitoring power. So, where there is a doubt about the sincerity of the service, a request for authorisation has been received and we say yes, there are certain indications, but is it not perhaps going too far? We say okay, we’ll authorise it, but we are immediately going to keep a very close eye on what is being done with this authorisation and if we realise that we were duped or that the service was mistaken, we can immediately interrupt that surveillance. And that’s what we do systematically with protected professions. So that is if we decide to watch a journalist, a member of parliament, a lawyer, a magistrate, because it would appear that they have relations with foreign services, while in those cases we systematically check how the services are making use of their authorisation.

And I will add an additional level of security, which is of interest to you and the subject that you’re dealing with. And that is that we are systematically informed of the cost of the material used. So, there’s an administrative commission, an inter-ministerial commission in France, which has the job of granting a label, if you like. Once we want to use surveillance or tapping technology, whether it’s from abroad or not. Any surveillance technology or material needs to be given a label. There are different ministries involved in giving this label and the commission that I am president of when we decide which material can be used. For example, we can see whether such and such a kind of material from such and such a foreign company is being used in France or not.

And the last thing I’ll say on the powers of this commission, this power, this commission can refer to itself, but it can also receive a referral from another person, in which case we check. Make the necessary verifications. So, if a service agent wishes to lodge a complaint on facts happening within its service, you can come to us. We act in confidentiality. And grant protection, that is, that we make sure that that agent would not suffer any negative consequences. And I can say that that procedure has never been used so far. So that’s what I wanted to say about how our service works.

What I can add by means of conclusion or to provoke a discussion is a something about what I think could be improved. The big priority for me is that we need to be up to scratch technically because legislative procedures are fine. But if we don’t understand how the service works, the nature of the material being used, the different material being used to select and receive data, this whole technical structure, which is very profound in our service, needs to be understood by us. And that is why one of the priority measures that I’ve taken is to strengthen technical capacities of our commission. Our commission works with engineers and legal experts, and I think our strength is the fact that the engineers and the legal experts work together. The lawyers understand the techniques and the engineers understand the law. So, we’ve strengthened that capacity.

And we’ve also asked the service to, uh, watch the functioning of their systems. Now, that’s provided for by law. It’s not a matter of legislative rights. It’s about implementation. It’s about having access to the service material, to the systems, understand how it works and not feel like a tourist. The technology I said in my introduction is evolving all the time. The old-style technology, phone tapping and all of that is becoming obsolete. Because messages are encrypted. Uh, because there is greater caution on the part of the service. So, phone tapping is less and less effective. So, services go very quickly, move very quickly towards I.T. Intrusion, I.T Data capturing is what is being worked on.

Now. The paradox in our system is that we have phone tapping which is centralised in a central unit. We have direct access and it’s subject to a quota obligation. So, they cannot tap more phones than the number stated by the Prime Minister. On the other hand, for I.T. data capturing there’s no centralisation. Each service which has the power to do so, may do so. You would have to go and verify that. And there are no quotas. So, what I’m saying is that for any future amendment to the legislation, it might be useful to go back to the drawing board on what we mean by data capturing. We’re talking about copying data. How we get sound, how we get images, how we get their screen.

I also believe that there’s another stage which is missing before we get this end-to-end guarantee that the Court of Human Rights is talking about. And that is that in in France, unlike other countries, we do not check data between the French, so the exchange between a French service and a foreign service. I think the French government is aware of that, that there is a gap there that needs to be closed.

And then the last thing I want us to improve is all this matter of, say, people who contest surveillance measures. People who feel that they’re in a situation of inferiority, structurally speaking. So, they’ll be able to take the matter to a judge, but they will have no access to the file. The judge will decide whether the person’s situation is legal or not. There are other countries that have intermediary solutions. I’m thinking about the U.K., where there are lawyers who act in a national defence, who can take on the defence of the person. The person doesn’t have access to the file, but the lawyer does. So that is an intermediary solution. I think we could make progress on that in France.

So, to conclude. I subscribe to the position of the European Court of Human Rights. Modern democracies need intelligence because there are diverse threats, there are strong threats, and because the threats can call into question democracy itself. But intelligence in democracy is necessarily imperfect. It needs to be controlled. It needs to be limited. It needs to fit within a certain structure. And we’re trying to establish that balance in France. Thank you.

Jeroen Lenaers (Chair): Thank you. Thank you very much, Mr. Lasvignes, for a very interesting presentation. And I’m sure it has raised many questions from our colleagues as well. And you have given the kick off for an exchange of views. So, we’ll dive right into it. And I pass the floor first to Ms. Sophie in ’t Veld, our rapporteur.

Sophie in ’t Veld (Renew): Thank you, Chair, and thank you, Mr. Lasvignes, for being here and having an opportunity for an exchange of views. I have two questions, a short one and a long one. The short one is fairly easy.

You say that each time, let’s say if new technologies are to be employed, they have to receive authorisation. So, my question would be under the current law, would Pegasus, Predator or the surveillance technologies sold by Nexa and Amesys, would they be considered legal at this moment in time? That’s one question.

