by Molly Killeen
Lawmakers adopted on Monday (8 May) a non-binding report and recommendation on the use of Pegasus and other spyware in the EU, calling for an effective ban on the technology unless certain conditions are met by the end of the year.
The documents result from an ad hoc committee set up last year to investigate Pegasus and equivalent surveillance software, following the 2021 revelations that governments worldwide had systematically deployed the NSO-provided spyware.
The text, based on 15 months of investigation, also includes country-specific recommendations. The report was adopted with 30 votes in favour and three against; the recommendations received 30 for and five against. The two will be voted on by the full Parliament at its next plenary session.
The report is “the most comprehensive overview ever of the illegitimate use of, and trade in, spyware in and through the EU,” rapporteur Sophie in ‘t Veld of the liberal, centrist Renew Europe told EURACTIV, adding that it “paints a highly alarming picture”.
“De facto moratorium”
The amended report contains a key change to the draft report’s provision covering the regulation of spyware. To continue using spyware, the report’s final version says EU countries should fulfil certain criteria by 31 December 2023, described as a “de facto moratorium” by Saskia Bricmont, a Green lawmaker.
The conditions they must meet include investigating fully alleged abuses, providing an adequate governing framework in line with European law, committing explicitly to involve Europol in investigations into its illegitimate use, and repealing export licenses that are not in line with the EU’s Dual-Use regulation.
According to the resolution, the European Commission should assess whether these conditions have been fulfilled and publish their conclusions in a separate report by 30 November. The EU executive has so far declined to get involved in this matter, branding it as a member states’ issue.
The report also includes calls for action at several levels on a variety of topics, including the rights of non-targeted persons whose data is collected during surveillance, the inclusion of specific markers to help identify the tech used, and the establishment of a Commission taskforce to ensure the integrity of the 2024 European elections.
Speaking ahead of the vote, MEP in ‘t Veld highlighted the need to enforce existing legislation that could help tackle the abuse of spyware, such as the ePrivacy Directive, the Dual-Use Regulation, and the General Data Protection Regulation (GDPR).
“The problem is: If it’s not enforced and if member states consider that national security means an area of lawlessness where the EU laws don’t apply and where the EU and basically nobody has access, then what’s the point in having legislation?” she asked.
Country recommendations
Also in the report are specific recommendations for five countries where abuse of spyware has been identified, covering what In ‘t Veld said were the two main clusters of problems identified by the committee: abuse of the spyware for political purposes, and its export from the EU to non-democratic countries.
For Poland, whose government has been accused of purchasing the software, the report urges the public prosecutor general to launch an inquiry into its abuse and calls for greater clarity on the situation to safeguard upcoming elections. It also seeks the introduction of legislation to protect citizens, and action to ensure full judicial independence and compliance with EU law.
The report has also been updated to call on the Hungarian government to comply with European-level rulings on the independence of the judiciary and to implement the EU Whistleblowers Directive.
It also expands an earlier provision on institutional and legal safeguards to stipulate that clear justification be provided in instances of surveillance and that targets be informed of the fact, duration, scope, and manner of data processing linked to the operation.
In the case of Greece, where the spyware scandal has had major and continuing ramifications, the text calls on Athens to ensure that the judiciary has the support it needs to investigate the abuse of spyware and that the government refrains from interfering in the work of the chief prosecutor.
Where the draft report urged the reversal of a 2019 amendment that placed the Greek intelligence services (EYP) under Prime Minister Kyriakos Mitsotakis’ direct control, the final report goes a step further, calling for constitutional guarantees and parliamentary control of its operation.
In Spain, the government has been accused of using Pegaus software against politicians linked to the Catalan independence movement. The spying software was also found to have infiltrated devices belonging to Prime Minister Pedro Sanchez and other members of his government.
The report calls on Spanish authorities to conduct a “full, fair and effective investigation” into alleged abuses and to provide the targets of abuse with adequate access to information about their cases. The report also calls for the start of a reform of the national intelligence service, announced last year.
Cyprus, where much of the focus is on the trade of surveillance tech, is again urged to conduct a thorough assessment of the shipment of spyware within the EU’s internal market and of any Israeli companies involved in the business that are registered in the country.
“While acknowledging that the report is not binding and could have been more ambitious on certain aspects, its implementation would be a key step for accountability, transparency and the rights of the victims,” MEP Bricmont told EURACTIV.
*first published in: Euractiv.com