The protection of privacy in the course of covert collection of information for National Security purposes

Размещено на http://www.allbest.ru/

The protection of privacy in the course of covert collection of information for National Security purposes

Attila Pйterfalvi, Ph.D., President of the Hungarian National Authority for Data, Honorary Professor of National University of Public Service (Budapest), Honorary Professor at Kвroli Gвspвr University of the Reformed Church, at Pвzmвny Pйter Catholic University, and also at Eфtvфs Lorвnd University in Hungary, Doctor Honoris Causa of Kyiv University of Law of the NAS of Ukraine

The conclusion of my study is that the tools and methods of covert gathering of information inevitably violate the privacy of the person concerned. As the data subject's ability to exercise his or her rights in the course of processing for national security purposes is limited, the exercise of these rights, and the effective protection of these rights, can be achieved, as in the case of law enforcement processing, through the intervention of the competent supervisory authority.

The transformation of Hungarian regulations since the change in regimes

At its session of 25 January 1990, the Parliament adopted Act X of 1990 on the Transitory Regulation of the Authorisation of Special Secret Service Means and Methods.

The regulation classified the application of every means and method as special means if they were applied without the knowledge of the person concerned and whose use infringed the rights to the inviolability of private homes, private secrets, correspondence secrets and the protection of personal data. This act already stipulated that special means may be applied only if the data cannot be obtained in any other way.

The regulation distinguishes between the cases in which special means can be applied for criminal acts or for national security purposes even though this term is not used; however, in terms of content, it lists cases corresponding to national security interests. The authorisation of the collection of information was within the competence of the Minister of Justice. The act included a safeguard rule that “if the application of special means does not lay the foundation for a penal procedure against the person under surveillance, the entity requesting the authorisation shall notify the person under surveillance of the measures applied and the data obtained in the course of the surveillance will subsequently be annihilated”.¹

Act CXXV of 1995 on the National Security Services

Act X of 1990 was repealed by Act CXXV of 1995 on the National Security Services (hereinafter: National Security Services Act).

The regulation in force distinguishes between the covert gathering of information authorised by a judge and by the Minister of Justice. With regard to privacy, the question arises in relation to authorisation by the minister whether authorisation within the executive power is appropriate from the viewpoint of protecting privacy. If a judge authorises the gathering of information - as the judge is separate from the executive power - this issue does not arise.

With regard to the protection of privacy, in addition to the protection afforded by the Member States' constitutional, civil and penal law, it is equally important to take into account the European Convention on Human Rights as an international obligation⁴. Article 8 of the Convention states that “Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

Taking into account the practice of the European Court of Human Rights, Decision 32/2013. (XI.22.) of the Constitutional Court declares that: “As the secret gathering of intelligence by necessity excludes the possibility of efficient legal remedy, it is of vital importance that the procedural arrangements enabling its application provide sufficient guarantees to protect the individual's rights. In view of all this, the application has to be subject to three-stage control: when the intervention is ordered, during the implementation of the intervention and after the completion of the intervention. Control will be carried out by bodies independent of the executive power. First and foremost, permanent and mandatory control guarantees that the requirement of proportionality is not violated in specific cases”.

With regard to the constitutionality of the secret gathering of intelligence, the justification to Decision 2/2007. (I. 24.) of the Constitutional Court provides important guidance: “In a democratic constitutional state, the circumstance that traditional means do not prove to be sufficient for successfully combating certain criminal acts severely violating or jeopardizing the order of society lays the foundation for making use of the secret gathering of intelligence and secret collection of data as instruments of criminal law. Hence the restriction of the fundamental rights under study by the methods applied in secret procedures is not a constitutionally unnecessary means. The protection of the constitutional state and of the fundamental rights, however, require the law to regulate the order of using such instruments in detail and in a differentiated manner. As the use of secret means and methods constitutes a severe intervention in the life of an individual, they may be applied only exceptionally as a transitory and ultimate solution.”

The European Court of Human Rights underlined that “precisely because the intervention in fundamental rights is secret and the use of such instrument provides imponderable opportunities to the executive power, it is indispensable that the procedures themselves provide sufficient guarantee for the enforcement of the rights of the individual”.⁵