The second one is slightly longer, because you have, I believe, just over a year ago been appointed to be the head of the CNCTR. I have a bit of experience with that body myself. As you are probably aware before your time, I have to say. But it had to do with a law or decree, rather, which had been drawn up, I understand, with your assistance and I’m raising this issue because it’s a good test case, I think, of how it works in practice. It doesn’t concern spyware because that didn’t that wasn’t being used at the time. It concerns traditional interception of phone calls.

At some point in, I believe, 2015, it was revealed that since 2008, phone calls were being intercepted across France without a legal base. In other words, it was illegal interception. It was done on the basis of the decree I just referred to issued by President Sarkozy. And I understand you were involved in drafting that decree. So that was revealed by the media. And then very rapidly, the government in the Assemblée adopted a law in 2015, and that law foresees a legal remedy for people who may have been targeted or believe they may have been targeted because they’re a person of interest by telephone interception.

Now, it so happens that most of us reside in France one week a month. And I thought, I’m a politician. I have a big mouth. I might well be a person of interest. So, I’ll ask the CNCTR if they can confirm or deny that I have ever had my telephone calls being intercepted. The reply I got I’ll spare you the details, but basically the burden of proof was on me. I had to prove that such interception might have taken place either before 2015 or after 2015 under different conditions. Long story short, I went to court. The court said, we’re not interested. I took the matter to the courts in Strasbourg. That was December 2018. In other words, four years ago. So, whatever the court’s in Strasbourg is going to say.

I think that my case demonstrates very clearly that legal remedy is a joke. It’s a joke because like in the cases of spyware, as we have learned from Poland, Hungary, other cases, Spain, it is the victim or the potential victim who actually has to prove that he has been targeted with spyware or telephone interception or whatever. But he’s not going to get that information from the authorities. So, you get into a vicious circle. Now, as I said, I made my request through CNCTR in May 2016. So that’s almost seven years ago now. Yeah, seven years ago.

So basically, let’s say, now I have you know, I’m not really terribly worried about the French authorities listening in to my phone calls, but it was also a matter of principle. But let’s say that I do have reasons to worry. Let’s say somebody may be using spyware on me. I basically have no real legal remedy. So, you know, I’d like you to respond to that. How are you going to improve that situation? Do you discuss that with your colleagues of the other member states? And how what do you have to say to victims of spyware at the moment who have nowhere to turn because the CNCTR and it’s equivalent bodies in other member states are basically not there for the victims. They’re there to protect the authorities and the secret services.

Jeroen Lenaers (Chair): Mr Lasvignes.

Serge Lasvignes: So you’ve asked two questions. As far as the first one is concerned, I’m not sure whether this committee would authorise Pegasus or not. The point is that there was no request to do so. In other words, Pegasus has not been the subject of this evaluation and therefore has not been authorised in France. Private services cannot use Pegasus and public intelligence services have chosen to opt for national, let’s say, systems rather than foreign systems, because there’s no intention of sharing intelligence with the producers. So, we don’t have Pegasus in France. With regard to your second question. Well, clearly that is a complex matter.

Sophie in ’t Veld (Renew): But Nexa is a French company. So, my question actually had to do with foreign products such as Pegasus and Predator, But Nexa and Amesys are French.

Serge Lasvignes: Well, of course, we know that the surveillance technologies are produced in France, but Pegasus is not used in France. I’m not saying that we don’t use electronic surveillance systems in France. The purpose of my committee, in fact, is that of overseeing the way in which these technologies are used. Obviously, it remains to be seen whether these systems are acceptable or not and this is a fundamental matter when it comes to the very core of democracy. And this is a debate that obviously is extremely sensitive.

Immer auf dem Laufenden bleiben!

Abonniere jetzt unseren Netzpolitischen Wochenrückblick als Newsletter

Jetzt abonnieren

As your second question, I am sorry, but there is something I must specify. When a person fears that he or she is being placed under surveillance we have a law that was enacted in 2015 and the system is not retroactive. In other words, the committee that I am a chair of can only be invested with these matters, provided that the person in question believes that surveillance has started after 2015. Now, if the committee is required to examine this matter, how to go about it? Well, somebody will have to contact the committee indicating that he or she fears that there is surveillance taking place and obviously numbers must be provided. I cannot just simply randomly go to ask services whether an individual is under surveillance or not. Obviously, a telephone number will have to be provided and I.T. details will have to be provided by the applicant. And then there will be the possibility of establishing whether the person in question has been placed under surveillance or not. I might add for the reasons that I mentioned, that the cost of, let’s say, clandestine or unlawful surveillance is very high. So, I’m going to see and establish whether an individual is under surveillance or not. I must say that in most cases the requests we receive come from individuals who have not been placed under surveillance.

But let’s say that’ll be a little bit mentally unstable. If I may say so. And we receive a significant number of, let’s say, requests from these people. This can seem scary, but they are not under surveillance. Sometimes we obtain other, let’s say, in requests from people who have reason to believe in a more structured way that they have been placed under surveillance. So, when that happens, we have to see whether surveillance is taking place and if so, whether this surveillance is legal or not. If we issue a favourable opinion and if there’s nothing, let’s say that leads us to re-examine this opinion, then we will establish that this surveillance is being done legally. If, on the other hand, we have not issued an opinion or if since an opinion was handed down, there was a change in the persons, a situation whereby surveillance becomes illegal. In that case, surveillance would be immediately halted if a service were to refuse to do so. Then of course there would be measures in place to force such a service to do so. Now, the thing is, I cannot say to somebody, Oh, yes, you’re quite right. You have been placed under surveillance, but it’s over. Don’t worry, because of course, we have to consider the secrecy that is required when it comes to national defence matters. If any terrorist can write to me and say, Oh, could you please check and see if I’m under surveillance or not, and then I have to reply. Well, obviously the service would not be able to operate, the whole system would not be able to operate.

