On Thursday 15 June, MEPs adopted the recommendations of Dutch MEP Sophie in ‘t Veld (Renew Europe) on the use of spyware in the EU (see EUROPE 13178/24) by 411 votes to 97, with 37 abstentions. The European Parliament’s board of inquiry, PEGA, named after the Pegasus software, took a position at the beginning of May.
In this non-binding text, MEPs call for a common legal definition of national security justifying this type of eavesdropping and propose authorising the use of spyware only in Member States “where allegations of spyware abuse have been thoroughly investigated, national legislation is in line with recommendations of the Venice Commission and EU Court of Justice case law”.
The elected representatives want data relating to confidential communications between clients and their lawyers or concerning politicians, doctors or the media to be excluded from this surveillance, unless there is evidence of criminal activity.
MEPs also propose “mandatory notifications for targeted people and for non-targeted people whose data was accessed as part of someone else’s surveillance”. And they suggest the introduction of an independent check to be carried out following surveillance cases.
MEPs also want EU rules on the use of spyware by law enforcement agencies, which will only be possible in exceptional cases for predefined purposes and for a limited time.
They still want an in-depth investigation into spyware export licences and a stricter application of EU export control rules.
By December 2023, the Commission “should assess whether these conditions have been fulfilled in a public report”.
The MEPs also made specific recommendations to Hungary, Poland, Greece, Spain and Cyprus, where the use of spyware has been reported by the media or NGOs in the first four cases, Cyprus being considered to be a country where spyware is exported.
MEPs are calling on Hungary and Poland to respect the decisions of the European Court of Human Rights and to restore the independence of the judiciary and supervisory bodies.
The Greek government, for its part, is called upon to “urgently restore and strengthen the institutional and legal safeguards, repeal export licences that are not in line with EU export control legislation, and respect the independence of the Hellenic Authority for Communication Security and Privacy”.
Noting that Cyprus has been used as an export hub for spyware, MEPs say the country should revoke all export licences that do not comply with EU legislation.
And the Spanish authorities will have to ensure full, fair and effective investigations as the government has been accused of using Pegasus in the context of the Catalan referendum in 2017.
A debate was held the previous day in the presence of the European Commissioner for Justice, Didier Reynders.
He told MEPs that, having received responses from all Member States on the use of spyware such as Pegasus or Predator, “with the exception of Hungary and the Netherlands”, the Commission would monitor the use of spyware in the EU.
In the meantime, the Commissioner has asked the national courts and competent authorities to provide clarity on how this software is being used and to restore public trust. Furthermore, Member States cannot simply refer to the principle of national security as justification for violating the right to confidentiality of communications; they must prove that this national security would be compromised.
Link to the adopted text: https://aeur.eu/f/7ij (Original version in French by Solenn Paulic)