Is the EU protecting people from Pegasus spyware?

Spyware is an extremely invasive surveillance tool and a global threat to human rights and democracy. Since the initial Pegasus Project revelations, we’ve learned that governments and private actors in over 46 countries worldwide, including EU member states, have used invasive spyware to target and silence journalists, human rights defenders, political opponents, and dissidents.

By Access Now Europe (guest author) · February 16, 2023

What action has the EU taken against Pegasus and why isn’t it enough?

Scandals involving European governments should have been a wake-up call for European institutions. Yet so far, they have taken very little action to prevent future abuses of power and to protect people from the harmful impact of such surveillance tools.

In April 2021, the European Parliament responded to the Pegasus Project revelations with great urgency by establishing the PEGA Committee to examine the use of Pegasus and equivalent surveillance spyware across Europe. So far, the committee has organised public hearings and fact-finding missions, looking into topics such as the human impact of spyware, how the spyware market functions, tech companies’ digital security procedures, and law enforcement practices. Ultimately, the committee will deliver a report and a resolution in the Parliament – neither of which are legally binding, but which could spur the European Commission to propose related legislation.

The PEGA Committee’s biggest breakthrough was getting NSO Group to confirm on-the-record that at least 14 EU countries, including Poland, Hungary, Spain, Belgium, and the Netherlands, purchased Pegasus. The company also admitted to selling its products to 22 end-users in these member states, suggesting that in any given country, multiple authorities or intelligence agencies may be using the technology.

Different obstacles prevent the PEGA Committee from effecting real change. It lacks full investigative or prosecutorial powers, and cannot order government representatives, many of whom have been reluctant to share information, to testify. Its efforts have been further hamstrung by lack of cooperation from the European Commission and Council of the EU, by national politics interfering with country-specific investigations, and by the overall opacity of the spyware sector – something the committee’s rapporteur, MEP Sophie in’t Veld, has termed “corporate obfuscation”.

Nevertheless, the PEGA Committee still has an opportunity to build on the momentum generated by spyware revelations and to change the political status quo. Despite existing human rights frameworks and safeguards, specific prohibitions must be implemented to prevent governments from abusing their power.

An EU ban or moratorium: what is the PEGA Committee proposing?

In its draft report, the committee called for an immediate moratorium on the sale, acquisition, transfer, and use of spyware. The draft report proposes that any potential use of spyware should be decided on a country-by-country basis and only if all four of the following conditions are met:

  • Any and all allegations of abuse are investigated;
  • The country consents to Europol’s proposal to investigate any abuse;
  • There is an established framework for responsible use; and
  • The country repeals any export licences that do not fully comply with EU regulations.

If the conditions are legally mandated and enforced, it will leave states with very little to no room to use spyware. However, the committee still stopped short of calling for a full ban on spyware technology in Europe – something both the European Data Protection Supervisor and former UN Special Rapporteur on freedom of expression and opinion David Kaye have argued for, due to the unprecedented human rights risks posed by this type of surveillance technology.

The European Media Freedom Act: a chance to protect journalists?

The European Media Freedom Act is a legislative proposal that aims to strengthen media independence, safeguard media pluralism, and increase transparency around media ownership. The EMFA proposes specific safeguards against the deployment of spyware on media service providers or journalists’ devices, going beyond the PEGA Committee’s suggestion for a mere moratorium. However, governments could still use “national security” as legal grounds for circumventing this prohibition.

What’s next for spyware in Europe?

On 24 January, the PEGA Committee presented its draft resolution on recommendations. The Parliament should be ambitious and push the European Commission toward a prohibition on Pegasus and similar spyware. Our knowledge of such intrusive tools tell us that, regardless of whom they are used against, there is little to no difference between their use and their abuse. There is always an incredibly high risk of harm to fundamental rights such as privacy, data protection, due process, and freedom of expression.  As such, there are grounds under the EU’s legal framework for a ban, in order to safeguard trust in democracy, reinforce checks and balances against abuses of power, and protect and promote human rights.

So far, Europe has proved to be a financial and export hub for the spyware industry. Now the EU must show its commitment to doing better in future, by taking action to ban the use of spyware within and beyond its borders.

The article was first published by Access Now Europe here.

Contribution by: Julie Fuchs, Intern, EDRi member, Access Now Europe