Therefore, what I am going to say to somebody making that request and I know this is not fully satisfactory, that checks have been performed. And verification has taken place. People must trust the committee. If there’s no trust, obviously then the judge or the Conseil d’État cannot be asked to carry out an investigation and see how surveillance is taking place. And at the end, then the person in question will be told that the necessary checks and verifications will have taken place. So, what if we look at the adversarial aspects? Of course, this is not fully satisfactory because lots of checks and verifications are taking place without the individuals in question being aware of what is involved. But obviously we know that we have to safeguard secrecy and that is why the British system, which, as I explained, uses lawyers with the necessary authority, is an effective system, we believe, in order to comply with the adversarial principle. I hope I have answered your question. However, if you would like to contact me, I can give you more information in the course of this week. Please feel free to do so if you need any further clarification.

Jeroen Lenaers (Chair): Just to clarify, there was no question on the mental stability of our rapporteur. We moved to EPP, Ms. Braunsberger.

Karolin Braunsberger-Reinhold (European People’s Party): Have you got your headphones on, great. Thank you for coming, Mr. Lasvignes, and making your presentation. I’ve got a very brief and pragmatic question. You talked about the different investigation techniques, and you said that the older techniques are now being reviewed.

Can you tell us about the effectiveness of the different investigation techniques and particularly as we’re talking about spyware and the effectiveness of the follow up based on spy software?

Serge Lasvignes: Well, that’s quite a challenging question. Obviously, I am not in the business of intelligence. We have oversight functions on intelligence services. What I was saying earlier was that traditional telephone tapping doesn’t really give us much. And therefore, we know that this is only, let’s say, the beginning of a process. Now we start with wiretapping. And then if a target is worthy of being placed under surveillance, then additional technologies are put in place. Obviously, when somebody is placed under surveillance, I do understand that this is done not with just one technology, but with a bundle of technologies.

What are the most effective ones? Well, first of all, the technologies that enable us to know how an individual moves, who he or she meets with, and therefore that is why we use real time geo localisation technologies, because this means that if an individual has a phone with him or her at all times, this is possible. If not, we can also use, let’s say, technologies that enable us to locate the movements of a vehicle, for instance, with the form of G.P.S. We therefore know where a person is going, who that person is meeting, what activities are engaged in. Then obviously it’s difficult to know, and that is what at stake, what a person says or does not say on the phone. And to do this, the any possibility is direct recordings. In other words, using a microphone. But obviously, this means that this is a far more intrusive process because it means that it would be necessary to bug somebody’s domicile or let’s say infiltrate IT systems and let’s say do what Pegasus does, i.e., establish a form of, of trapping mechanism which can enable us to listen in to any exchanges or exchanges.

So, we have to apply a principle of proportionality. Our committee does not allow that these technologies are used unless a service has already started placing a person under surveillance and only provided that sufficient information is given to indicate that we’re dealing with a dangerous individual, a very targeted individual. And if sound is picked up directly or indirectly with a traditional microphone or through IT systems, then obviously this is only linked to situations characterised by individuals who are a particular threat. This is a technique that’s normally used in the event that terrorism is suspected. When it comes to surveillance of violent extremist militants. We know that this is done very rarely, even though we know that some extremist militants in, let’s say, certain areas can be extremely violent. And we know that we have to also consider the way in which the threats evolved.

And we have cases in France and many other European countries. We know that there are many people today who purchase weapons either joining shooting clubs or obtaining weapons illegally through the Internet in some cases, and in France and another especially northern European countries, we know that there is a significant amount of weapons and people who train and during summer they take these survival courses. The question is, when are they going to act? When are these weapons going to be used for something other than training or war games? So, when we find ourselves in situations of this kind, When we, for instance, see that there are groups of armed groups with there are possibilities to use these techniques as described.

Jeroen Lenaers (Chair): Merci bien, thank you. Roza Thun for Renew.

Róża Thun und Hohenstein (Renew Europe): Thank you very much. I have three questions.

So, you said that you don’t use Pegasus in France. Can you explain why not? Other question, you mentioned illegal or unlawful surveillance. How is that possible given all the precautions that you’ve just described? Is there such a thing in France as unlawful or illegal surveillance? Given that you have described a system whereby the president has to sign off decisions, etc.? And last question, if I understood you correctly, you said that in France, approximately 23,000 people are under surveillance. And you also said that you monitor the way in which surveillance technologies and methods are used. How does that actually take place? Could you describe it, please? Thank you.

