The European Parliament’s spyware inquiry committee has adopted its final report and recommendations, condemning spyware abuses in several EU member states and setting out a way forward.
On Monday evening, the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA) adopted its final report and recommendations following a year-long inquiry into the abuse of spyware in the EU.
MEPs condemn spyware abuses that aim to intimidate political opposition, silence critical media and manipulate elections. They note that EU governance structures cannot effectively deal with such attacks and say reforms are needed.
MEPs condemn major violations of EU law in Poland and Hungary, where the respective governments have dismantled independent oversight mechanisms.
For Hungary, MEPs argue that the use of spyware has been “part of a calculated and strategic campaign to destroy media freedom and freedom of expression by the government.”
In Poland, the use of Pegasus has been part of “a system for the surveillance of the opposition and critics of the government designed to keep the ruling majority and the government in power”.
To remedy the situation, MEPs call on Hungary and Poland to comply with European Court of Human Rights judgements and restore judicial independence and oversight bodies.
They should also ensure independent and specific judicial authorisation before the deployment of spyware and judicial review afterwards, launch credible investigations into abuse cases, and ensure citizens have access to proper legal redress.
On Greece, MEPs say spyware use “does not seem to be part of an integral authoritarian strategy, but rather a tool used on an ad hoc basis for political and financial gains”. Even though Greece has “a fairly robust legal framework in principle”, legislative amendments have weakened safeguards.
As a result, spyware has been used against journalists, politicians and businesspersons, and exported to countries with poor human rights records.
MEPs call on the government to “urgently restore and strengthen the institutional and legal safeguards”, repeal export licences that are not in line with EU export control legislation, and respect the independence of the Hellenic Authority for Communication Security and Privacy (ADAE).
They also note Cyprus has played a major role as an export hub for spyware, and should repeal all export licences it has issued that are not in line with EU legislation.
On Spain, MEPs found that the country “has an independent justice system with sufficient safeguards”, but some questions on spyware use remain.
Noting that the government is already working to address shortcomings, MEPs call on authorities to ensure “full, fair and effective” investigations, especially into the 47 cases where it is unclear who authorised the deployment of spyware, and to make sure targets have real legal remedies.
To stop illicit spyware practices immediately, MEPs consider spyware should only be used in member states where allegations of spyware abuse have been thoroughly investigated, national legislation is in line with recommendations of the Venice Commission and EU Court of Justice and European Court of Human Rights case law, Europol is involved in investigations, and export licences not in line with export control rules have been repealed.
By December 2023, the Commission should assess whether these conditions have been fulfilled in a public report.
MEPs want EU rules on the use of spyware by law enforcement, which should only be authorised in exceptional cases for a pre-defined purpose and a limited time.
They argue that data falling under lawyer-client privilege or belonging to politicians, doctors or the media should be shielded from surveillance, unless there is evidence of criminal activity.
MEPs also propose mandatory notifications for targeted people and for non-targeted people whose data was accessed as part of someone else’s surveillance, independent oversight after it has happened, meaningful legal remedies for targets, and standards for the admissibility of evidence collected using spyware.
MEPs also call for a common legal definition of the use of national security as grounds for surveillance, in order to prevent attempts to justify manifest abuses.
To help uncover illicit surveillance, MEPs propose the creation of an EU Tech Lab, an independent research institute with powers to investigate surveillance, provide legal and technological support including device screening, and perform forensic research.
They also want new laws to regulate the discovery, sharing, resolution and exploitation of vulnerabilities.
On third countries and the EU’s foreign policy instruments, MEPs would like to see an in-depth investigation of spyware export licences, stronger enforcement of the EU’s export control rules, a joint EU-US spyware strategy, talks with Israel and other third countries to establish rules on spyware marketing and exportation, and ensuring EU development aid does not support acquisition and use of spyware.
MEPs adopted a report, detailing the findings of the inquiry, with 30 votes in favour, 3 against, and 4 abstaining, and a text outlining recommendations for the future with 30 votes in favour, 5 against, and 2 abstaining. ■