The protection of privacy in the course of covert collection of information for national security purposes

Ðàçìåùåíî íà http://www.allbest.ru/

The protection of privacy in the course of covert collection of information for national security purposes

Attila Péterfalvi

Ph.D., President of the Hungarian National Authority for Data

Honorary Professor of

National University of Public Service (Budapest)

Honorary Professor at Károli Gáspár University

of the Reformed Church, at Pázmány Péter Catholic University

and also at Eötvös Lóránd University in Hungary

Doctor Honoris Causa of

Kyiv University of Law of the NAS of Ukraine

Abstract

collection information freedom

Recently, the “Pegasus” spyware case has focused attention on issues related to the covert gathering of information: the case has reopened the debate on whether privacy can be protected during the covert gathering of information, as in these cases the data subject is not aware of the surveillance and is therefore restricted in the exercise of his or her rights as a data subject.

In the second half of the paper, the findings of the investigation of the Hungarian National Authority for Data Protection and Freedom of Information launched ex officio concerning the application of the “Pegasus” spyware in Hungary are presented.

The conclusion of my study is that the tools and methods of covert gathering of information inevitably violate the privacy of the person concerned. As the data subject's ability to exercise his or her rights in the course of processing for national security purposes is limited, the exercise of these rights, and the effective protection of these rights, can be achieved, as in the case of law enforcement processing, through the intervention of the competent supervisory authority.

The publication is based on the findings of the investigation conducted by the Hungarian National Authority for Data Protection and Freedom of Information.

Evaluation of the Hungarian regulation in force from the viewpoint of the safeguards - investigation of the use of the “Pegasus” spyware in Hungary

Let us then examine whether the authorisation of covert information gathering for national security purposes as set forth in the Hungarian regulations in force meets the above criteria and provides sufficient guarantees for the protection of the privacy of the person under surveillance.

Based on the regulation in force applicable to covert information gather for national security purposes, it can be established that as far as the authorisation powers of the minister of justice are concerned, there have been no amendments to the legal regulation, so the rules in force at present are the same on account of which the European Court of Human Rights condemned Hungary.

I, however, attach importance to underlining that in the course of aligning the Privacy Act with the General Data Protection Regulation1 (hereinafter: GDPR)2 the Authority was authorised to initiate an investigation or a data protection procedure ex officio. This enables the Authority to launch investigations or data protection procedures to audit covert information gathering for national security services ex officio. This happened also in relation to the use of the “Pegasus” spyware.

“In terms of the processing of personal data, Act CXII of 2011 on the Right to Informational Self-Determination and the Freedom of Information specifies the legal framework of general data protection for covert information gathering.

From the perspective of the Privacy Act, covert information may be gathered for the purposes of law enforcement (prevention, investigation and detection of criminal acts) or for the purposes of national security. Pursuant to Section 2(3) of the Privacy Act, the substantive and procedural rules of the Privacy Act shall apply in both cases to these data processing operations and their supervision. It is, however, important to note that whereas data processing for the purposes of law enforcement is subject to EU law, i.e. the Law Enforcement Directive3transposed into Hungarian law by the provisions of the Privacy Act, data processing for national security (and defence) purposes is outside the scope of EU law and it is within the regulatory and administrative competence of the Member States. Both Article 2(2)(a) and Recital (16) of the General Data Protection Regulation (GDPR) and Recital (14) and Article 2(3)(a) of the Law Enforcement Directive are unambiguous concerning the fact that the processing of personal data carried out in the course of activities related to national security is outside the scope of EU law. This means that national security as the subject matter of legislation and the application of the law is exclusively within the scope of authority of the Member States according to EU law.”

I would not dare to predict how the European Court of Human Rights would assess the law amendments since 2016 with regard to external control over the authorisation within the executive power (by the minister of justice); however, I find it important to show the depth of the supervision carried out in relation to the use of the “Pegasus” spy software and the types of documents that the Authority checked.