Serge Lasvignes: With regard to your first question, why not Pegasus? Well, I did try and explain the reason for this. Let’s put it this way. The French intelligence services, as a matter of principle, have tried to make sure that the material employed is national. In other words, for instance, we have a surveillance system maybe that can be considered as national, even though there can be some technologies that come from other sources. We know that in France we have seen considerable evolution of technical, let’s say, systems. We’re not dealing with operatives. We’re not dealing with James Bond like characters. But the most important resource, our view, actually lies in the technical experts, all the technical divisions of our services that will identify which systems to use for surveillance purposes. We avoid using foreign systems because we know that there can be some backdoors, information intelligence collected by the French could easily, let’s say, end up elsewhere.

So, are their forms of unlawful illegal surveillance? I hope not. What I was trying to explain is the system is has been actually developed to make any form of illegal or unlawful surveillance, either impossible or extremely costly. If we do observe anomalies, if, for instance, we see that in a service, there are agents who have access to data that they should not have access to because they are not entitled to carry out, let’s say, operations, given that they have not been, let’s say, involved in the surveillance. Let’s say a surveillance operation has been authorised with favourable opinion of the committee, but in a service, for instance, perhaps the outcome of this surveillance has been shared beyond, let’s say, the circle of agents who were entitled to obtain this information. This is not illegal, but one has to really carefully watch over the way in which data is shared to avoid it being, let’s say, shared beyond, let’s say, a certain limit.

We have talked about 23,000 people being placed under surveillance. We know that there are, let’s say, limited resources. Three times we try and carry out in situ checks. And we also look at remote surveillance options. The purpose is to ensure that all those services that have the high-end technologies for surveillance can give us a remote access. So that means that when the committee needs to do so, it is possible to oversee the outcome of a surveillance operation without having to go physically to the service. So what we’re talking about 23,000 people, as we said, and most of these are suspected of being involved in terrorism. And this form of surveillance is not as, let’s say, difficult to manage when compared to other instances. In general, services can provide information on these individuals, relational, let’s say, M.O. And that leads us to conclude that there are good reasons why they have been placed under surveillance. There can be rather more, let’s say, critical situations, more delicate situations, as happens in the case of surveillance of journalists. And in that case, we systematically perform checks and exercise oversight on the data collected by the services, how the data is used, and we check to make sure that the service is not attempting to identify sources. This is not allowed. Obviously, we know unless we’re talking about Chinese or Russian spies I suppose.

Jeroen Lenaers (Chair): Thijs Reuten.

Thijs Reuten (Socialists and Democrats): Yes. Thank you, Chair. And I was inspired by your answer to my colleague, because you gave a frank answer about the acquisition of the spyware. But let me rephrase the question a little bit. Have you although it did not lead to this decision, but have you considered acquisition of such spyware and or acquired information about which packages of software then and what were the reasons for the different choices in that process? And if I may be so bold. Have the possibly the revelations, which I think would be a legitimate reason to reconsider, have they played a role in your decision not to engage in acquisition of such software?

Serge Lasvignes: You must forgive me, but I’m actually not involved in intelligence. As your question might seem to indicate, I’m not responsible for a acquiring Surveillance systems. We are just involved in overseeing the way in which systems are used for surveillance purposes. So, it’s not my, let’s say, responsibility. I don’t know whether French intelligence services have at some point in time considered acquiring Pegasus or not, but it is a possibility. But I don’t know if that is the case.

What I do know, as I pointed out is that our systems are sovereign systems that say they are in-house. To use a more common term. So, I cannot give you any information on what might or might not have happened. On whether to decide in favour of acquiring a system or not. What I can say, however, is that it’s just as well that I don’t know anything because I only work on what exists and the ideas or designs of the services are not something that I’m personally involved in. Let’s say it’s not a decision process that I take part in.

Saskia Bricmont (Greens): Thank you. Good afternoon, everybody, and happy New Year, by the way, because this is our first meeting this year. Thank you very much for having joined us. And we know that the French do like Made in France systems and technologies. Can you tell us something on the other hand, as to the use of spyware on the part of foreign intelligence services? I wonder whether you could say something with respect to the fact that French authorities have not publicly reacted with regard to misuse or illegal use of these technologies. We know that we have safeguards in place to avoid abuse of these spyware technologies. But obviously we know that if there are such instances on the part of foreign entities, this obviously indicates that there’s an attempt to interfere in the French system. So, I’d like to have your thoughts on this.

And then I would like to ask you, in the light of what you have said about the system, whether it is an effective barrier against abuse of spyware, do you think the system works, in other words, and do you think that it could also be an example that other European states could take into consideration? And do you think that it would be appropriate to have minimum standards at a European level with a European wide framework that could be applied to all states? I don’t know if you were here earlier or when we had Professor Sartor, he mentioned national security. And certainly, this is the stumbling block, if you will, when it comes to the concept of national security as seen as a European level on a national level. And of course, we have to also consider whether this definition is sufficiently precise, not just in France. We would like to have your opinion on it. I know that there are many differences between member states when it comes to using this type of spyware.

And I would also like to know whether a common European framework would be advisable. And. Viable. And finally, with regard to victims, obviously, you suggest suggesting a possibility to go along with the British approach so as to guarantee that victims can have access to information. But in general terms, what do you think of the impact of the use of spyware on human rights? And would you say, in the light of your contacts with European counterparts that the French system is sufficient or whether it would be better to have a European wide framework to safeguard fundamental rights? Thank you very much.

