Written by Andrés García with Clemens Weichert.
Investigative journalists recently brought to light extensive spying operations in Europe that used the powerful Pegasus spyware. European Union governments and the European institutions set up their own investigations and have been seeking ways to improve data protection in the EU. On 2 March 2023 the European Parliament’s Panel for the Future of Science and Technology (STOA) brought together experts on cybersecurity and data protection during a workshop entitled ‘Pegasus affair: the end of privacy and cybersecurity?’.
STOA Vice-Chair Ivo Hristov (S&D; Bulgaria) set the scene by describing the new technologies that make it possible for private and state actors to monitor private communications. These technologies endanger individual rights and challenge democracy by infringing on citizens’ privacy in a way they cannot defend themselves against as individuals. The EU has therefore undertaken to regulate and restrict the use of spyware.
Moderating the workshop, Fanny Hidvegi (Europe Policy and Advocacy Director at Accessnow) highlighted that members of marginalised communities fall disproportionately victim to spyware attacks, meaning that those affected often belong to the most vulnerable groups in society. Although Pegasus is not unique, it constitutes an egregious example of commercially available spyware that can be used both against institutions and private individuals, even granting retroactive access to data stored on a phone. It poses an unprecedented threat to the General Data Protection Regulation (GDPR). She then introduced the workshop discussion panels: the first on threats and challenges posed by software like Pegasus, and the second on the future of spyware legislation.
On the first panel, Professor Bart Preneel presented the technological aspects of the case and its effects on international politics. To protect citizens’ digital privacy, the EU will need strong supervision of its digital sector, as well as considerable investment to keep pace with developments in the United States and China. Civil rights activist Chloé Berthélémy (European Digital Rights, EDRi) then took the floor to advocate EU use of its market power to ban this ‘market of vulnerability’. This would set an important precedent on the international stage.
Fanny Hidvegi introduced the second panel with a reminder that reform of the E-Privacy Directive has long been blocked by disagreements between EU governments about the extent of national security exemptions. This, she argued, is a political rather than legal issue. European Data Protection Supervisor Wojciech Wiewiórowski took the floor to push for a European solution, within the framework of the Treaties. He pointed out that the exceptions currently in place allow EU Member States to justify extensive spying operations by invoking national security. In the future, these exceptions should be revised, if European legislation is to have an impact on EU countries’ operations in the digital field. The rule of law is key in this debate, the Supervisor argued, since European legislation is worthless if Member States’ secret services do not follow their own laws.
Olivier Micol, Head of Unit for Data Protection at the European Commission, pointed out that, even though spyware can be bought and sold privately, using it for illegal purposes is already punishable. Not only private companies, but also ‘if you work for law enforcement, for criminal purposes, the EU law applies; and with EU law you have all the checks and balances, the oversight up to the European Court of Justice’. In a similar vein, Member States cannot simply claim to act in the interest of national security in their spying operations; they have to prove it to profit from legal exceptions.
Opinions differed on the topic of a general ban on spyware. On the one hand, spyware constitutes a severe interference with people’s rights and freedoms; on the other hand, if banned in Europe, it may be bought and sold on the black market and to foreign governments. Some speakers advocated tighter regulation of both the scope and capabilities of spyware, as well as its use, with Mr Wiewiórowski highlighting the need for certain spying operations to counter Russian cyberattacks.
The open discussion touched on topics such as the outsized influence that a few large corporations have in the sector, and the dangers and possibilities of cloud storage services. Mr Wiewiórowski took the opportunity to launch a plea for European citizens not to normalise spying and not to get used to being spied upon, but rather to see it as the infringement on individual rights it is.
With the work of the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA) coming to an end, these conclusions will inform future European Parliament debate. This STOA workshop, and the work of the PEGA committee, aim to take further steps towards protecting EU citizens’ privacy.