Pursuant to Section 54(1) of the Privacy Act, in the course of its investigation, the Authority may have access to and may make copies of all data processed by the controller subject to the inquiry that are presumed to relate to the case at hand and it may have the right of access to and may request copies of such documents, including documents stored in an electronic data medium. The Authority may learn about the data processing associated with the case under investigation, it may enter the premises serving as the venue of processing, it may have access to the tools used for performing the processing operation and it may have the right to request written or oral information from the controller subject to the inquiry and from any employee of the controller. These investigative powers, however, are not limited to the controller as the Authority may request written information and copies of any data associated with the case under study including data stored in an electronic data medium not only from the controller, but also from any organisation or person associated with the case subject to the inquiry. The controller subject to the inquiry and any other organisation or person associated with the case under investigation shall comply with the call of the Authority within the period specified by the Authority. (It was on the basis of this provision that the Authority con- tacted Amnesty International Magyarország Egyesület, as well as Amnesty International Secretariat, unfortunately, unsuccessfully as a result of the absence of their cooperation).

“The Authority's responsibilities and powers for the supervision of data processing by the National Security Services and, within that, the control of the lawfulness of the covert information gathering is rather wide also in an international comparison. In the course of its investigation, the Authority contacted the data protection authorities of the Member States and requested information concerning their responsibilities and powers to take action to control data processing for national security purposes. It transpires from the responses of the data protection authorities of the EU Member States that the supervisory authorities of numerous Member States do not have supervisory or controlling powers with regard to data processing by the National Security Services, in particular, their covert information gathering, and the majority of the Member States authorities, which according to their national law are authorised to supervise data processing for national security purposes, have never yet carried out an investigation of this kind.

In the course of controlling the lawfulness of external authorisation by the minister of justice, the Authority examined the submission in every single case to see whether it complied with the formal and procedural requirements set forth in legal regulation.

Within this, the Authority examined whether the submission for covert information gathering came from the director general of the National Security Service authorised to secretly gather information and whether it contained all the data set forth in Section 57(2) of the National Security Services Act. The submission must include the location of the covert information gathering, the name(s) or circle of the person(s) concerned, and the available data suitable for identification, as well as the description of the covert information gathering (i.e. the means and methods to be applied) and the justification of its necessity and the start and end dates of the activity (and in the case of a submission related to an exceptional authorisation according to Section 59 of the National Security Services Act justification of the fact that it was indispensably necessary in the given case for the successful operation of the National Security Service).

When investigating the lawfulness of external authorisation, the Authority examined whether there was adequate verification of the fact that the covert information gathering was necessary in the interest of national security. The Authority's investigation therefore extends to the existence and the nature of the interest of national security. Section 74(a) of the National Security Services Act defines the interpretation of “interest of national security”; by comparison with the given facts of the case, it can be established or excluded whether interest of national security obtains. As the Authority may examine with regard to every data processing operation whether it restricts the right of the data subjects to informational self-determination to the necessary and proportionate extent, therefore, even where the interest of national security is invoked, it must be examined whether the enforcement of the interest of national security in the given case restricts the right of the data subjects concerned to informational self-determina- tion and the right to privacy to a necessary and proportionate extent by the covert information gathering.

The Authority also examined whether there was sufficient verification in the submission concerning the external authorisation of the covert information gathering that the purpose of data processing cannot be achieved without it and whether the requested use of the means and methods is necessary. The submission is also to verify whether the covert information gathering is indispensably necessary for the requested period, and the Authority examines whether the authorisation was requested for a maximum of ninety days, or if that period was extended by another ninety days via a new submission and justification as required by law.

The Authority is also responsible for examining whether the decision of the minister of justice reasonably follows from the facts set forth in the submission. The minister brings the decision on whether to approve the submission or to reject it if it is unfounded within 72 hours from its receipt. This means that the Authority examines not only the formal and procedural requirements of the submission, but also the decisions made by the minister of justice on the individual submissions.

It is important to examine in the case of every decision whether the minister of justice justifies the granting of the external authorisation in view of the facts and circumstances detailed in the given submission. Point 1 of Constitutional Court Decision 32/2013 (XI.22.) AB referred to the obligation to provide justification for the external authorisation as a precondition to the enforcement of ex post external control by specifying a constitutional requirement. Consequently, the justification must be sufficiently detailed and individualised so that it should enable the control of the facts and circumstances taken into account in making the decision and the adequacy of the content of the decision made on the basis of these facts and circumstances in the course of ex post external control.

On the basis of the legal provisions mentioned has carried out its examination of the lawfulness of the external authorisation, in relation to the conformity of nearly one hundred submissions and related decisions of the minister of justice, along the following questions:

Were the submissions compliant in terms of formal and procedural rules?

Was the submission received from the director general?

Did the submission include all the data specified in Section 57(2) of the National Security Services Act?

