Published by The Lawfare Institute
in Cooperation With
In July 2021, the Pegasus Project—a consortium of 80 journalists from 17 media organizations in 10 countries—broke the story that several governments were using the Pegasus spyware against journalists, activists, politicians, academics, and even heads of state. The Pegasus Project rested on a massive data leak, which revealed more than 50,000 potential surveillance victims. The investigation identified several of NSO Group’s clients who went after unseemly targets, including both authoritarian regimes and democracies.
Following the public backlash over these revelations, the European Parliament set up a committee of inquiry (PEGA committee) to investigate the allegations concerning misuse of spyware in the region. Established in March 2022, and launched in April of that year, the committee was tasked to look into “contraventions, or maladministration in the implementation, of Union law, resulting from the use of the Pegasus and equivalent surveillance spyware.” Its mandate included the collection of evidence on how its member states, and in particular Poland and Hungary, may have been violating human rights and freedoms via spyware. On May 8, the committee adopted its final report and recommendations after a year of work.
The committee’s work included convenings with experts, requests for several studies on Pegasus, and investigatory missions to relevant states. As a component of its inquiry, the committee solicited in-depth studies and analysis. Some of these studies looked at the state of the spyware industry in the EU and the risks of proliferation, while others focused on understanding the impact Pegasus and other surveillance tools could have on EU rights under its legal framework. The European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs commissioned these studies at the request of the committee, developing a sound body of work that would allow the members of the European Parliament (MEPs) to place their findings in context.
In addition, the PEGA committee conducted investigatory missions to Hungary, Spain, Greece, Cyprus, and Poland in order to discuss how spyware was being used by public authorities and what oversight and redress mechanisms were in place. During these missions, committee members met with public officials, members of the judiciary, victims of spyware, and representatives of civil society. They also conducted a mission to Israel, to “gather information and facts, both as regards private companies that produce and sell the main spywares (notably ‘Pegasus’) and from public authorities that deliver licenses and exercise control over their use, in order to better understand the nature and the functioning of the matter.”
Now, slightly over a year later, the committee has approved its final report and issued recommendations. Out of the 38 MEPs, 30 voted in favor of both the report and the recommendations. These recommendations will be voted on by the parliament as a whole during the plenary session starting in mid-June.
The Final Report and Recommendations
Taking into account their country assessments, expert analysis, and in-depth studies, the PEGA committee found evidence of abuse and a gap in the EU governance structures to deal with the problem. The committee explicitly calls out several countries in their final report where it found reason for concern, regarding either systemic abuse of spyware tools, poor safeguards, or weak export controls, or how authorities have used spyware against critics or opponents.
In Poland and Hungary, the two nations explicitly included in the committee’s mandate, the the committee found systemic issues and accused the governments of having “dismantled independent oversight mechanisms”: in Hungary, with the objective of repressing freedom of expression, and in Poland, as a way to repress the opposition and government critics. Both countries are called upon to “comply with European Court of Human Rights judgements and restore judicial independence and oversight bodies.”
In Greece, concerns lie with “weakened safeguards” that have allowed both the use of spyware “against journalists, politicians and businesspersons” and its export “to countries with poor human rights records.” However, the committee did not find the use of spyware “to be part of an integral authoritarian strategy, but rather a tool used on an ad hoc basis for political and financial gains[.]” The committee calls on the Greek government to strengthen its framework and align its export licenses with the EU legislation. Cyprus was mentioned as a conduit for unchecked export of surveillance tools to authoritarian regimes. In Spain, by contrast, concerns are limited to ensuring that the investigations over the misuse of spyware are conducted independently. Particularly, the committee asks that victims be provided “real legal remedies.”
Given these findings, the PEGA committee recommends stronger regulations to prevent the abuse of spyware in other surveillance software. Although it does not call for a full ban on the software, it does recommend that the only member states allowed to use spyware should be ones that have demonstrated that allegations of abuse are properly investigated, national legislation is appropriate, and export control rules are adequate.
Overall, the recommendations for law enforcement’s use of spyware aim to ensure greater limits, oversight, and transparency. The PEGA committee also calls for a common legal definition of the term “national security.” The use of national security as a justification for unaccountability and as an “unlimited carve out from the normal rules” requires “criteria to determine what legal regime applies in matters of national security as well as a clear demarcation of the area where such a special regime may apply.”
In addition to stronger regulation, the committee proposes the creation of an EU Tech Lab. This lab would be an independent research institute with legal and technical components—a one-stop shop for forensic research, device screening, and legal support.
Export controls remain a primary tool for those interested in countering the proliferation of spyware. The PEGA committee calls for both an in-depth investigation on export licenses and reinforcement of current EU rules.
The committee also recommends a joint EU-U.S. spyware strategy. This is good news for the Biden administration, which on March 27 published an executive order prohibiting the U.S. government from using spyware that poses risks to national security. This also aligns with a joint statement by the governments of Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the United States on efforts to counter the proliferation and misuse of commercial spyware.
In addition to a common strategy, the committee identifies the need to develop “common rules on marketing and exportation” with countries such as Israel. As home to many of the controversial companies mentioned in the report, Israel is central to addressing the threat of spyware. However, the type of engagement and desired objective from those relations remains vague.
Lastly, the committee recommends that the EU ensures that its development aid is not used to acquire and use spyware. In her Twitter thread on the PEGA recommendations, Rand Hammoud, a surveillance campaigner at Access Now, highlights how a recent decision by the European ombudsman found that the European Commission did not carry out proper human rights impact assessments before providing support to African countries to develop surveillance capabilities.
Only the Beginning
It is a positive step that the PEGA report was adopted by an overwhelming majority. Addressing the proliferation of the spyware industry and the lack of appropriate regulatory structures to counter it is a solid move in favor of accountability.
This is not lost on the committee’s rapporteur, who after the vote stated:
Today, the committee of inquiry concludes its work. This does not mean that the work of this Parliament is finished. Not one victim of spyware abuse has been awarded justice. Not one government has really been held accountable. The member states and the European Commission should not sleep easy, because I intend to keep on this case until justice is being done.
Progress is iterative, and it is certainly a testament to the tireless work of a strong civil society that this issue has broken through the noise and become a central focus for protecting human rights. Although the PEGA committee report may not go as far as calling for a ban on spyware, it is reassuring to see the report join the repository of thorough investigations on the impact of spyware on fundamental rights.