


Data Extraction vs. Data Protection: Public Concerns over Cellebrite Use by the Tax Authority


published on 23 September 2025 | reading time approx. 3 minutes


Recently, the Latvian media has discussed a potential threat to data privacy. The national tax authority, the State Revenue Service (SRS), purchased software developed by “Cellebrite” to combat the shadow economy. This software provides law enforcement agencies, businesses, and service providers with tools to collect, review, analyze, and manage digital data. It allows data to be extracted from mobile devices running iOS or Android operating systems, as well as from SIM cards and other digital platforms. The system's functionality is extensive, providing access to both active and deleted data. According to public sources, it is widely used around the world and has been used in approximately 5 million investigations to date.

Based on the available information, the SRS intends to use it only for specific economic operators or individuals identified as being at high risk of tax evasion. This action caused public concern about possible data security risks. Therefore, it became necessary to determine whether these concerns were justified, especially considering that there have been documented cases in the EU where Cellebrite software was misused by authorities to unlawfully access and extract data from the phones of journalists and activists, leading to privacy breaches and human rights concerns. Such incidents highlight the risk of digital forensic tools being used in bad faith and infringing on the privacy of individuals.

The Digital Data Division of the SRS Digital Environment Data Control and Knowledge Department provided information to reassure the public that “Cellebrite” is an electronic tool for obtaining evidence that will only be used to detect tax evasion. Furthermore, to ensure that the software is used for its intended purpose, access to device data is only possible in the presence of inspectors. This ensures that the software will not be used for “control of the public” by gaining unjustified access to personal data.

However, despite these assurances, the public remains skeptical that the software's actual use would not affect the protection of personal data. To balance the conflicting interests in this case and ensure continued public trust in state action, the SRS must ensure transparency regarding the software's use, provide responsible personnel with training, implement strict access controls, data minimization, audit trails and monitoring mechanisms, and document data processing cases.

The scope of the GDPR excludes cases where competent authorities process personal data for the purposes of preventing, investigating, detecting or prosecuting criminal offences, or executing criminal penalties, including to protect against and prevent threats to public security. Accordingly, the provisions of the GDPR would not apply to such cases. Consequently, the SRS has a duty to ensure that data processing activities do not extend beyond the stated purpose.

Although Cellebrite as a software developer has terminated cooperation with certain state authorities in other countries when misuse was discovered, this alone does not guarantee that all activities in Latvia will fully comply with legal and ethical standards. The existence of strict licensing policies and the developer’s own interventions are important, but they cannot by themselves ensure that the software will always be used lawfully in every context. 

Given the track record of software misuse in other countries, it is almost inevitable that similar abuses of the software will eventually be uncovered in Latvia as well. The developer’s decision to end cooperation after violations are found is not a sufficient safeguard to prevent future misuse or ensure full compliance from the outset. Thus, this topic will remain highly relevant in the future, likely giving rise to new trends and debates regarding the interpretation of GDPR and local privacy regulations. Ongoing scrutiny and evolving legal perspectives are to be expected as the use of such technologies continues.

DATA PROTECTION BITES

AUTHOR


Staņislavs Sviderskis

Assistant Attorney at law, Cyber & Information Security Expert

Senior Associate

+371 6733 8125


Sintija Ņedosvitnaja

Assistant Attorney at law

+371 6733 8125
