The European parliamentary committee of inquiry to investigate alleged breaches of EU law in the use of Pegasus and other surveillance software by EU member states continues amid new disclosures of breaches of EU law.
The spyware scandal in Greece has resulted in a political crisis threatening Prime Minister Kyriakos Mitsotakis who was forced to accept the resignation of two senior officials involved in the scandal. He admitted that the country’s intelligence agency had been spying on Thanasis Koukakis, a financial journalist. Greek opposition politician leader and MEP Nikos Androulakis has also been targeted by spyware.
When the Prime Minister spoke on live broadcast earlier in August, his statements caused more tension. He claimed that the intelligence agency had acted legally but that it had not realized the political consequences. He went on saying there will be a revamp of the agency. In the meantime, there will be an investigation.
The fact that the agency reports directly to the Prime Minister raised questions as to whether he had been using his control of the agency for his own and his party's advantage. In the absence, of a supervising body, the agency seemed to have been free to do as it liked.
In Greece, more than 15,000 persons have reportedly been targeted by the spyware Predator on grounds of national security but the government denies any involvement and Greece’s National Intelligence Agency even denies that it has purchased the spyware.
The committee of inquiry held a hearing on Tuesday to discuss remedies for victims of illegal surveillance by spyware.
As previously reported, the European Parliament decided to establish the 38-member committee after an overwhelming majority voted in favour of it. According to its mandate, it will look into existing national laws regulating surveillance, and whether spyware was used for political purposes against, for example, journalists, politicians and lawyers.
Cooperation with the Commission
The European Commission welcomed the establishment of the Inquiry Committee and asserts that it is cooperating closely with it. Justice Commissioner Reynders has already participated in a hearing organised by the Committee on 30 May.
“We have also received a set of questions from the Committee, some of which we have already replied to, others we are still working on,” a source in the Commission told The Brussels Times.
The Commission has also sent letters to Greece, Hungary, Poland, and Spain, the four EU member states most compromised by the alleged misuse of spyware, asking for clarifications. Until now, it has received replies from all of them besides Spain. Asked by The Brussels Times about the content of the letters, a spokesperson replied that the Commission is not in the habit of disclosing its correspondence.
National security is a member states competency and is up to the member states to investigate the potential misuse of spyware, according to the Commission. That said, it could become an issue for the Commission if member states have violated data protections rules or rulings by the European Court of Justice.
However, the Committee is critical against the Commission for its cooperation until now. According to Belgian MEP Saskia Bricmont (Greens/EFA), who has been nominated as coordinator in the committee on behalf of her group, the Commission is not doing enough to clarify the misuse of spyware in the EU.
“The Commission is not very proactive and delaying responses to the Committee,” she told The Brussels Times. “It has agreed to share information but we have always to remind them to do it.”
Issues at stake
Following a recent visit by the Committee to Israel, it received new information about the sales of Pegasus by the NGO Group to EU member states. The meetings with Israeli authorities were more limited and did not result in any new information. According to Bricmont, Israel is not using the same safeguards on export licenses as in the EU but also EU needs to tighten its regulatory framework.
Media reported that the NSO Group has active contracts with 12 EU member states and is now working with 22 security and enforcement organizations in the EU. NSO claims that it has cancelled cooperation with Hungary and Poland.
“The fact that 14 member states had acquired NSO’s spyware shows that there clearly is a European component in our inquiry,” Saskia Bricmont said. “It’s being used in almost every member state. The answers from the member states concerned, using national security as argument to avoid responding and transparency, are unacceptable.”
There are also number of European spyware manufacturers. How important are they on the spyware market and does the Committee intend to investigate them?
“It’s an internal market issue but for the time being it won’t be possible for the Committee to include them in its investigation,” she replied. “It would also be outside our mandate.”
She underlined the need to also look into the ‘black market’ of spyware in the EU because it means not only governments and public agencies but also individuals and criminals can access such spyware. While victims of surveillance can complain against a public agency and ask for remedy, how can they complain against a private company if they don’t even know they have been spied on?
The spyware scandal has a cross-border and European security dimension, she explained. “It’s not only about national security but concerns also democracy and the rule of law – more than reason enough for the Commission to take responsibility and act. It needs to use all its powers. The investigations by member states aren’t very deep or proactive.”
She underlined the importance of treating all member states equally, referring to Spain which has not yet replied to the Commission’s letter and which opposes a visit by the Committee. In the Committee itself, there are political differences of opinion about the need to investigate Spain.
Admittedly, the size of the scandal is Spain is much smaller than in for example Greece. Media reported in April on a spyware scandal named Cataloniagate in Catalonia, Spain, where the Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with spyware, the majority of them with Pegasus.
Israel approved export licenses to dictatorships and authoritarian regimes that were likely to misuse the spyware. What about the licenses to democratic EU member states that are expected to use spyware only for lawful purposes?
“It’s a shared responsibility,” Saskia Bricmont replied. “Israel has an obligation to carry out due diligence before approving licenses, including to EU countries, knowing that some of them are subject to on-going rule of law procedures. It could have contacted the Commission for more information and advice about the rule of law procedures.”
The Brussels Times