Answer given by Mr Reynders on behalf of the European Commission

13.4.2022

The Commission strongly condemns any illegal access to communication systems, or any form of unlawful interception of users’ communications. Any attempts by the national security services to illegally access data of citizens, including journalists, civil society activists or political opponents, is unacceptable.

The EU has a strong legal framework for data protection and privacy. This framework must be respected and independent supervisory authorities, including the data protection authority and the national courts, have an important role to play in this regard.

The Commission expects that these authorities, within their scope of competence, make full use of all their supervisory powers to thoroughly investigate the allegations regarding Pegasus spyware and restore citizens’ trust.

The Commission notes that the Hungarian Data Protection Authority announced the conclusion of its investigation into the matter and that the investigation by the Budapest regional investigating office of the Hungarian prosecution service is still ongoing. The Commission continues to closely monitor the issue and gather information in this regard.

The General Data Protection Regulation (GDPR)[1] requires supervisory authorities to act with complete independence. If pertinent indications were to point to a lack of independence or effectiveness in either of the Data Protection Authorities, the Commission could, if necessary, initiate infringement procedures.

• [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119, 4.5.2016, p. 1‐88.