The European Parliament in March last year had set up an inquiry committee to analyse the use of NSO software Pegasus and other spyware in the EU after an investigation in 2021 had revealed thousands of potential surveillance targets, including politicians, journalists and activists.
“The illicit use of spyware is not only an attack on individual freedoms and privacy, but also an attack on our European values, democracy and the rule of law,” Luxembourg MEP and European Parliament vice-president Marc Angel (LSAP/S&D) told Delano. “That’s why it is crucial to come up with a European answer.”
In a sweeping set of recommendations, the so-called Pega committee called for bloc-wide rules on the use of spyware by law enforcement and a common legal definition of the use of national security as grounds for surveillance.
National security, said Angel, “is currently invoked all too often to justify the deployment and use of spyware to justify abuses.”
A majority of 411 MEPs supported the recommendations during a vote on Thursday. This included Angel as well as fellow Luxembourg MEPs Christophe Hansen and Isabel Wiseler-Lima (both CSV/EPP), Charles Goerens (DP/Renew) and Tilly Metz (déi Gréng/The Greens-EFA). Monica Semedo (DP/Renew) was missing from the roll call.
The ball is now in the court of the European Commission and the council, which brings together member state governments.
The Pega committee in its report had said the commission and council had failed to “fully cooperate with the inquiry” and seemed disinterested in “efforts to fully investigate spyware abuses.”
Rule of law at risk
Nothing less than the rule of law is at stake, said . “The limits must be clear,” she said of the use of surveillance technology. “They must be used to protect the population, to protect our democracy and not to go against the people. If we look at how they were used in Hungary and Poland, the rule of law is endangered.”
The European Parliament urged Hungary and Poland to launch credible investigations into abuse cases and ensure citizens have access to legal redress. Across the EU, MEPs said independent and judicial authorisation before using spyware and judicial review after its use should be in place.
“Every country must have a legal framework,” Wiseler-Lima said. “There should be a moratorium on the use of those types of spyware in question in EU countries that do not respect specific, strict conditions,” said Angel.
The recommendations adopted by the parliament on 15 June also advocated a joint EU-US spyware strategy, “including a joint whitelist and/or blacklist of spyware vendors whose tools have been abused or are at risk of being abused to maliciously target government officials, journalists and civil society.”
The US in November 2021 blacklisted Israeli spyware firm NSO, saying it had acted “contrary to the foreign policy and national security interests of the US.”
The Pega committee in its report had labelled Luxembourg an “important business hub” for NSO. None of the firm’s nine entities based in Luxembourg is authorised to export cybersurveillance products but they perform important back-office activities, including handling invoices, contracts and payments.
For example, Hungary’s ministry of the interior bought the Pegasus spyware for €6m via an NSO company in Luxembourg, the committee’s investigation said.
“Luxembourg must strive to avoid playing any role in enabling the illicit use of spyware,” said Angel. “It must not tolerate that companies operating from or via Luxembourg contribute to human rights violations.”
Foreign minister Jean Asselborn in the wake of the Pegasus Files publication had written a letter to NSO, saying the country would under no circumstances tolerate export operations from Luxembourg that violate human rights in other countries.
The minister had previously said his hands are otherwise tied.
“Luxembourg applies all the obligations in terms of export control to the letter,” said Wiseler-Lima (CSV/EPP). “Luxembourg in and of itself is not at fault.”
NSO itself has repeatedly denied any wrongdoing, saying it sells its software only to vetted clients with the aim of fighting crime and terrorism. “NSO is a technology company. We do not operate the system,” it said in a statement, adding that it would investigate “credible proof of misuse of its technologies” and shut down systems where necessary.
Human rights due diligence
“The state lacks the tools to protect people affected by economic activities,” human rights group ASTM said. “This powerlessness is particularly tangible when it comes to taking action in concrete cases of alleged or established human rights violations.”
ASTM with the support of the Pirate Party and déi Lénk in parliament to introduce mandatory due diligence obligations for companies.
Under the proposal, NSO’s entities in Luxembourg would fall into a high-risk category. The firm would be “obliged to conduct human rights due diligence within all of its activities, commercial and financial, downstream and upstream, and it could be held liable for any eventual human rights violations, which occur in the context of these activities,” ASTM said.
The European Commission last year adopted a due diligence directive, but it is limited to larger corporations and therefore would apply to merely 0.2% of businesses in the EU. The European Coalition for Corporate Justice (ECCJ) had described the directive as “wilfully ignor[ing] many harmful business operations.”
The example of NSO, Angel said, shows “that we need ambitious legislation on corporate sustainability due diligence.” The parliament is due for talks with the council on the text, with the ASTM urging Luxembourg to “take an ambitious stand.”