Was the authorisation granted within the time limit?

Did the validity of the authorisation exceed 90 days?

Was justification attached to the authorisation?

If there was exceptional authorisation, were the rules thereof complied with?

Did the submission verify that the covert information gathering was needed in the interest of national security?

Did the submission verify that the purpose of data processing could not be achieved without the covert gathering of information?

Did the submission verify that the use of all the means and methods requested were necessary?

Did the submission verify the necessity for the duration of covert information gathering requested?

Did the decision of the minister of justice reasonably follow from what was said in the submission?

Did the minister of justice justify the granting of the external authorisation with sufficient detail reflecting on the facts and circumstances presented in the submission?

During the on-site procedures, the Authority also examined whether the documentation of the classification applied complied with the provisions of Act CLV of 2009 on the Protection of Classified Data (Mavtv.)

The procedure of the Authority is of outstanding significance also because data subjects have limited possibil- ity to exercise their data subject's rights in the course of processing for national security purposes, so the Authority is able to exercise their rights according to the Privacy Act instead of, and on behalf of, the data subjects. (According to Section 48 of the National Security Services Act, the director general of the National Security Service may refuse to provide information on data processed by the national security services or to erase personal data at the request of the data subject, on grounds of national security or in order to protect the rights of others, and the director general may restrict the right of access of the data subject in connection with the classified data of the national security ser- vices, as provided for in Act CLV of 2009 on the Protection of Classified Data, on grounds of national security. As a safeguard it can be mentioned that the National Security Services have the obligation to keep records of requests received from data subjects, the mode of their adjudgment and the reasons for their refusal and to report to the Authority on these annually).

As regards processing for law enforcement purposes, Article 17 of the Criminal Justice Directive obliges Member States to adopt provisions where national law provides for the delay, restriction or suspension of the exercise of the rights of the data subject4 whereby “the rights of the data subject may also be exercised through the competent supervisory authority”.

Since the rules on data processing for law enforcement purposes laid down in the Privacy Act5, pursuant to the Criminal Justice Directive, apply with regard to data processing for law enforcement purposes - with some exceptions expressly provided for in the Privacy Act -, the data subject may exercise his rights in accordance with the above provisions of the Privacy Act6 with the assistance of the Authority, in the event of refusal to provide information pursuant to Section 48 of the National Security Services Act. For this reason, the Authority will have to conduct an ex officio investigation in the case of every data subject appearing in the news, even if the data subjects do not wish to make use of the enforcement possibilities provided for them.

In the course of the Authority's investigation, no information was found that the bodies authorised to covertly gather information subject to external authorisation according to Section 56 of the National Security Services Act would have used the spyware for any purpose other than those specified by the manufacturer (prevention and detection of criminal acts and acts of terrorism), and the discharge of the duties specified by law. According to the information made available to the Authority in the course of its investigation, the Specialised National Security Service used the technical tool subject to its investigation in the course of the provision of its services in the field of the covert surveillance of information systems and premises.

The Authority also established that the contractual conditions concerning the use of the technical tool stipulate that the contracting party is to take all the measures to prevent access by any unauthorised external party to the personal data affected by the use of the tool. According to the position of the Authority, the data protection provisions of the contract provide the requisite guarantees for this purpose.

No data were found in the course of the Authority's investigation that would cast doubt on whether the Specialised National Security Service has acted, and is acting, when using the technical tool, in accordance with the relevant legal regulations, the provisions regulating the organisation of public administration and, in the case of contractual relationships, its obligations undertaken in the contract.

With respect to the conditions of using the covert gathering of information subject to external authorisation, it is important to underline that the Hungarian law in force does not differentiate by vocations or professional activities, i.e. it does not restrict the authorisation of the National Security Services to carry out the activities under Section 56 of the National Security Services Act for any profession (e.g. “journalist, human rights activist, opposition politician, lawyer and businessman”). In this respect, it is warranted to refer to the definition of national security interest according to the law in force7:

“To secure the sovereignty and protect the constitutional order of the Republic of Hungary and, within that framework,

aa) to detect aggressive efforts against the independence and territorial integrity of the country,

ab) to detect and prevent covert efforts which violate or threaten the political, economic, defence interests of the country

ac) to obtain information of foreign relevance/origin necessary for government decisions,

ad) to detect and prevent covert efforts to alter/disturb by unlawful means the constitutional order of the coun- try ensuring the observance of fundamental human rights, representational democracy based on pluralism and the constitutional institutions, and

ae) to detect and prevent acts of terrorism, illegal weapons dealing and trafficking in drugs, and illegal traf- ficking in internationally controlled products and technologies;”.

