Although the European Union has passed sweeping laws to protect human rights and personal privacy, it lacks powers over national security. Europe’s spy agencies use this gap to conduct massive wiretapping with little legal oversight. A single Greek prosecutor approved 15,475 phone hacks in 2021, about 16 a day, according to the country’s Authority for Communication Security and Privacy.

State-run surveillance practices and access to data by law enforcement and intelligence agencies represent a much-discussed thorn in transatlantic relations. The European Court of Justice has twice ruled that agreements allowing data to cross the Atlantic Ocean are illegal because of fears that the US could unlawfully access, misuse, and snoop on EU citizens’ data. However, judges tend to avoid the issue of European intelligence gathering, ruling that they have no jurisdiction. To US policymakers, the double standard smacks of hypocrisy since US intelligence seems to face more significant Congressional and court oversight than several EU member states do.

Recent scandals have raised the issue’s prominence. Spyware, software that enables the covert monitoring and transfer of data from infected smartphones and computers, has generated an explosion in intrusive intelligence gathering. The European Parliament has launched a committee of inquiry to investigate the use of Israeli-made Pegasus by the governments in Poland, Hungary, Spain, and Greece. On November 8, the parliamentary committee plans to release a report calling for the EU to receive increased power to combat spyware. Dutch MEP Sophie Van in ‘t Veld says the problem is much more extensive than originally suspected.

“This is not about a handful of governments spying on their citizens, it is all over Europe,” she told the Financial Times. “All governments are using this stuff, some governments are abusing it.”

Until now, the EU has only taken strong action against spyware outside of Europe. The bloc bans the sale of cyber-surveillance technologies if they are likely to be used for serious human rights violations. But a European company that is forbidden to sell spyware abroad can sell it to its own government. In short, Chinese citizens may benefit from this EU policy more than EU citizens.

Similarly, the EU Action Plan on Human Rights and Democracy attempts to mitigate “risks for human rights defenders and journalists.” Though a step in the right direction, the plan focuses on EU external action, avoiding addressing human rights violations within Europe.

The bloc is trying to enact cybersecurity and other rules that set limits on snooping. Unfortunately, all the fixes contain dangerous loopholes.

Start with cybersecurity. The revised Network and Information Security framework (NIS2) creates stringent risk management obligations. It complements the recently proposed Cyber Resilience Act that mandates security-by-design for manufacturers, importers, and distributors of connected devices and services. Yet these regulations will not prevent governments from stockpiling zero-day vulnerabilities – IT security flaws for which no mitigation or patch is available – nor restrain them from exploiting these flaws for surveillance.

Another possible avenue for reform is reinforcing the protection of fundamental rights and freedoms of groups targeted by intelligence agencies. The just-proposed EU Media Freedom Act, intended to strengthen press freedom, would outlaw the use of spyware on journalists and their families. Article 4 prohibits placing “spyware in any device or machine” used by journalists or their families. The EU could consider giving this protection not only to journalists but to all potential illegitimate targets.

And yet, like most EU laws, the Media Freedom Act allows an exception “on grounds of national security.” This exception can be distorted to include almost anything that authorities dislike. In Poland, the ruling party used Pegasus to spy on political opponents. According to Wojciech Klicki, a Polish lawyer and activist, “judges have no tools to realistically check whether the services are abusing their powers.” On September 15, the Polish government refused to attend the European Parliament inquiry on spyware.

Transatlantic discussions could play a crucial role. An EU-US Trade & Technology Council working group focuses on combatting “arbitrary or unlawful surveillance.” But concrete progress has failed to materialize. Another avenue is to leverage law enforcement cooperation frameworks, such as the newly established agreement with Israel, home to Pegasus spyware.

For now, the unhappy conclusion is that EU policymakers will find it hard to take any concrete steps to tackle government surveillance. European MEP Saskia Bricmont, a member of the Parliament inquiry committee, says the Parliament’s role was to “exert political pressure” and “raise public awareness.” The committee will propose expanding the EU’s enforcement powers but acknowledge that opposition from national governments prevents fundamental reform. But as long as Europe fails to take concrete action to rein in surveillance, the continent’s credibility in protecting democracy and human rights remains under threat.

Romain Bosc is a Program Coordinator at the German Marshall Fund. Charles Martinet is a Trainee at the German Marshall Fund in Brussels and an intern at CEPA.