Bill to amend the law

In view of the fact that the 12 January 2016 ruling of the European Court of Human Rights did not regard the external authorisation regime of the covert gathering of information as appropriate and declared that Hungary violated the Article of the European Convention on Human Rights (hereinafter: the Convention) on the right to respect for private and family life, the Ministry of the Interior prepared a proposal to amend the law and issued it for public debate; this proposal would have institutionalised the power of the Nemzeti Adatvedelmi es Informacioszabadsag Hatosag to override the authorisation of the Minister of Justice. According to the draft, journalists, Members of Parliament and clerics could be intercepted in the future only if approved by the Nemzeti Adatvedelmi es Informacioszabadsag Hatosag (hereinafter: Authority). The Authority could have monitored the lawfulness of data collection subject to external authorisation. The minister of justice would have had to forward its decision granting authorisation within 48 hours of signing it and the Authority would have had 72 hours to bring a decision on the issue. If the Authority had deemed that the gathering of information was unlawful, and it would have been able to stop it and instruct the given entity to erase the data collected till then. Whoever would have learned or suspected that an agency conducted covert data collection against him unlawfully, it would have been possible to turn to the Authority, which would have had three months available to investigate the complaint. If a person was put under surveillance unlawfully, the Authority would have been able to stop this (provided it was still in progress), but if suspecting a criminal act, it would have been abled to lodge a report on prosecution.

The position of the Authority in relation to the planned regulation

I sent the recommendations of the Authority concerning the improvement of the external authorisation system of covert information gathering for national security purposes to the Legislative Committee of the Parliament.

The ECHR judgement referred to above, which stated that Hungary infringed the Convention's article concerning respect for private and family life ”in a wider context it calls attention to the fact that the rapid development of info-communication technology implies dangers also in addition to countless favourable effects : it renders the mass application of secret surveillance increasingly easy, which may be concomitant with other unfavourable social impacts in the longer term beyond intervention in the privacy of citizens. The attention of the public in advanced democratic constitutional states was directed to these problems first and foremost by the documents disclosed by Edward Snowden. Indirectly, the leakage led to the annulment of the Safe Harbor Convention regulating the TransAtlantic transfer and use of personal data.

The Privacy Shield, which replaced Safe Harbor, reinforced the protection of the personal data of European citizens against secret surveillance by the intelligence agencies of the United States and authorised the data protection authorities of the Member States of the European Union to collaborate in the remedy procedures related to these data collections by secret services with a view to protecting the rights of citizens.

Beyond this, the⁴ Privacy Shield is essential from the viewpoint of our subject matter because the data protection expectations set against the United States expressed common European fundamental values, which are naturally governing for European countries when the legislatures of the Member States decide under what conditions secret surveillance is possible and what safeguards are needed to protect the rights of the citizens.”

The court procedure did not extend to obtaining the opinion of the Authority resulting in numerous legally and factually incorrect statements remaining unreflected in the course of litigation with regard to external control over the ministerial authorisation in the Hungarian regulation. Thus, the ECHR was not able to learn of the experiences of the Authority obtained in the course of the independent external monitoring of the covert information gathering activities of the National Security Services.

Pursuant to Article VI (3) of the Fundamental Law, the enforcement of the right to the protection of personal data and access to data in the public interest shall be supervised by the Nemzeti Adatvedelmi es Informacioszabad- sag Hatosag, an independent authority established by a cardinal law, whose responsibilities and powers are specified in Act CXII of 2011 on the Right to Informational Self-Determination and the Freedom of Information (Privacy Act).

As declared by its Recital, the Privacy Act was enacted by Parliament in order to guarantee the right to informational self-determination and the freedom of information to implement the Fundamental Law pursuant to Article VI of the Fundamental Law. The relevant provisions of the Privacy Act:

"Section 1, The purpose of this Act is to lay down, in the areas falling within its scope, the fundamental rules for data processing in order to ensure that natural persons' right to privacy is respected by controllers [...].

Section 2(1) This Act shall apply to all data processing activities conducted in the territory of Hungary, which relate to the data of natural persons, data in the public interest or data accessible on the grounds ofpublic interest.

Based on the rules presented, the Authority is an independent supervisory organ responsible for the protection of personal data. The scope of the Privacy Act extends to all the covert information gathering activities carried out by the National Security Services in the territory of Hungary and the Authority is authorised to supervise these activities. Pursuant to Section 52(1), anyone may turn to the Authority, if in his or her view any of the Hungarian National Security Services has conducted or is conducting unlawful covert gathering of information, or there is a direct threat of unlawful covert gathering of information.

The Privacy Act provides adequate instruments for the Authority to explore eventually unlawful covert information gathering and to take action against any infringement. The rules of the investigative procedure (Privacy Act Sections 52-58) grant authorisation to inspect, ask for copies, access data, entry, request information and initiate inquiries similar to the ombudsman's procedure. Section 71 of the Privacy Act contains rules, which provide access to the necessary data for the Authority also in the case of procedures expressly affecting the National Security Services.