In the course of its procedure, the Authority has to clarify how it could happen that personal data indicating that covert gathering of information took place against the data subjects were published. Unfortunately, the Authority's investigation has failed to clarify how the phone numbers that may be linked to Hungarian individuals, which Amnesty International's Security Lab unit found to have been infected by the spyware, could have been disclosed during the so-called Pegasus Project fact-finding investigation. At the same time, it can be clearly established that such data should not have been disclosed because according to the principles of processing personal data as set forth in Section 4(1)-(3) of the Privacy Act, personal data can be processed only for clearly specified and legitimate purposes in order to exercise certain rights and fulfil obligations. Data processing must comply with the purpose of processing in all its stages; data shall be collected and processed fairly and lawfully. Only personal data that is essential and suitable for achieving the purpose of processing may be processed. Personal data may be processed only to the extent and for the period of time necessary to achieve its purpose. The personal data will retain this quality during processing as long as the relationship with the data subject can be re-established. The link with the data subject can be re-established if the controller has the technical conditions necessary for the re-establishment.

Pursuant to Section 4(4a) of the Privacy Act, the controller shall ensure adequate security of personal data by applying appropriate technical or organisational measures during processing, in particular measures to protect against unauthorised or unlawful processing, accidental loss, annihilation or damage to data. The controller shall ensure an adequate level of security of the personal data processed and the fundamental rights of the data subjects by implementing technical and organisational measures appropriate to the extent of the risks represented by the processing. In designing and implementing the technical and organisational measures, the controller shall take into account all the circumstances of the processing, in particular the state of science and technology at all times, the cost of implementing the measures, the nature, scope and purpose of processing and the risks of varying likelihood and severity to the rights of data subjects presented by the processing.

The use of the technical tool under investigation requires respect for the principles of integrity and confidentiality, including protection against unauthorised or unlawful processing and accidental loss, annihilation or damage, by applying appropriate technical and organisational measures.

Pursuant to Section 3(26) of the Privacy Act “personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised transfer or disclosure of, or unauthorised access to, personal data transferred, stored or otherwise processed.”

The Authority's investigation therefore also covered whether a personal data breach could have occurred in the context of the use of the technical tool by the data controllers investigated by the Authority. The Authority's investigation did not identify any information indicating that such a personal data breach had occurred.

In the course of its procedures, the Authority made use of an expert in information security, who explained in his opinion that the circumstances of the data leakage are not known, it can, however, be assumed that data security was breached in some way, as presumably an unauthorised access to personal data took place, so it cannot be excluded that there was a personal data breach.

In the event that there was no data breach but an unauthorised third party had unauthorised access to the personal data processed, it is punishable according to Act C of 2012 on the Criminal Code (hereinafter: Criminal Code), several criminal offences may have been committed (e.g. Criminal Code Section 219: misuse of personal data, Criminal Code Section 265: misuse of classified data, Criminal Code 261: spying, Criminal Code Section 423: information system or data breach, Criminal Code Section 424: circumvention of a technical measure to protect an information system).

In view of the above, it cannot be ruled out that a criminal offence has been committed, therefore the Authority initiated criminal proceedings with the investigating authority pursuant to Section 70 (1) of the Privacy Act.

Annex

Presentation of the “Pegasus” spyware based on the analysis of the expert in information security invited by the Nemzeti Adatvédelmi és Információszabadság Hatóság.8

“The leaked list containing phone numbers

A “leaked” list containing some 50,000 phone numbers is a key element of the Pegasus Project. According to the Pegasus Project, the phone numbers in the list have been involved in the activities of the Pegasus spyware in one way or another since 2016. The data included the time and date of the selection of the numbers and their entry in the system.

The source of the list is unknown and there is no information available about the circumstances of the leakage. It is not known who compiled the list on what basis and how the list was obtained by the Pegasus Project umbrella organisation or Amnesty International, nor is it known what other data are included in the list in addition to the phone numbers and dates.

Based on the data in the list, the media partners of the Pegasus Project identified ten governments, which are believed to be responsible for selecting the targets9. There is a great deal of uncertainty around the list. The state- ments related to the list can be misinterpreted and do not necessarily match their direct or underlying meaning.”