Serge Lasvignes: On your first point. There has been foreign interference. That’s not my work. It’s the intelligence services who have to fight against foreign interference, foreign meddling. The French system was not designed to stop foreigners from spying on the French. There are counter interference measures to deal with that. And these measures were taken as a result of the revelations that you talked about. But we’re not talking about the area that I deal with. It’s not my job to censor or what a certain state may have done using Pegasus.

And that brings us to another question that I raised before, which is the question of monitoring discussions between services of different nationalities. So a progress would be if in every member state, European state, there was some kind of device which allows every competent authority, judicial or independent, to ensure that a state is not using another state to obtain surveillance which had been refused to them on a national level. It’s a sort of way of circumventing such a decision.

Do we need a European framework? Well, that is a very difficult question. What I would tend to argue is the European framework does exist already to a certain extent. If I add up the case law of the Strasbourg Court of Human Rights and recent decisions taken by the EU Court of Justice, I do have the impression that there is a European law. There is case law. Which is not positive law. When I talk about the European Court of Human Rights there is a fundamental principle which is that intelligence, Internal surveillance, is at the heart of state sovereignty. So, I cannot interfere with the choices made, options adopted to carry out surveillance on the compatriots. It’s nothing to do with the judges in Strasbourg. What I can check is that in the system, whatever system that may be, whatever the choice is made by that stage, all that system allows for a certain number of guarantees. And that those guarantees are from end to end, as the court said. In other words, as soon as the person is being monitored until the point at which surveillance ceases and everything that happens in between the two. The case law of the court in Strasbourg consists in saying that to organising an interior surveillance system is a sovereign decision to be taken by a state. But as the authority charged with monitoring the application of the Court of Human Rights, I have to check that the choice is made to have sufficient guarantees attached to them.

And I don’t know whether we need to go any further, to be honest. I think that if every member state complied entirely, which is not the case of France, as I said before, for example, there are a few gaps here and there, but if every member state complied fully with the case law of the court in Strasbourg, that would be a big step forward already. Now, after that, we can try to define European rules. That would mean that the states and you know this better than I do, must accept to open up an area which is not yet open to European law. We may end up with a number of rules which may end up being just minimum rules, because if you have a case law which is adjusting as the Strasbourg law and positive law or directives regulations being drafted between the two, there is a certain amount of flexibility. So, I would be afraid that you may end up with making another a lot of effort and end up with a set of rules which can actually be pretty disappointing.

Third question. The impact on fundamental rights. I had no real intelligence experience, unlike what the rapporteur was saying. I did not write decrees for Mr. Sarkozy. Sarkozy what I said, according to Le Monde, I was the author of the first note of warning against the insufficiency of the French legal framework for surveillance, which isn’t quite the same thing. And then as the secretary general of the French government, I did participate in the discussions which led to the 2015 law, which is the law setting of the framework for controlling intelligence in France. So, I don’t have any specific intelligence experience. I only just discovered it since November 2021, since I’ve been chairman of this committee. So not too long ago.

And once we get into the subject matter, what have I seen? Well, I can conclude that the essential characteristics of people under surveillance are that they are people where you wouldn’t really hesitate to be blunt when you have an indication that there is a terrorist conspiracy. Organised crime where we have a lot of clues there. I mean, you have to take into account that an essential part of the work of the intelligence services is combating trafficking, particularly drugs in France. That represents about 15%, 15.3%, I believe, of the activity of the intelligence services. Counter interference, in other words, combating foreign spies is 17.5%. Terrorism is 42%. So, in these files, when you talk about terrorism and counter interference and drugs trafficking, you don’t hesitate. You don’t really wonder about the fundamental rights for too long.

The part which does cause you to hesitate, and it should do is when you are placing political activities under surveillance. In other words, when you are monitoring extremists, the question being are these extremists likely to turn violent? And that that’s when you ask the services to justify and to give you proper proof. And that is where the number of Nos that we issue is highest, because then we say that there is going to be a risk there of impacting fundamental rights. On the other hand. When you put a monitor on a vessel involved in drug trafficking, then you’re not likely to have a crisis of conscience about putting a trucker on a boat like that.

So, our hesitation is mainly, well, it’s around 13% of all surveillance operations. And out of these 13% of operations, you will have neo-Nazis, you’ll have racists, you’ll have neo-fascist who are armed. And they’re in such cases, it would be difficult to hesitate. There are 3,000 people who are being monitored because of political extremism. So, I have understood when I read what the British Parliament has done, that armed extremism, ultra-right, extreme right terrorism in Germany and in the northern Europe, as was one of the priority threats now.

Jeroen Lenaers (Chair): Thank you. Mr. Puigdemont.

Carles Puigdemont i Casamajó (Non-attached): Thank you, Chairman. Mr. Lasvignes, you said that you use French technology. Is this a technology capable of doing the same thing as the other spyware, such as the spyware described by in the previous presentation? Is it part of the individual toolkit? Can you upload photos, videos? Can you manufacture fake messages as the first question?

