It could be a watershed moment. Under current rules, the European Union is prohibited from dealing with national security. No EU-wide regulation of surveillance technologies exists. And governments have used the national security loophole to justify massive surveillance.
At least 14 EU governments have deployed Pegasus spyware against journalists, civil society, politicians, and other citizens. The parliament report, published on November 8, called for an immediate moratorium on the sale, acquisition, transfer, and use of spyware and for the EU to agree on a definition of “national security,” forcing member states to demonstrate that security is compromised when it uses spyware.
“The spyware scandal is not a national scandal,” said Dutch MEP Sophie in ‘t Veld during a press conference announcing the report. “It is very much a European scandal.”
“Many of the recommendations go far beyond the scope of just spyware alone and touch on existing issues in law and security,” says Ben Wagner, professor at the University of Technology Delft.
Of course, national governments could still try to weaken the parliamentary recommendations. European Commissioner Margrethe Vestager has downplayed Pegasus and Commissioner Johannes Hahn says “these issues are the responsibility of each member state.” When the parliament committee sent a mission to Poland, the authorities refused to cooperate.
Parliament itself could retreat. The entire 38-member Pegasus parliamentary committee still must approve a final version of the report, due to be published in the spring. It “will be watered down,” fears Sven Herpig, Director of Cybersecurity Policy at the German think tank Stiftung Neue Verantwortung. “Some committee members will advocate for security and intelligence interests.”
But hopes are rising for reform. Sensational press reports have aroused public opinion against the abuse of spyware. “If we want to reach something here, now is the best time,” Herpig believes. The parliament report “makes it almost impossible for the Commission to look away and not talk about the problem,” adds Chloé Berthélémy, Senior Policy Advisor at the European Digital Rights (EDRi) network.
Parliament is also considering other ideas to curtail surveillance. It is negotiating with governments an ePrivacy Directive, which would protect the confidentiality of communications by requiring service providers to delete or anonymize content and metadata. Arguably, the deployment of spyware constitutes a restriction of this protection.
Another idea is to create a framework, which would oblige governments to produce transparency reports and limit hacking to “serious crimes.” The privacy group EDRi has proposed 11 conditions before allowing government surveillance including a need to “demonstrate strict necessity and proportionality” and “secure independent judicial authorization.” Several of these recommendations were also taken up in the draft parliament report.
“There is this ongoing legal battle to define the limits of European law,” says privacy advocate Berthélémy. “Some member states would like it to be clear cut, but the data retention jurisprudence proved that this can be shifted.”
If she is right, the EU could soon see its powers expanded into uncharted territories.
Laura Kabelka is a freelance journalist and works at the EU think tank Jacques Delors Centre in Berlin.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.