Pegasus investigation: EP report discloses biggest spyware scandal in Europe

Demonstration in Brussels in connection with the independence referendum in 2017 in Catalonia. The persons targeted by spyware in 'Catalangate' were active in the movement for independence. Credit: Belga / Hatim Kaghat

The European Parliamentary committee of inquiry to investigate the use of Pegasus and other surveillance software (PEGA) in EU Member States published a draft report on Tuesday, detailing the findings country by country on the use and extent of political surveillance in the EU.

As previously reported, the European Parliament decided to establish the 38-member committee after an overwhelming majority voted in favour of it in March this year. According to its mandate, it would look into existing national laws regulating surveillance, and whether spyware was used for political purposes against, for example, journalists, politicians and lawyers.

The draft report has not yet been adopted by the committee and will be amended with recommendations and voted on next year. According to the report, the findings at this stage of the inquiry are shocking and should alarm every European citizen.

The report covers in detail the illegitimate use of spyware in Poland, Hungary, Greece and Spain, with descriptions of their purchase of Pegasus or other spyware, the legal framework, scrutiny, redress, political control and the victims who were targeted. Cyprus, as an important European export hub for the surveillance industry, is also included. The report also describes the spyware industry in Europe.

The first meeting of the committee took place in mid-April. Since then it has held hearings, collected information from the member states, and carried out missions to those of them that were most implicated in using spyware for surveillance of their citizens.

However, according to the report, EU Member State governments have largely declined the invitation to cooperate with the committee. Some governments have downright refused to cooperate; others did not share meaningful information.

The committee is also dissatisfied with the response of the European Commission, which was also targeted by spyware. The Commission has so far limited itself to writing letters requesting clarification from the governments of Poland, Hungary, Spain and Greece. “However, it would seem that this timid admonition by the Commission will not be followed by further action”.

Hearing on 'Catalangate' in the European Parliament, 29 November 2022. Credit: Twitter

In contrast, with the exception of the European Parliament, the other EU institutions have remained largely silent and passive, claiming it is an exclusively national matter, the report says.

The use of spyware by EU Member States, under the pretence of national security, is a highly political issue, and has now also become politicised in the committee itself. As regards Spain, the mission took place in the form of an alternative fact-finding mission, as Spain is the only country where the authorities have refused to host the committee.


In Spain, the spyware scandal has been labelled ‘Catalangate’ as the 65 people who were targeted or infected there with spyware were from Catalonia and included lawyers, civil rights activists, and even elected members of the European Parliament. What they have in common is that they were involved in the campaign for the referendum in Catalonia on independence.

On Tuesday, a hearing was also held in the European Parliament on the fact-finding report on Spain, drafted by German MEP Cornelia Ernst (The Left), with testimonies by some of the victims. The Spanish authorities have admitted that they spied on 18 of the 65 people who were targeted but have, until now, refused to explain why they were targeted or to provide any court warrant.

“It was difficult to organize a meeting with the Spanish authorities and to speak with victims,” she said at the hearing.

“With 65 known Pegasus victims, Catalangate is the largest spyware scandal in Europe. During an independent mission to Spain, I heard allegations of serious and widespread political persecution - as well as indications that victims were also targeted in Germany and Switzerland, without the consent of these governments.”

Lack of judicial framework

Belgian MEP Saskia Bricmont (Greens/EFA), who has been nominated as Coordinator in the Committee and chaired the hearing, highlighted the absence of any judicial follow-up, lack of victim support and lack of legal framework on the use of spyware in Spain.

The size of the scandal in Catalangate is much smaller than in, for example, Greece, where more than 15,000 persons have reportedly been targeted by the spyware Predator on grounds of national security. In Spain, illegal surveillance carried out via ‘mercenary spyware’ against peaceful members of a movement for independence, combined with the lack of effective judicial redress, is causing concerns over democratic backsliding.

None of the targeted persons at the hearing had been prosecuted for any crime or knew why they had been targeted. The only explanation they could imagine was that the authorities wanted to have access to information about their political and legal activities. Now the victims demand justice and compensation for the violation of their privacy.

Silencing opposition and critics

In the concluding 'explanatory statement', the draft report confirms their feelings of helplessness as the surveillance left "individual victims completely exposed and defenceless against an all-powerful government."

Furthermore, the abuse of spyware violates more than just the right to privacy of individuals, the report says. “It undermines democracy and democratic institutions by stealth. It silences opposition and critics, eliminates scrutiny and has a chilling effect on free press and civil society. It further serves to manipulate elections.”

Although it is not officially confirmed, the draft report states that it can be safely assumed that all EU member states have purchased one or more commercial spyware products. One company alone, the Israeli NSO Group, sold its products to 22 end-users in 14 member states, among which are Poland, Hungary, Spain, the Netherlands and Belgium.

The Pegasus spyware needs an export license. Since the Pegasus scandal was disclosed last year, the Israeli rules appear to have been tightened and the list of eligible countries has been reduced from 102 to 37, among them all EU member states. According to the report, NSO Group companies can also obtain their export licenses in Bulgaria and Cyprus.

The spyware was intended to be used by law enforcement agencies in certain contexts, such as battling terrorism and organised crime, but in private hands it was sold to authoritarian and democratic countries alike and was misused for political reasons by EU member states.

M. Apelblat

The Brussels Times