And secondly, how can you prove that there’s been a misuse of this technology? Because if it’s technology which is similar to Candiru or Pegasus. There isn’t really any practical way to check whether a file is fake or not. So, what kind of reports do you receive to verify whether the use made of that technology is legal and whether all this data collected by the spyware is, well, where is it stored? Who is responsible for guaranteeing that this data will be stored? In a secure place that the data will not be used. Once you’ve carried out your checks and issued your opinion, how can you make sure that the data will not be used illegally?

Serge Lasvignes: Yes. On your first point on the technical capacity of the French intelligence services. So, I think that is the something that the Secretary of Defence would have to answer, although I know that we’re at a high level. The tools used by the French intelligence services are used to collect information, not manufacture it, and we don’t really see what the interest would be during these missions for the French intelligence services to manufacture fake information because it’s administrative intelligence. Why would it be, to influence public opinion to cause a scandal or perhaps provide a false evidence to a court?

But what is important in France is that there is a line of demarcation, a very deep line of demarcation between what we call the administrative police and the judicial police. What we’re dealing with here, what I deal with, is the area of the administrative police, i.e., prevention. Once a person is guilty of something and you have to prove that, then you are starting a judicial procedure, procedure and everything that the administrative police has done, it no longer has any value as evidence. So, the evidence has to be then managed by the judicial authority, working under the authority of a magistrate. So, I think that the French services are technically capable of doing many things. Collecting a lot of data. And I think it’s unlikely that as part of their mission, they would manufacture data.

Now, where is the data? And the data is in the services systems. We have direct immediate access to the services systems. In principle, in practice, you have to do a bit of work to get it to. But that’s what we do. We work at it. So, we work to be to familiarise ourselves with the system and so that we know where to go to find interesting stuff. I think you know how it works. There is a huge mass of data. You have to have a sort of area that you can trace data back and like around this thread. So, you know that this data cannot be stored longer than a certain period. So, we also have to check that the data has been destroyed after the period has elapsed. That’s what we do. We also do it on a one-off basis by carrying out random checks. And then when you get to the limits of this exercise and we’ve already talked about it here in this committee, once this data is being used to draw up a file being held by these services, then we no longer have access to the file. It is another authority. It’s the Freedoms and Computer Data Committee which can access that data on a specific person, and we can no longer get an access to that file because the law tells us the only thing, we can see is data which is being collected using intelligence techniques in the files. As a sort of big market. You can have tech and technical data, data from informers, human resources, in other words, and from foreign services. So, we are not entitled to see that data.

So, what we really need is either to be given that right. Perhaps we will be given it, or you have to be able to sift through these files. And we should then get access to the data, which comes from the intelligence tech intelligence techniques and not the other information which comes from the other sources. And this is one of the challenges of perfecting the French intelligence system.

Jeroen Lenaers (Chair): Thank you. I had a couple of questions myself. You mentioned already there’s 23,000 people under surveillance in in France. I was looking at the website of the of the committee. I think the numbers presented here are relatively old, but they spoke about 65,000 opinions delivered between 2015 and 2016. So, I mean, this is if you do this in a year, it’s 178 a day. What kind of access, what kind of file do you base your opinions on? What we’ve heard from other EU member states where there were complaints about, for instance, judicial proceedings? Yes, the judge approved a certain type of surveillance, but the judge only received a phone number, for instance, not a name or not only biographic data of a person, it didn’t really receive what kind of technique was used. A very, very brief summary of a request by the intelligence services, which was then approved, basically as sort of a formality. So, if you if you work with such big numbers, how do you ensure that these requests are also assessed in a qualitative way?

And secondly, how you ensure the independence of the committee? If I’m not mistaken, the President of the Republic appoints you as President of the committee, and I don’t want to know reason to doubt your independence or whatever. But I could imagine if you looking at the question, what could other member states learn from the French system? There are member states in the European Union I would say that if the head of this committee is appointed directly by the head of State of government of the Member State in question, this could lead to an undesirable conflict of dependency. Maybe. So how do you feel as and how do you ensure this this independence?

And then one question you already answered very elaborately on Pegasus. One of the interesting things we discussed on many instances here is that one of the key differences between Pegasus and Pegasus type spyware compared to the classic wiretapping is that, of course, once you give an approval for classic wiretapping, this is when the data starts being collected. When you talk about Pegasus or similar spyware, you can also very easily retroactively find data. Once you have access to someone’s phone, it is not only the data that is gathered from that date, but you have access to also all the historical data on that phone data that’s already present there. How do you see that difference in terms of intelligence gathering? And do you also have different approaches in approving or giving positive opinions on requests of intelligence gathering? Thank you.

Serge Lasvignes: Three rather different questions. Yes, we have 90,000 requests per year because all 23,000 people may be subject to individual measures, each one different measure. I know that two thirds of these and 90,000 requests, so about 60,000 are just requests for telephone identification. In other words, the service says to us, I have located this suspicious telephone number. Can you tell me who uses that telephone number? And I would like to obtain information from the operator. Or, on the other hand, I’m interested in a suspect, and I would like to know his different telephone numbers. And I would like to put that question to the operator. So, these are very easy measures to deal with and pretty low level on the intrusive scale, and they don’t take much time or work.

