In November 2019, Forbes magazine released a video, claiming that "A multimillionaire surveillance specialist comes out of the shadows with his $ 9 million van that has the ability to intercept", and that "The man behind the operation of the van [...] can with the touch of a button "empty" mobiles and access our "personal" conversations through What's app, Messenger, but also other applications that smart phones have.".
According to various articles, publications and information at the time, a van with a foreign registration plate, equipped with electronic and technical equipment to monitor and intercept private communications, was moving around in Cyprus.
The case was novel for Cyprus, and it resulted in gathering enormous public interest, mainly due to the huge impact the surveillance had on a European level. The case has many aspects worth looking into, but as it can be easily understood, one of the key aspects thereof is the violation of privacy laws.
Cyprus DPA was informed of the alleged surveillance and investigations begun. Due to the nature and the sensitivity of the case, all material collected was examined by specialized forensic examinators, both by Police experts and by a private expert specializing in telecommunications systems/networks and intertwined security issues. In addition, the electronic data extracted from the seized equipment were sent to a specialized department of Europol for further investigation and analysis.
Cyprus DPA was from the very beginning in close cooperation with the Police and they delivered their opinion aiming to assist the investigations procedure. Upon completion of the criminal investigation, the case file was sent to the Law office of the Republic, as per common practice. After the company was informed of the results of the investigation, they addressed a letter to local DPA in which, in essence, they admitted responsibility for the violation of Regulation (EU) 2016/679 and Law 125(I)/2018, and in particular they admitted that their activities resulted in the collection of mobile telephone subscriber data, during various tests that the company carried out without of course the knowledge of the devices’ users.
The result was that Cyprus DPA imposed an administrative fine of €925,000 on the company - in relation to the unlawful processing of personal data, as were the findings of the police investigation.
Aggravating and mitigating factors (Article 83 of Regulation (EU) 2016/679), were taken into consideration by our DPA, such as the company's admission as well as the confirmation received from the Law Office of the Republic of Cyprus, that, according to the experts' investigation, no device monitoring or interception of any private communication was found, as the systems operated in the context of demos without targeting specific persons/users, however, the process constituted a violation of the Principle of Legality, Objectivity and Transparency (Article 5-11 of Regulation (EU) 2016/679).
Article provided by INPLP member: Alexia Kountouri (Tassos Papadopoulos & Associates LLC, Cyprus)
Dr. Tobias Höllwarth (Managing Director INPLP)