In addition, the Authority may use the data including national classified data accessed in the course of the investigative procedure also in its data protection procedure. As a result, for instance, it may prohibit the unlawful processing of personal data, order the erasure of unlawfully processed personal data, order that information be provided to the data subject, if the controller denied that unlawfully, and it may levy fines. These are much stronger powers than that of the ombudsman's procedure referred to as independent external control invoked in the judgment.

In its practice of applying the law, the Authority's point of departure is that covert surveillance by its very nature deprives the data subject from the possibility of direct legal remedy, hence, independent external data protection supervision is the key element to the protection of informational privacy in this area. Accordingly, the Authority investigates every complaint or notification concerning covert surveillance received from citizens irrespective of whether the circumstances described in the submission referred to covert gathering of information, or whether the data subject can be informed of the results of the procedure. Annually, the Authority receives roughly 10-20 notifications with this subject matter.”

From the viewpoint of the transformation of the external authorisation system of covert information gathering for national security purposes, over and above the provisions of the Fundamental Law and the Privacy Act, Decisions 2/2007. (I. 24.) AB and 32/2013. (XI. 22.) AB of the Constitutional Court have to be taken into account also.

“Decision 32/2013. (XI. 22.) AB and the judgment focus on the preliminary supervision of covert information gathering, i.e. external authorisation. Preliminary external authorisation is one of the elements of the set of guarantees protecting informational privacy, which is important, but insufficient in itself. The procedural order of preliminary external authorisation is characterised by tight timeframes, a rather tied supply of evidence (decision has to be made on the basis of a documentation selected, edited and formulated by the entity submitting it), the full exclusion of the public and the absence of the adversary procedure. Because of this, in accordance with the guidance of Decision 2/2007. (I. 24.) AB, it is expedient to look at the entire system of control over covert information gathering jointly and in context and seek a legal regulatory solution, which, overall, allows adequate protection against unlawful (unnecessary, disproportionate) surveillance of citizens by the secret services. In other words, a multi-stage (preliminary, interim and subsequent) and multi-agency (internal controls by the National Security Services, supervision by the parliamentary committee, the entity entitled to external authorisation and the data protection authority) control system has to operate adequately in total to achieve the above-mentioned goal.”

It follows from its function stipulated in the Fundamental Law and its responsibilities set forth in the Privacy Act that the Authority is responsible for the subsequent supervision of covert information gathering, including the investigation of complaints and notifications, taking or initiating the necessary measures in relation to covert information gathering whether subject to external authorisation or not. According to the Authority's position, therefore, the unity of the subsequent data protection supervisory system should not be disrupted, so the investigation of citizens' complaints concerning cover information gathering subject to external authorisation should not be delegated to another entity. The reinforcement of the safeguard role of subsequent control was enabled by the amendment to the Privacy Act, on the basis of which the Authority may launch investigations also ex officio in relation to the covert gathering of information.

Several types of regulatory models can apply when the preliminary external authorisation system of covert information gathering is transformed. In terms of the independence of external control and the principles of the separation of powers and public law, the transfer of external authorisation powers, currently vested in the minister of justice, to the court of justice would be an unacceptable solution.”

The judgment, however, allows for an interpretation according to which the preliminary authorisation powers of the minister would be retained. In relation to this, the Authority's recommendations sent to the Legislative Committee of the Parliament in 2016 underlined the following:

• “The results of an earlier data protection investigation carried out using a statistical analysis of several years of data from external authorisation procedures for covert information gathering indicated that, in the case of the external authorisation powers of the minister of justice, single-person decision-making authority may clash with the requirement of informed decision-making. Every year, the directors-general of the National Security Services submit such a large number of submissions that a single person - the minister - cannot possibly review them in sufficient depth before making a decision on authorisation. Because of this, if these powers continue to remain within the ministerial framework, in the Authority's opinion, the establishment of a committee should be considered which should be entrusted with the task of screening the submissions for lawfulness and necessity, and to put forward recommendations as to whether they can be authorised prior to ministerial decision-making. The members of this committee would include experts with the necessary special national security knowledge, delegated by government agencies with an interest in the lawfulness of covert information gathering (such as the Ministry of the Interior, National Security Services). This committee would, therefore, not implement independent external control, instead its role would be to facilitate the lawfulness and the informed character of the ministerial decisions to be made concerning external authorisation and thereby fulfil its role in protecting rights. Regulatory framework for establishing the committee can be created by amending the Act on National Security Services.

