(STRASBOURG) – Following a year-long investigation into the use of Pegasus and equivalent surveillance spyware, the European Parliament outlined Thursday reforms it thinks are necessary to curb spyware abuse.
These include allowing the use of spyware only in exceptional cases and for a limited time, as well as targeted recommendations for Hungary, Poland, Greece, Cyprus and Spain after alleged abuses.
In the resolution, MEPs argue that the illicit use of spyware has put “democracy itself at stake” and call for credible investigations, legislative changes and better enforcement of existing rules to tackle abuse.
MEPs are calling on Hungary and Poland to comply with European Court of Human Rights judgements and restore judicial independence and oversight bodies. The two countries should also ensure independent and specific judicial authorisation before deploying spyware, launch credible investigations into abuse cases, and guarantee that citizens have access to meaningful legal remedies.
The Parliament asks the Greek government to “urgently restore and strengthen the institutional and legal safeguards”, repeal export licences that are not in line with EU export control legislation, and respect the independence of the Hellenic Authority for Communication Security and Privacy.
Noting that Cyprus has served as an export hub for spyware, MEPs say it should repeal all export licences not aligned with EU legislation. Spanish authorities should ensure “full, fair and effective” investigations, especially into the 47 cases where it is unclear who authorised the deployment of spyware. The Spanish authorities should also ensure that targeted people have real legal remedies, say MEPs.
With a view to stopping illicit spyware practices immediately, MEPs argue that spyware should only be used in member states where allegations of spyware abuse have been thoroughly investigated, where national legislation is in line with the recommendations of the Venice Commission and case-law of the EU Court of Justice, and where export control rules have been enforced.
They want EU rules on the use of spyware by law enforcement, which should only be authorised in exceptional cases for a pre-defined purpose and a limited time. MEPs argue that data falling under lawyer-client privilege or belonging to politicians, doctors or the media should be shielded from surveillance, unless there is evidence of criminal activity. They also propose mandatory notifications for targeted people and for non-targeted people whose data were accessed as part of someone else’s surveillance, independent oversight after the surveillance has taken place, and a common legal definition of the use of national security as grounds for surveillance.
To help uncover illicit surveillance, MEPs propose the creation of an EU Tech Lab, an independent research institute with powers to investigate surveillance and provide technological support including device screening and forensic research. MEPs see “strong indications” that the governments of Morocco and Rwanda have spied on high-profile EU citizens, including heads of state. Overall, they demand an in-depth review of spyware export licences, stronger enforcement of the EU’s export control rules, a joint EU-US spyware strategy, talks with Israel and other third countries on spyware marketing and exportation rules, and ensuring EU development aid is not spent on the acquisition and use of spyware.
Further information, European Parliament
The adopted text will be added here (15.6.2023)
Draft text tabled for the plenary