PEGA hearing about spyware and ePrivacy

Following the public revelations of the widespread use of Pegasus and other spyware, the European Parliament formed the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA) in March 2022.

By IT-Pol (guest author) · November 16, 2022

On 26 October 2022, EDRi was invited to a hearing on “spyware and ePrivacy”, and was represented by Jesper Lund from EDRi member IT-Pol.


Spyware can extract any information stored on a smartphone, monitor ongoing communications, and even function as an eavesdropping device for physical meetings or private residences. This makes deployment of spyware by state actors a particularly serious interference with the right to privacy and data protection guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights.

As noted by the European Data Protection Supervisor in his preliminary remarks on modern spyware, the essence of the right to privacy is likely to be compromised.

The ePrivacy Directive

The primary legal instrument to protect confidentiality of communications in EU law is the ePrivacy Directive. This Directive and its interpretation by the Court of Justice of the European Union (CJEU) have been instrumental in protecting people against mass surveillance of their electronic communications through data retention laws, although most Member States continue to ignore the rulings.

The ePrivacy Directive applies to providers of electronic communications services. Providers are required to delete or anonymise communications data (content as well as metadata) as soon as the transmission has ended, with some limited exceptions mainly for billing purposes.

Data retention laws fall within the scope of the ePrivacy Directive because they require providers of electronic communications services to retain traffic data and location data (metadata) that would otherwise be deleted. This is a restriction of the rights and obligations provided for by the ePrivacy Directive, which must satisfy the conditions of Article 15(1) of the Directive.

Accordingly, Article 15(1) has the effect of bringing national data retention laws within the scope of the ePrivacy Directive and hence EU law, even if the purpose is safeguarding national security. This is noteworthy. Member States cannot circumvent the protection under EU law by invoking broad definitions of national security.

However, the critical connection to the ePrivacy Directive is the processing obligations for service providers. In paragraph 103 of the La Quadrature du Net judgment from October 2020, the CJEU states that if Member States derogate from the protection of confidentiality of communications without imposing obligations on service providers, the protection of personal data is not covered by the ePrivacy Directive. It is only covered by national law, possibly subject to the application of the Law Enforcement Directive (LED).

Applicability of the ePrivacy Directive to spyware

Spyware such as Pegasus from NSO Group is deployed by exploiting software vulnerabilities on the devices (e.g. smartphones) of the persons targeted by this surveillance measure. The interference with the device is either done directly by state authorities or with the assistance of a private spyware vendor such as NSO. In terms of the ePrivacy Directive, the spyware vendors are clearly not providers of electronic communications services.

Since the deployment of spyware is done entirely without any processing by a provider covered by the ePrivacy Directive, the case law of the CJEU would suggest that the Directive does not apply to the processing of personal data.

However, there are other factual differences between the deployment of spyware and the data retention cases considered by the CJEU so far. This creates an alternative connection to the ePrivacy Directive which does not require processing by providers of electronic communications services.

Article 5(3) of the ePrivacy Directive, often called the “cookie law”, protects the user’s terminal equipment (e.g. a smartphone) against interference. The storing of information or gaining access to already stored information in the user’s terminal equipment is only allowed with the consent of the user.

The only exception to consent is if the processing is strictly necessary for an information society service explicitly requested by the user.

Unlike the other provisions of the ePrivacy Directive, the scope of Article 5(3) is not limited to providers of electronic communications services.

Since the conditions in Article 5(3) are clearly not satisfied for the deployment of spyware, it could be argued that the deployment constitutes a restriction of the right to protection of terminal equipment afforded by the ePrivacy Directive, and that this restriction is subject to Article 15(1). This would put national laws on spyware within the scope of the ePrivacy Directive similar to national data retention laws.

A case from Austria (C-548/21) is pending before the CJEU which could perhaps resolve the legal uncertainty about the applicability of the ePrivacy Directive to spyware. The case is about extracting information from a mobile device with physical access, which is different from remote deployment of spyware. But the case is similar in terms of the possible interference with the user’s terminal equipment and in particular the lack of processing obligations for service providers.

Other EU laws that could protect against spyware

The proposed ePrivacy Regulation is meant to replace the current Directive, but the legislative process has been very slow. As the text currently stands with Parliament and Council positions in trilogue negotiations, the ePrivacy Regulation will have largely the same scope as the current Directive. This also means the same limitations with regard to protection against spyware.

The recent proposal for the European Media Freedom Act takes a much more direct approach to regulating the deployment of spyware by Member States. Article 4 of the proposal creates rights for media service providers which include protection against deployment of spyware, though with some exceptions.

These exceptions are rather broad and leave so much discretion to Member States that the protection of journalists could easily be undermined. However, this part of the provision could be strengthened through amendments.

A similar and preferably much stronger protection of the confidentiality of communications against deployment of spyware could be extended to all individuals in the EU in a future legislative proposal.

Importance of EU law protection against spyware

Investigations of civil society organisations, journalists and the work of the PEGA committee have uncovered numerous abuses of Pegasus and other spyware. National laws of Member States do not provide adequate protection and safeguards against this intrusive surveillance. EU law should address this and uphold the protection of fundamental rights.

A second reason for protection in EU law is to counterbalance the increased information exchange between Member States, in part facilitated by EU law and EU agencies. The recently amended Europol Regulation allows Europol to receive and analyse large datasets from Member States. Large datasets can include electronic communications data obtained from bulk collection operations with spyware. The EncroChat investigation is an example of that.

Unlike traditional wiretapping of telephone services, spyware can be easily deployed across national borders. Protections against spyware in national law can therefore be undermined if other Member States can deploy spyware, especially in an indiscriminate manner, and then share the information obtained through Europol or other channels.

To prevent a race to the bottom for fundamental rights, EU law should set minimum legal standards for the deployment of spyware by Member States.

The EDRi position paper on encryption offers concrete proposals on how state hacking, including the deployment of spyware such as Pegasus, can be strictly regulated to protect fundamental rights.

Contribution by: Jesper Lund, Chairman of EDRi member IT-Pol.