“NSO Group firmly denies10 that the list could be connected to their activities or the activities of their clients; according to their position, the list is not a list of the targets or potential targets of NSO clients. NSO's response included an allusion to the fact that the phone numbers in the list may come from public services, including among others HLR search service, which is not connected to NSO or the services of the company.

The Home Location Register (HLR) is one of the “databases” of mobile service providers, which contains data pertaining to the subscriber in relation to the given service provider, entitlements to the service, current place of stay, the status of the device (switched on or off) or other subscriber data.”

“The use of the HLR search service as the source unrelated to NSO or its presence in the processes does not arise in the original investigative report of Amnesty International, it crops up directly in relation to NSO's response; it does not exclude, however, that there is a connection between the list (even as a set of data from an HLR search service provider) and the NSO service, because the use of the HLR search can be envisaged in the process of pro- pagating Pegasus, or even in additional related operations.”

“Thus, it can be concluded that inclusion in the list means specific surveillance activity only if coupled with a positive result of the examination and digital trace analysis of the device (this however was established only in the case of 37 phone numbers according to the investigative report). In such a case it may become apparent that there is a connection between the time and date of the inclusion in the list and the specific infection.

It was stated in several analyses that it seems unimaginable that secret services or other government agencies of several nations would upload data related to eventual targets into a common (even jointly used cloud) system because such data are processed in house by all such organisations because of classification and confidentiality.

This opinion was confirmed by a leaked document presenting the infrastructure necessary for the operation of Pegasus. The document is a product presentation, presumably from 2013 produced by the person in charge of pro- ducts at NSO. Based on the document, clients operate on their own side of the system, i.e. “targeting” is done on the client's side.

In relation to the leakage of the list containing the phone numbers, it was raised on several occasions that the data were leaked from a Cyprus server.”

“NSO claims that it has no servers in Cyprus, and they checked several data in the list and none of them are connected to any of their clients.”

“The journalists of the Pegasus Project identified about a 1,000 phone numbers, they were able to associate the person of the owners with these phone numbers.”

“The list included 300 Hungarian phone numbers. The appendix to the digital trace analysis report issued by Amnesty International shows only two Hungarian data subjects, but the Direkt36 investigative portal, the Hungarian partner of the Pegasus Project identified several phone numbers and continues to publish materials related to the Hungarian persons concerned.

Direkt36 published materials in relation to several persons concerned, whose devices could not be examined, but whose phone number was included in the original list. According to the terminology used by Direkt36, the per- sons in the list were “targeted”; this, however, did not mean that the device of the person concerned was actually infected and/or wiretapped.”

“Direkt36 published some material also about a person, whose phone number was not included in the leaked list, but he had earlier initiated an examination by the staff of Citizen Lab and Amnesty International, who did find the traces of Pegasus generated in 2021 on the device handed over for examination.”

Pegasus Agent (the ”spyware” application)

Following successful infection, a “spyware” application is installed on the device. Installation does not require the users' authorisation; it takes place without the user noticing it. The application running on the infected device provides full authorisation for the attacker with regard to the device and the data stored in it.

The Pegasus agent is integrated between the kernel of the device's operating system and the legitimate applications running on the device. This ensures that the agent can access the system functions and legitimate applications, as well as the data stored in them. The agent “sees into” the operation of the applications (for instance phone calls, text messages, chat, etc.), which means that even though a chat application may use encryption from endpoint to endpoint, the attacker is able to access the data, which are as yet unencrypted.”

“For the installation of the application, Pegasus uses the vulnerabilities of the devices or the applications running on the devices.”

“Hiding, survivability and self-destruction

Once installed, the Pegasus agent hides its operation as it functions at the kernel level of the operating system, its activity is virtually imperceptible for the user, at most the increased data traffic may betray that a fairly substantial exfiltration is taking place in the background.”

“The Pegasus agent contains self-destructive mechanisms in the event the agent is unable to communicate with its control server. In such cases, it automatically removes itself after the default 60 days, this time interval, however, can be set freely.”

“The compromising process and the underlying infrastructure”

“NSO firmly stated on several occasions that they only sell the technology, its use and operation are the responsibility of the client; however, according to WhatsApp, NSO operated the infrastructure through which the earlier “zeroday-zeroclick” attack took place affecting 1,400 users. The accessible court material reflects the wording that according to WhatsApp, the attacking activity was carried out by NSO, thus it cannot be clearly determined, based on the contradictory and somewhat vague information what the role of NSO and of the client was in the hacking process. This issue is of outstanding importance, because if devices centrally operated by NSO also participate in the hacking processes, NSO can have access to information about the activities carried out by the operator, such as the persons under surveillance or even the data collected by them.”

