- Use of spyware should only be allowed in exceptional cases and for limited time
- Targeted recommendations for Hungary, Poland, Greece, Cyprus and Spain after alleged abuses
- An EU Tech Lab could help with research, investigations and forensic analysis
In a resolution adopted on Thursday, the European Parliament outlined the reforms necessary to curb spyware abuse.
Based on a year-long investigation into the use of Pegasus and equivalent surveillance spyware, MEPs argue that the illicit use of spyware has put “democracy itself at stake” and call for credible investigations, legislative changes and better enforcement of existing rules to tackle abuse. The resolution was adopted with 411 votes in favour, 97 against, and 37 abstentions.
Recommendations to Hungary, Poland, Greece, Cyprus and Spain
MEPs call on Hungary and Poland to comply with European Court of Human Rights judgements and restore judicial independence and oversight bodies. The two countries should also ensure independent and specific judicial authorisation before deploying spyware, launch credible investigations into abuse cases, and guarantee that citizens have access to meaningful legal remedies.
Parliament asks the Greek government to “urgently restore and strengthen the institutional and legal safeguards”, repeal export licences that are not in line with EU export control legislation, and respect the independence of the Hellenic Authority for Communication Security and Privacy.
Noting that Cyprus has served as an export hub for spyware, MEPs say it should repeal all export licences not aligned with EU legislation. Spanish authorities should ensure “full, fair and effective” investigations, especially into the 47 cases where it is unclear who authorised the deployment of spyware. The Spanish authorities should also ensure that targeted people have real legal remedies, say MEPs.
Clear rules to prevent abuse
To stop illicit spyware practices immediately, MEPs argue that spyware should only be used in member states where allegations of spyware abuse have been thoroughly investigated, where national legislation is in line with the recommendations of the Venice Commission and case-law of the EU Court of Justice, and where export control rules have been enforced.
They want EU rules on the use of spyware by law enforcement, which should only be authorised in exceptional cases for a pre-defined purpose and a limited time. MEPs argue that data falling under lawyer-client privilege or belonging to politicians, doctors or the media should be shielded from surveillance, unless there is evidence of criminal activity. They also propose mandatory notifications for targeted people and for non-targeted people whose data were accessed as part of someone else’s surveillance, independent oversight after the surveillance has taken place, and a common legal definition of the use of national security as grounds for surveillance.
EU Tech Lab and a boost to vulnerability research
To help uncover illicit surveillance, MEPs propose the creation of an EU Tech Lab, an independent research institute with powers to investigate surveillance and provide technological support including device screening and forensic research.
Foreign policy dimension
MEPs see “strong indications” that the governments of Morocco and Rwanda have spied on high-profile EU citizens, including heads of state. Overall, they demand an in-depth review of spyware export licences, stronger enforcement of the EU’s export control rules, a joint EU-US spyware strategy, talks with Israel and other third countries on spyware marketing and exportation rules, and ensuring EU development aid is not spent on the acquisition and use of spyware.
After the vote, Committee Chair Jeroen Lenaers (EPP, NL) said: “Spyware can be an effective tool in fighting crime, but when used wrongly by governments, it is a huge risk to the rule of law and fundamental rights. Instead of banning spyware, we should make sure that EU member states fulfil certain requirements, like effective judicial authorisation and independent oversight, and spyware use must be proportional and respect EU law. It is now up to the other EU institutions to take the work further, and we will continue to scrutinise the implementation of our recommendations.”
Rapporteur Sophie In ‘t Veld (Renew, NL) added: “Democracy is about accountability. Spyware is part of the toolkit of authoritarians who undermine democracies, and it is being used against the custodians of our democracy here, in Europe, on our doorstep. I expect the Commission and Council to report back to us, before the summer break, how they intend to follow up on each of the recommendations. We will make sure that they are implemented; this is where the work starts.”
On Wednesday 14 June, Mr Lenaers and Ms In ‘t Veld briefed media on the main points of the recommendation.