The first meeting of the parliamentary committee of inquiry to investigate alleged breaches of EU law in the use of Pegasus and other surveillance software by among others Hungary and Poland will take place on Tuesday.
The 38-member committee was established on 10 March after an overwhelming majority voted in favour of it (635 for, 36 against and 20 abstentions). According to its mandate, it will look into existing national laws regulating surveillance, and whether spyware was used for political purposes against, for example, journalists, politicians and lawyers.
In October 2021, the European Parliament awarded the first Daphne Caruana Prize for Journalism to journalists from the Pegasus Project coordinated by the Forbidden Stories Consortium. The winning story disclosed a leak of more than 50,000 phone numbers selected for surveillance by customers of the Israeli cybersurveillance company NSO Group.
The Forbidden Stories Consortium and Amnesty International had access to records of phone numbers selected by its clients in more than 50 countries since 2016. The NSO Group claims that its software is intended for use only by government intelligence and police to fight against organised crime and terrorism and that it is not responsible for any misuse by its clients for other purposes.
According to the Forbidden Stories Consortium, the leaked data showed that journalists, human rights defenders and politicians in among others India, Mexico, Hungary, Morocco and France had been targeted. Reports in Israeli media claimed that the former Israeli government had allowed the export of the sensitive spyware to authoritarian or illiberal regimes for geopolitical reasons.
Belgian MEP Saskia Bricmont (Greens/EFA) told The Brussels Times that the committee will invite journalists from the Pegasus Project already to the first meeting. She has been appointed as coordinator on behalf of her group. The Committee will appoint its chairs and vice-chairs at the meeting.
“We need to understand how the spyware works and will work closely with experts,” she said. “We need to know which governments have violated EU law and fundamental rights by spying on journalists, human rights defenders and political opponents etc for unjustified reasons and unlawfully.”
The committee shall submit its final report within 12 months of the adoption of the decision, i.e. by March 2023, but the time can be extended if needed. There are two dimensions to the investigation. The internal one is about the use or misuse by EU member states of Pegasus and other equivalent spyware. The committee is not only focusing on the spyware from the NSO Group.
The external dimension relates to third countries and whether their use of spyware had an impact on fundamental rights ensured under EU law. The committee will also look into the role of the government of Israel and of other third countries in supplying Pegasus and equivalent surveillance spyware to member states.
The mandate is already given but the committee can decide to add to it by political agreement among the party groups. The task to investigate the misuse of spyware is comprehensive but the committee’s legal power is limited. It cannot summon someone to be questioned at a hearing. Its work will also depend on the cooperation of the EU member states and the European Commission.
Saskia Bricmont counts on the Parliament’s political power. “We intend to reach out to the public opinion and raise awareness about this highly sensitive issue. Transparency is key.”
The committee starts its work against the backdrop of last week’s article by Reuters claiming that Justice Commissioner Didier Reynders and four other officials at the European Commission have been targeted by spyware from the NSO Group. The article referred among others to a warning from Apple to Iphone-users and an internal email in the Commission last November.
Is the committee aware of whether staff at the European Parliament also received the warning?
“This affair came as a surprise to me,” Saskia Bricmont replied. It’s a huge scandal which shows that the situation has run out of control. It seems that the Commission has been aware of it since November but refuses to disclose anything about its own internal investigation.”
The Committee expects to work closely with the Commission, she added. She questions the silence of the member states and fears that more disclosures will follow. According to Reuters, it is still unknown who targeted Reynders’ phone or whether the attack had been successful.
Both Hungary and Poland are subject to legal actions by the Commission over rule of law issues and risk to lose EU funding. Media have reported that they have used the spyware against journalists and political opponents. What is your opinion?
“We don’t know yet if Hungary and Poland or other member states are implicated in spying on the Commission,” she replied.
Should spyware like Pegasus be totally forbidden in EU or should the EU tighten the rules for buying spyware for legitimate reasons and using it only after a court decision?
“Considering the size of the scandal, we cannot allow us to be weak,” she replied. “We need urgently to decide on a moratorium before the situation is spiralling totally out of control.” Infringement procedures against member states that violated EU law should be launched, she added.
For the future, she prefers a ban on the use of spyware. The spyware is intended to be used in the fight against terrorism but anyone can be accused of terrorism and governments have used it against their opponents and journalists in violation of their fundamental rights.
Israel does not seem worried about the investigation. Asked if Israel intends to tighten up its rules on export of sensitive equipment and spyware, a spokesperson of its ministry of foreign affairs replied that Israel grants licenses for the sale of cyber products to governments alone and for the purposes of preventing and investigating serious crime and the fight against terrorism.
“The license is subject to a declaration of end-user use. Any question regarding the use of these products that is inconsistent with the legitimate purposes for which the permit was granted should be directed towards the user.”
The Brussels Times