• In view of the provisions of the judgment, if the minister's external authorisation powers are maintained, it is inevitable to subject it to independent external control. From a public law point of view, there is nothing to impede the Authority in fulfilling this role as it is an independent data protection supervisory authority as specified in the Fundamental Law, and whose powers in any case include the subsequent supervision of the lawfulness of covert information gathering. The Privacy Act provides the appropriate regulatory framework for the performance of this task, including the investigative authorisations needed to establish the facts of the case and to take the necessary measures in the event of a ministerial decision infringing informational privacy. Essentially, it would suffice to supplement the Privacy Act with the statement that the Authority continuously supervises the lawfulness of the ministerial authorisation of covert information gathering.”⁵ were designed so as to place NBSZ in a decision-making situation concerning an issue significant from a data protection point of view specified in advance throughout the execution of the test. We were not satisfied with modelling situations typically occurring in the case of covert information gathering, we also included the testing of situations rarely arising under real life circumstances in the test catalogue of the audit plan, if we could check the enforcement of an important data protection requirement through the given tests.

Test plans were only accessible to the designated contact persons of the National Security Services who were subject to a confidentiality obligation.

In general, the Authority provided the devices, equipment and materials used in the test situations. Members of the Authority's staff acted as target persons in the test situations, as well as the other persons concerned in the course of the covert gathering of information, and the officers of the organisation ordering the service (usually the fictitious Civic Surveillance Service).

The Authority examined the entire process of the procedures related to covert information gathering by the National Security Services under circumstances similar to reality. Every test started off by the Authority handing over the documentation of the order corresponding to the fictitious facts of the text case to the National Security Services on behalf of the non-existent Civil Surveillance Service, including the service notes completed with fictitious data and the fictitious external authorisation in the case of covert information gathering subject to external authorisation. In the course of the preparation and implementation of the tests, the National Security Service acted in every respect as a service provider within the meaning of Section 8(1)(a) of the National Security Services Act.

The implementation of the test was documented by a designated staff member of the National Securities Service in a protocol. (Incidentally, this would be a task of the Authority, but this was the only way for us not have access to information for which the Authority is not authorised pursuant to the provisions of Section 71 of the Privacy Act and which was in any case not necessary for the implementation of the tests.) At the same time, the staff members of the Authority documented in a memo drafted on the given test if, as officers of the Civic Surveillance Service, they consulted the staff members of the National Security Service or, for instance, received extraordinary “operative information” on the fictitious covert information gathering. In this way, the communication and interaction between the National Security Service and the commissioning organisation became fully verifiable.

The National Security Service gathered, recorded and processed information in the course of the tests as if it was providing services “live”. The nature of the documentation handed over to the Authority as a result of the secret information gathering tests (for instance, protocol, video recording, sound recording, expert opinion, etc.), as well as the degree of processing of the information, their data content and format were the same as in the case of actual covert information gathering. In the period between April 2016 and February 2017, 34 covert information gathering tests were implemented.

The audit profoundly confirmed the commitment of the National Security Services for the lawfulness of data processing, at the same time the tests explored a few details of the activities related to covert information gathering, in relation to which the Authority made observations and recommendations with a view to the high-level enforcement of the data protection requirements”.

Comprehensive data protection audit of the covert information gathering activities of National Security Services⁶

The Authority also conducts procedures aimed at facilitating the lawfulness of data processing related to the special activities of the National Security Services. In 2016, upon the initiative of and in cooperation with one of the National Security Services, the Authority carried out a data protection audit whereby it supervised the lawfulness of the application of the individual means and methods of covert information gathering through practical tests. This activity by the Authority was based on a novel data protection supervisory method unprecedented even in an international comparison.

“The core of the method developed for the data protection audit of covert information gathering is that in the experimental situations designed by the Authority, NBSZ should carry out its service provider activities related to covert information gathering under circumstances as similar to reality as possible.

The tests extended to all the means and methods of covert information gathering subject to external authorisation listed in Section 56 of the National Security Services Act and to those of the means and methods not subject to external authorisation, which were relevant from the viewpoint of the protection of personal data.

Referents

1. Section 5(2) of Act X of 1990 on the Transitory Regulation of Authorisation of Special Secret Service Devices and Methods.

2. It was promulgated by Act XXXI of 1993 in Hungary.

3. Ruling of the European Court of Human Rights (ECHR) in the case launched by Dr. Beatrix Vissy and Dr. Matй Daniel Szabo on 12 January 2016.

4. The judgment of the Court of Justice of the European Union in Case C311/18 Schrems II declared Commission implementing decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US privacy shield under Directive 95/46/EC of the European Parliament and of the Council invalid.

5. Case No. NAIH/2016/6396/3/J.

6. See in detail: Attila Pйterfalvi: Jubilee publication “25 йves az NBSZ”, pp. 79-86. Specialised National Security Service, Budapest, 2021.

7. Report of the Nemzeti Adatvйdelmi йs Informacioszabadsag Hatosag (Hungarian National Authority for Data Protection and Freedom of Information) on its activities in 2016.

Размещено на Allbest.ru