MEPs see “strong indications” that the governments of Morocco and Rwanda have spied on high-profile EU citizens

Based on a year-long investigation into the use of Pegasus and equivalent surveillance spyware, MEPs argue that the illicit use of spyware has put “democracy itself at stake” and call for credible investigations, legislative changes and better enforcement of existing rules to tackle abuse. The resolution was adopted with 411 votes in favour, 97 against, and 37 abstentions.

Recommendations to Hungary, Poland, Greece, Cyprus and Spain

MEPs call on Hungary and Poland to comply with European Court of Human Rights judgements and restore judicial independence and oversight bodies. The two countries should also ensure independent and specific judicial authorisation before deploying spyware, launch credible investigations into abuse cases, and guarantee that citizens have access to meaningful legal remedies.

Parliament asks the Greek government to “urgently restore and strengthen the institutional and legal safeguards”, repeal export licences that are not in line with EU export control legislation, and respect the independence of the Hellenic Authority for Communication Security and Privacy.

Noting that Cyprus has served as an export hub for spyware, MEPs say it should repeal all export licences not aligned with EU legislation. Spanish authorities should ensure “full, fair and effective” investigations, especially into the 47 cases where it is unclear who authorised the deployment of spyware. The Spanish authorities should also ensure that targeted people have real legal remedies, say MEPs.

Clear rules to prevent abuse

To stop illicit spyware practices immediately, MEPs argue that spyware should only be used in member states where allegations of spyware abuse have been thoroughly investigated, where national legislation is in line with the recommendations of the Venice Commission and case-law of the EU Court of Justice, and where export control rules have been enforced.

They want EU rules on the use of spyware by law enforcement, which should only be authorised in exceptional cases for a pre-defined purpose and a limited time. MEPs argue that data falling under lawyer-client privilege or belonging to politicians, doctors or the media should be shielded from surveillance, unless there is evidence of criminal activity. They also propose mandatory notifications for targeted people and for non-targeted people whose data were accessed as part of someone else’s surveillance, independent oversight after it has happened, and a common legal definition of the use of national security as grounds for surveillance.

Spyware inquiry: MEPs finish visit to Madrid

EU Tech Lab and a boost to vulnerability research

To help uncover illicit surveillance, MEPs propose the creation of an EU Tech Lab, an independent research institute with powers to investigate surveillance and provide technological support including device screening and forensic research.

Foreign policy dimension

MEPs see “strong indications” that the governments of Morocco and Rwanda have spied on high-profile EU citizens, including heads of state. Overall, they demand an in-depth review of spyware export licences, stronger enforcement of the EU’s export control rules, a joint EU-US spyware strategy, talks with Israel and other third countries on spyware marketing and exportation rules, and ensuring EU development aid is not spent on the acquisition and use of spyware.

More information: European Parliament