“The contract of 2015 specifies the required equipment in much more detail and also includes an offer for the commissioning of the equipment.

“Based on these two documents, the servers responsible for the installation of the agents operate on the client's side and the direction, configuration and updating of the agents is also implemented from these servers. The servers, which receive the data obtained from the infected devices, the GSM communications modules or text message gateways that store the collected data and the operator work stations enabling the operation of the system, also operate at the client's side.”

“Based on the details of the various support levels and debugging activities, it may be assumed that NSO's support engineers get remote access to the systems operating at the client or already have such access in order to carry out these activities. In relation to this, the question may arise whether NSO may have access to the data stored in the system through the deep-level technical support and the necessary access (whether temporary or periodic). This is so in the case of traditional external corporate IT support, and that is why such access is controlled by the more security-minded organisations that are more mature from the viewpoint of IT security, for instance, by monitoring support activities even by recording the activities on video.

The Transparency Report issued by NSO contains a statement, which according to the Darknet Diaries professional podcast raises the possibility that NSO can have insights into the data of the clients under certain circumstances. The host of the podcast and John Scott-Railton, the head of Citizen Lab's NSO research, discussed that clients are under an obligation to provide data to NSO in relation to the use of the product.

The transparency report indeed includes such a statement but in the context that NSO may launch an investigation against the given client, if suspicion of the unlawful use of the product arises. In such cases, the client must provide information, for instance, the data of the system log files, or even data related to targeting specific targets. Refusal to provide this information leads to the immediate suspension of the right to use the system.”

“Anonymizer and proxy network”

“Once the Pegasus agent is successfully installed at the target (or it is already launched), the Pegasus agent begins to communicate with the control server and the surveillance and interception, the forwarding and processing of the data begin.”

“The possibility to intercept and detect Pegasus”

“If already installed (or launched), the activity of the Pegasus agent is virtually imperceptible for users; however, iOS devices carry out system logging, in which signs of Pegasus activity can be detected by digital trace analysis and, it is possible to detect some of the signs, indicative of infection in the case of Android devices as well.

Digital trace analysis is a complex technical and administrative process based on documented and attested examination methodology, which consists of recording the digital traces, exploring the digital traces (activity, event data, logged data, process information, file characteristics, data content, transaction data, traffic data, dates, etc.), searching for connections between the information collected, their analysis and evaluation and the preparation of the report on digital trace analysis.

In other words, digital trace analysis is the reconstruction and technical/scientific examination of past digital events that have already taken place, providing answers and evidence of whether or not an event or activity has taken place, why, when and how it took place, what was its extent, what processes were affected, etc. It is an important criterion that the examination can be reproduced, thus it can provide attested evidence whether the activity or event under study has taken place.

Citizen Lab confirmed the results of the research by Amnesty International; based on the document they published, they found Amnesty International's methodology to be sound and the results of their examination correct, and both organisations found the same results in the course of their examinations independently of one another.

Although neither the Pegasus Project, nor Amnesty International disclosed the source through which they had access to the list containing 50,000 phone numbers, or the list itself, the independent investigations of the French and the Belgian governments confirmed the results of Amnesty International's investigation in relation to Belgian and French data subjects.”

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR).

Sections 20 and 23 of Act of XXXVIII of 2018 in force from 26 July 2018.

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data and repealing Council Framework Decision 2008/977/JHA.

Cf. Criminal Justice Directive Article 13(3), Article 15(3) and Article 16(4).

Privacy Act Section 2(3).

Privacy Act Sections 22, 51/A(2) and 60(1).

Section 74(a) of the National Security Services Act.

Findings of the investigation of the Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information) launched ex officio concerning the application of the “Pegasus” spyware in Hungary: https://www.naih.hu/data-protection/data-protection-reports.

Azerbaijan, Bahrein, Kazakhstan, Mexico, Morocco, Rwanda, Saudi-Arabia, Hungary, India and the United Arab Emirates.

https://www.theguardian.com/news/2021/jul/18/response-from-nso-and-governments.

Ðàçìåùåíî íà Allbest.ru