All our efforts in this system is to prioritise, to select and to spend time on the things that are worth spending time on. And when you get used to it, you see that difficult cases are a minority. So, we break down our work. There are lots of opinions from the committee which are given by one member alone, always a magistrate, and it’s one single member who will provide the opinion because it’s a simple case. If it’s a more complicated case, we convene a meeting in a small format. And if it’s, for example, a question of placing a journalist or MP under surveillance, well then, it’s going to be a plenary meeting of the committee. And so, we try to prioritise those so that we can be productive and effective.

I’m not sure that a good solution would be to multiply the number of people on the committee or to set up this is some kind of huge institution because in reality what is important for us is not so much the large amount of human resources. It’s the knowledge of what the services do and the sectors in which they work. At the end of the day, these 23,000 people under surveillance, and this is what struck me on a human level, is a sort of a world unto itself. So, you’ve got the world of terrorism. And what is the world of terrorism? You’ve got a certain number of isolated individuals who have radicalised themselves alone by surfing on the Internet. Often, they’re very young. Sometimes they’re still at school. Very difficult to detect. You detect them by monitoring the jihadist sites.

And then you have all of the others more traditional forms of terrorism, those who know each other, who’ve met in prison or in Syria, in the field, and those people we know, the links that they maintain. And if the services service says to us, well, we have the impression that Mr. X is now getting involved in with Mr. Y and Z who are already under surveillance and we know them, well then, we will consider that we do have enough information to say, okay, we have to place that person under surveillance.

What I ask the services to do increasingly, and what they can do now is that we ask them to do in-depth presentations on subjects that they are working on. For example, it’s true that in France there are certain foreign minorities which are under surveillance because we are afraid that they may cause diplomatic difficulties or because of violence. You have to know what minorities were talking about, who is in that minority, who the leaders are, and what type of danger they pose in practice. And we ask our services to provide justification to give us the result of their inquiry. So, we examine individual requests on the basis of more general knowledge of a sector which is of interest to our service. And sometimes the services want to place a certain community under surveillance, an ideological group, for example. And we want to prove that they’re dangerous. And often we’re very reluctant because any request for that community will be rejected. Let’s just get a whole series of no’s. So, the requests that we get and doesn’t get come out of nowhere. Of course, it comes from a certain set framework, reference framework, community, sudden way of acting ideology.

So how do you control Pegasus? Or rather, how do you control what is equivalent to Pegasus? Well, first of all, if the service can use data to get discussions on the telephone, by telephone or in an apartment, they have to request an authorisation and say, first of all, I want to gain access to the computer data of that person. And I want to get sound. I want to get to the conversations of that person sent back to me. So, we have to do that with the. Computerised means we have it all available, so we send the sound services exclusively in. Just for the reasons which gave them a favourable opinion. So, they have to systematically eliminate anything else. We cannot keep any of the reasons stored and we can’t deal with it in the intelligence bulletins, as we call them. So, to be specific, often a person is placed under surveillance. For example, we think he’s a spy. And we may want to use very intrusive devices because if somebody is a spy, you have to use the spy toolkit as well. And then what you get out of it. Then we listen to what two fists or the thumb have said and then, we’re not entitled to, it’s not authorised, so we have to get it deleted by the services immediately. So, in this system of prioritisation, once you authorise the service to use a very intrusive device such as Pegasus, they’re going to be under systematic surveillance so the service knows it and nobody will try to remain within the framework. You may have areas where you go beyond the limits of the framework. And in general, we can prevent that happening.

I’m not saying that our system’s perfect, but I have to be honest, as a practitioner, I have never had the feeling that we were allowing things to carry on or which were really dangerous. So I was appointed by the French president, but there is, I would qualify that. But because you have to be appointed a member before you are appointed chairman and to be a member, the president has nothing to do with that. It’s the president of the Conseil d’État. And he chose me to be a member of the committee. And the president said, well, I would appoint him as the chairman. So, of course, sometimes they can. Agree amongst themselves, I suppose. But to my knowledge there was no prior consultation between the two of them.

Jeroen Lenaers (Chair): Thank you very much. And there was one additional follow up question from Sophie in ’t Veld.

Sophie in ’t Veld (Renew): Yes, as you’re here, I would like to benefit from your presence to still a little bit deeper into two issues. You said basically, France only uses, let’s say, homemade spyware. But as my colleague said, we know that at some point in time before the Pegasus Project revelations, there were negotiations ongoing or explorations with NSO and Variant, and it concerns, in both cases, an Israeli brand of spyware. So apparently, I mean, the impression one gets is that the Pegasus revelations actually changed this, the strategy or the approach of the French government. Can you confirm that? And can you then also say, do you really use 100% French made spyware only? Or do you also consider European brands like Predator, for example, or, you know, there are others which have been produced in Europe. And can you say because, you know, we all know that the Israelis have really exceptional expertise and an experience with spyware. It’s very difficult to for countries to make something which is as good or better. We know that even the Americans are using this. And I can see I mean; I would agree on the reasons for not using it. But can you guarantee that it’s 100% French? There’s really no element of Israeli or other non-European spyware. And can you confirm that you do not consider European brands acceptable for France? Are you completely self-sufficient?

