The “Initiative pour un devoir de vigilance” (initiative for compulsory due diligence) issued a public statement on Thursday following claims that 50,000 phone numbers were selected as potential targets of NSO phone hacking spyware.
NSO group, the Israeli firm whose Pegasus spyware is at the heart of the revelations, has nine entities registered in Luxembourg, where the government was under pressure to respond.
Foreign affairs minister Jean Asselborn (LSAP) has since issued a letter to each company, reminding them of their human rights obligations.
Luxembourg law does not currently oblige firms to practice due diligence with regard to human rights and the environment, with the exception of some sector-specific obligations related to timber trade and conflict minerals. Corporate law includes reporting obligations which have a limited scope of applicability.
“We must ask ourselves if sending a letter from the MAEE [foreign affairs ministry] is the only means available to the Luxembourg government? Indeed, legislative means should finally be provided to remedy this lack of possible actions,” the due diligence initiative wrote.
The campaign group praised the minister for responding but concluded he had limited powers to respond to economic activities. The only solution for them is a national law on due diligence, which would “require companies to conduct a risk analysis of potential human rights violations.”
A report issued in April 2021, recommended that Luxembourg start outlining legislation to impose a human rights duty of care on companies domiciled in the country. Meanwhile, discussions are underway to impose a due diligence directive at EU level, which the current coalition government agreed to support.