European Commission Failing to Tackle Spyware, Lawmakers SayParliamentarians Pass Resolution Calling for Immediate Executive Branch Action
European lawmakers on Thursday slammed the EU executive branch's inaction after a parliamentary committee called for tougher rules designed to prevent spyware abuse across the world's largest trading bloc.
The European Parliament in March 2022 empaneled the PEGA Committee to investigate commercial spyware, following reports that authorities in Poland, Greece, Hungary and Spain had used such surveillance tools to monitor politicians, journalists and activists.
In May, the PEGA Committee concluded that Europe continues to be a safe haven for mercenary spyware companies such as Israel-based NSO Group, which remains one of the most active suppliers of commercial surveillance tools, in the form of its Pegasus software. Based on the committee's recommendations, lawmakers in June called on the European Commission to introduce tighter spyware export controls and permit commercial spyware's use only in exceptional cases that "present a genuine threat to national security." Lawmakers set a deadline of Nov. 30 for the executive branch to introduce legislation enshrining the recommendations (see: European Parliament Condemns Commercial Spyware).
As that deadline looms, lawmakers accused the European Commission of failing to act. On Thursday, they passed a resolution that attempts to force the European Commission to present the legislative changes recommended in May by the PEGA Committee.
At a plenary session in Strasbourg, EU lawmakers said that the European Commission's inaction had facilitated an uptick in recent spyware cases. Such cases have included the alleged targeting of exiled Russian journalist Galina Timchenko using Pegasus when she was based in Germany, as well as the Greek government's attempt to thwart investigations into spyware abuse by its ministers.
In contrast to the EU approach, lawmakers highlighted the U.S. government's blacklisting in July of European spyware firms Intellexa and Cytrox and the Biden administration's citing of the companies' risk to U.S. national security and foreign policy (see: Biden Administration Blacklists 2 Commercial Spyware Firms).
Speaking at the Thursday plenary, EU Justice Commissioner Didier Reynders condemned using spyware to illegally intercept personal communications, adding that member states cannot use "national security" as a legal basis to circumvent existing laws and indiscriminately target their citizens.
Even so, he said, the European Commission lacks adequate investigatory powers to intervene, although victims can seek justice via existing data protection rules and via the European Convention on Human Rights.
"This is not good enough," responded Sophie in 't Veld, a Dutch member of the European Parliament and rapporteur of the PEGA Committee. She said Europe is a "gangster's paradise" where there is "complete impunity" for the abuse of spyware, and for the illegal sale of spyware. "I wonder," she said, "if the commission cannot fix this, then why do we have a commission?"
She called on the commission to emulate the U.S. government's approach to banning commercial spyware companies.
Some additional protections may soon be in place. The commission last year proposed the European Media Freedom Act, designed to safeguard journalists from hacking and other forms of surveillance. EU lawmakers last month adopted the legislation. Now the European Council - part of the European Commission - is hammering out the law's final form with national governments, although some are demanding national security exemptions that would allow them to use commercial spyware to monitor domestic journalists.