My second question would be you distinguished in answer to the question of my colleague, Mrs. Thun, you distinguished, or she was asked about illegal spying, and you said, well, there is no illegal spying, but there may be anomalies. So, would you consider the period 2008-2015 an anomaly? And I’m interested in this because you also said, you know, you have to trust me in making judgements to a certain extent. And so, I’m asking about the judgement. You were maybe not, you know, one of the architects of the surveillance program. And indeed, you did write a note about this, but that was in 2018 when there was already a law in place. But you were aware of this surveillance program from. Okay, well then you have to have a stiff talk with Le Monde because they published an extensive article, you know, outlining your role. And given that you were very close to Sarkozy, that you were you were also involved in the implementation. Okay. Had you been aware of the 2008 to 2015 program? Would that have been sufficiently worrying for you to flag it up? Would you consider that that is illegal or at least a-legal spying?

Serge Lasvignes: You said 2018. I think you meant 2008 because in 2018 I was doing something completely different. I was the president of the Centre Pompidou. At that time. When I was the secretary general in the government, I wrote a note which highlighted the weakness of the legal framework of the intelligence service. It’s public now. So, I think I can say this. It was the time when France was creating an international surveillance system, and I wrote this note to say that I get the feeling as a lawyer, because I was the first jurors consult of the government, so I felt in my capacity as a lawyer that the legal framework was insufficient and that that was hazardous.

I don’t use anything. I don’t use any device. I’m not the intelligence service. So, I can’t say anything about using this service or that or a European system or not a European system. That’s not up to me. And I can’t give you France’s position either because I’m not a member of the government. It needs to be clear that I’m an independent authority. I mean, it would be quite worrying if I, as a as an independent authority could say this is France’s policy on intelligence. I, I can’t say what France’s policy is. All I can say is what I see. As in my capacity of control and monitoring. I want that to be clear. Well, I can’t really say much more than that. Well, we use European systems. I don’t know. One thing I do think I know. But you’d have to ask the French government to be sure. I think that the decision to not make use of Pegasus was taken before the Pegasus scandal broke out. That’s what I thought.

Sophie in ’t Veld (Renew): Or this is my unstable quality. But just to be clear, because you said at some point that Pegasus has not been authorised in France, has Predator or another European brand been authorised because that you can say you’re not in charge of the purchase of spyware, I understand that. But if you say Pegasus has not been authorised, then you would know which brands have been authorised.

Serge Lasvignes: I know that the French intelligence services use surveillance equipment which has been developed by their technical directorate so that they are homemade products, if you like, made from bricks, if you like, coming from companies that present no risk from the point of view of the mission of the secret services.

Jeroen Lenaers (Chair): Thank you very much. And, of course, we have also sent a questionnaire to the French authorities like we have with all EU member states. We have not yet received a reply, but many of these questions would hopefully be still answered also by the by the French government. Thank you. Thank you very much for your presentation, for the elaborate answers to all the questions posed by our members. I thought it was very, very interesting to hear about the French system and also to what extent it could serve as a model for other European member states, where, of course, it always is a question of implementation and how such systems are implemented in practice.

But thank you. Thank you very much. We also kept to our New Year’s resolution to finish our meetings on to start and finish our meetings on time. So at least the first the first meeting went well, let’s keep it up for the rest of the year. Thank you all. Thank you, members. Our next meeting is on the 19th of January in Strasbourg, and I look forward to seeing you all there. Thank you very much.

No Tracking. No Paywall. No Bullshit.

Unterstütze auch Du unseren gemeinwohlorientierten, werbe- und trackingfreien Journalismus.

Die Arbeit von netzpolitik.org finanziert sich zu fast 100% aus den Spenden unserer Leser:innen. Werde Teil dieser einzigartigen Community und unterstütze jetzt unsere Arbeit mit einer Spende.

Jetzt spenden

Eine Ergänzung

  1. In the context of EU law, targeted surveillance is relevant to the rights enshrined in the Charter of
    Fundamental Rights of the European Union, the principles set forth in the Treaties (such as
    democracy and the rule of law), and various instruments of EU secondary law, such as those
    pertaining to data protection law.

    According to the Treaty on European Union, national security is the sole responsibility of each
    Member State. This does not in principle exclude that national security activities are subject to EU
    law when they interfere with activities regulated by EU law.

    However, the application of EU law to the use of spyware for national security purposes is hindered
    by the fact that national security activities are excluded from the scope of two fundamental
    instruments, the GDPR and the ePrivacy Directive. This limitation to the protection of data subjects
    relative to state activity can hardly be justified with regard to the rights contained in the Charter
    and the principles contained in the Treaties. Because this exclusion may be used too broadly, it
    needs to be pointed out that it only concerns cases in which the spyware is genuinely designed to
    protect national security properly understood.

    EU law applies to the use of covert investigations for law enforcement purposes, which are subject
    to the Law Enforcement Directive. However, even in this domain evidence exists of abusive
    national practices.

    https://www.europarl.europa.eu/RegData/etudes/STUD/2022/740514/IPOL_STU(2022)740514_EN.pdf

Wir freuen uns auf Deine Anmerkungen, Fragen, Korrekturen und inhaltlichen Ergänzungen zum Artikel. Bitte keine reinen Meinungsbeiträge! Unsere Regeln zur Veröffentlichung von Ergänzungen findest Du unter netzpolitik.org/kommentare. Deine E-Mail-Adresse wird nicht veröffentlicht.