The director of the Catalan Data Protection Authority (APDCAT), Meritxell Borràs, appeared today in the Commission of Investigation on the Espionage of Political Representatives, Activists, Journalists and their Families by the Kingdom of Spain with the Pegasus and Candiru programs.
During his intervention, Borràs presented the conclusions of the legal report drawn up by the APDCAT at the request of this Commission. In this regard, he has reiterated the need to ban espionage tools such as Pegasus, which have no place in a State governed by the rule of law. Borràs has affirmed that Pegasus and Candiru do not respect the principle of proportionality, and has recalled that there are limits to telephone interventions and that jurisprudence shows that the concept of national security must be interpreted restrictively and be proportional.
The director has insisted that the general principles of data protection must always be respected and, of course, the principle of proportionality, both when adopting the measure and with respect to the tool used. He also mentioned the importance of respecting the principle of legality and the fact that any telephone intervention needs prior judicial authorization.
Borràs recalled that the secrecy of communications in a State of law is a unique manifestation of the dignity of the person and the free development of his personality, and he denounced that the lack of effective regulation of the intervention of electronic communications causes a deficit of democratic quality.
In addition, the director pointed out that it is necessary to consider the guarantees of the victims, who must have the right, regardless of the applicable regulations, to end up being informed of the existence of the intervention and to exercise their right of defense effectively .
Borràs has also criticized that the judicial investigations in this regard by the State courts are not exactly being simple, neither agile nor decisive, and has regretted that as a country we are late in protecting the rights of the victims of this case of espionage.
In line with the misgivings shown by several European authorities regarding this issue, such as the European Data Protection Supervisor, the Council of Europe, the UN and NGOs such as Amnesty International, the director has reiterated her concern for the use of these systems. He has insisted that data protection affects the rest of individual rights and freedoms, such as the right to freedom of expression, to physical integrity, the right to respect for private and family life, freedom of thought, conscience and of religion, the right of defense or the free right to political participation, among others.
Reported security breaches
On the other hand, the director explained that the APDCAT received three security breach notifications in relation to spying with this technology on people within its sphere of influence. Specifically, from the Hospital Clínic, the Parliament of Catalonia and the CTTI, in relation to the Government, as well as a complaint that was made to the Spanish Data Protection Agency, competent to resolve it. In this regard, Borràs has called for the APDCAT to achieve full powers and be able to act in these cases as well.
For Borràs, the reported cases clearly show the large and serious scope of people, personal data and rights affected by these infections. The three reported security breaches affect freedom of expression, the right to political participation or the right to health, and those related to them taking into account access to the personal data of an undetermined number of people.