Brussels may be ramping up its rhetoric against intrusive spyware, but EU governments don’t seem to have gotten the memo.
At the European Parliament’s plenary in Strasbourg on Tuesday, MEPs from across the political spectrum roundly condemned mounting evidence that the so-called Pegasus software, developed by the NSO Group, has been used to spy on politicians, journalists and activists in the 27-member bloc. Journalists revealed last July that the software was likely being used by governments across the world to keep tabs on opponents.
“We cannot overemphasize the severity of this scandal,” said Jeroen Lenaers, whose center-right European People’s Party has backed calls by the Parliament’s liberals to set up an inquiry to look into Pegasus.
Grandstanding by European lawmakers is commonplace. But their fervor is now spreading to other EU institutions: The European Data Protection Supervisor on Tuesday called for a ban on Pegasus.
NSO Group, meanwhile, has denied any wrongdoing, and said at the time of the initial revelations that it would “thoroughly investigate any misuse of its technology.”
In remarks to MEPs on Tuesday, the EU’s justice chief Didier Reynders called on EU member countries to implement rules to safeguard people from such spying. He noted that blanket approval for surveillance on national security grounds, an area which is fiercely guarded by national capitals, would not wash with Brussels.
“A measure being presented as being linked to national security does not mean that anything goes,” the Belgian commissioner said.
Reynders’ comments could be read as a warning to watchdogs in Hungary and Poland, which are investigating the alleged use of Pegasus spyware against government opponents. Though it confirmed that Pegasus had indeed been used in Hungary, the country’s data protection watchdog approved the government’s use of the software on national security grounds.
But privacy advocates in the country have cried foul, arguing that the national security legislation in question itself falls foul of European standards. The Hungarian Civil Liberties Union in January followed up by filing legal action before authorities in Hungary, the European Commission and Israel, which is charged with exporting the technology.
Over in Poland, the spyware scandal is proving a political headache for the governing Law and Justice party, which has been accused of using Pegasus to hack opposition politicians’ phones. The government, which is scrambling to block further parliamentary scrutiny into the matter, admits having the tech, but denies having used it in the run-up to the 2019 national elections.
In response to fears over the independence of government watchdogs in these two countries, which are both locked in a rule-of-law battle with Brussels, Reynders said the Commission “would not hesitate” to launch disciplinary measures if there was a hint of conflict-of-interest issues.
Over in Western Europe, governments are also holding their breath.
Though none have been implicated in the scandal as directly as their counterparts in Warsaw and Budapest, there have been close shaves. Luxembourgish Prime Minister Xavier Bettel in October let slip that his government had bought the software, which allows those who deploy it to effectively turn targets’ phones into listening devices. He later clarified that the government had bought the tech for national security reasons, distancing the country from reports of its use on journalists and activists.
France too, had reportedly been in talks to buy the software, though President Emmanuel Macron’s government denied the claims. On Tuesday, Macron’s man in Brussels, European Affairs Minister Clément Beaune, sought to put daylight between his government and Warsaw and Budapest.
“The use of surveillance software can only be the exception. This kind of surveillance constitutes such a severe intrusion into private life that it can only be used under the strictest conditions,” Beaune said.
But though officials like Beaune talk a good game in public, behind the scenes there’s a full-court press from EU governments — not just Poland and Hungary — as well as some corners of the Commission to hand national agencies greater access to citizens’ private data.
Documents obtained by POLITICO reveal that the French government continues to pressure its judiciary to green-light mass surveillance practices that have been ruled illegal by the EU’s top court.
In Brussels, the EU’s home affairs commissioner, Ylva Johansson, is spearheading talks to revive an EU-wide scheme to legalize these practices, where national agencies are given bulk access to personal data held by private companies, even though the bloc’s top court has time and again found that such schemes violate privacy rights.
Johansson’s enthusiastic backing of law enforcers contrasts with her Berlaymont colleague Reynders’ caution against state overreach on snooping, highlighting divisions within the EU executive.
There’s also broad support among EU countries for a framework to facilitate access to encrypted messages, with the Commission committed to find “a way forward” on the topic later this year, while negotiators in Brussels recently voted to roll back restrictions on what law enforcement agency Europol can do with people’s data.
“This situation reminds me of the film ‘The Lives of Others,’ which describes how a government critic is around the clock being spied upon by a government agent. And we all found it a very chilling image. But the point is it’s not a movie. This has been a reality for millions of Europeans for many decades,” Sophie in ‘t Veld, an MEP with centrist Renew Europe group, said Tuesday.