Ángel Vallejo refers to the UN Commissioner for Human Rights, who produced a report in October with three important points: The abuse of spying software by state authorities, encryption as a potential legal right and the abuse of surveillance in public spaces.
Pegasus is a new kind of threat, turning mobile phones into a 24-hour surveillance device that victims don’t even have to activate. The revolutionary thing about it is the zero-click attacks, which give authorities unlimited possibilities to snoop on people, all the data that goes in and out of a mobile phone. When the similar technique by the Italian company Hacking Team became known in 2014, not all content was affected, and the malware was also easier to detect then than Pegasus is today. This shows that the speed of development is increasing. This creates serious difficulties in fixing the problems that arise.
Vallejo points to the lack of EU intervention ex ante and ex post, since matters of "national security" are left to member states under Article 4(2) of the TFEU. It is therefore difficult to enforce appropriate legislation to contain spyware across the EU. While there are similarities in regulation across member states, their approach is not always identical. In Spain, for example, one has to prove that there is a real need for the measure and that it is exceptional, extraordinary and proportionate. Every such intervention must always be approved by the courts, is then valid for 3 months and can be extended. It needs to be considered whether tools like Pegasus can be provided with such controls at all.
In Europe, according to Vallejo, there is indeed export control of dual-use goods, and cyber-surveillance products are also subject to it. But there is no such legislation for imports. So third countries are protected, but Europe is not. The European Data Protection Supervisor (EDPS) has also outlined this in its report.
There is a controversy between security and freedom, says Vallejo. We are recklessly giving away our communications secrecy to the big tech companies.
The authorities' alibi for using spyware is that they are fighting crime. The UN report says that while this is true, human rights activists and journalists are also being spied on. Vallejo sees a contradiction between the EDPS and the Commission on the need for action. The EU data protection commissioner should not interfere because it is a matter of national security, as stipulated in the treaties. The EDPS, however, demands a complete ban on mercenary spyware.
When asked, Vallejo says that election processes in Spain have also been influenced by spyware. But there have been no convictions yet. In criminal proceedings, the source and the order must be presented; if this has not been validated, then in 90% of cases it is rejected as prohibited evidence. Proportionality is also considered in this review. There are exceptions for surveillance without a court order in the case of serious offences, imminent danger, danger to life; but this must be properly justified. Afterwards, however, it must be approved by the investigating judge, otherwise the information may not be used in the proceedings. In the case of political motivation, however, this is not allowed, completely excluded by law.
From a purely technical point of view, there are also indirect victims in the use of spyware, for whom EU data protection and the protection of privacy must also apply; there is no difference between this and the directly affected persons.
National security, as described, is the exclusive competence of the Member States; it would be complicated to change this principle, but that is not necessary in order to solve this problem. European standards are sufficient to stop the use of mercenary spyware, according to the EU Data Protection Supervisor, Vallejo said. Introducing new legislation will lead to additional procedural difficulties. So a ban would be the most extreme option; a moratorium might be the better possibility. This software and its use violate the principles of proportionality and necessity. Wanting to use them exclusively in the right way is "wishful thinking", because they hold power that cannot be stopped.
If there is no containment here, there is no trust in democracy. This would also have an impact on the freedom of the press, which would be another problem.
Jesper Lund looks at the existing e-Privacy framework and describes how it can provide protection against spyware. The e-Privacy Directive is to be replaced by a Regulation. It is aimed at communication service providers to protect their users.
National laws impose obligations on public authorities to comply with Article 15(1) of the 2002 Directive on privacy and electronic communications, such as data retention. There are also disclosure obligations for operators; the ECJ said in 2021 that if Member States have provided for exceptions, this is not covered by the Directive.
The e-Privacy Directive and rulings also apply to national intelligence services, according to Lund. With Pegasus, a device is hacked, either directly by state authorities or via private providers. However, Article 5(3) protects user devices against such intrusion, for example for data retention; instead, user consent is needed. In his view, Article 5(3) also covers spyware as a kind of exception, because the protection of the devices is also affected. National legislation on this would therefore fall under the e-Privacy Directive, as would data protection regulations. However, the ECJ still has to rule on whether the conditions apply as described.
The use of spyware could also be regulated in other legal acts, such as the upcoming e-Privacy Regulation. There is a proposal for a media freedom act; in its Article 4, spying software is to be regulated. However, according to the proposal, there should be exceptions that are broadly defined. Parliament could demand a change here and extend the envisaged law to all citizens of the Union. The protection of fundamental rights must be guaranteed for all.
With its new regulation, Europol will be allowed to receive and process mass data, which could therefore even include data from the use of spyware; there have already been relevant examples of this.
The way spyware is currently used, all digital content can be accessed, which violates e-privacy and data protection. When asked, Lund explained that the 2002 Data Protection Directive must also be applied to spyware. In addition, the EU Charter of Fundamental Rights is relevant, as is Article 13 of the European Convention on Human Rights. After all, spying software is different from traditional wiretapping, where data subjects have to be notified and are.
There needs to be a moratorium on the use of spying software, says Lund. EDRi has set 11 conditions in its encryption paper for state authorities. It is not possible to intercept only certain communications, which would require a special authority to actually filter them. Only then could spyware actually be used as an emergency measure, the very last exception.
Data protection of electronic devices would also have to apply to state agents, Lund reiterates, and this could also be enshrined in the Data Protection Directive by means of minor amendments. Or with changes in the recitals so that they also apply to states. Things like satellites are already mentioned there.
Another way out would be to regulate the measures in the member states more specifically. Individually, it would be possible to go to the ECtHR; in January, there were proceedings there because people thought they had no legal remedies, but these are lengthy procedures. Otherwise, a generally better protection of our phones could also help, they should already have protection against spying software built in, because the devices could be attacked by states as well as criminals. Governments should not be allowed to exploit vulnerabilities, as we have seen with the NSA in the US, where known vulnerabilities were stolen and used for ransomware.
This is of course a global issue, because the internet is a global arena. Mere EU action would be a waste of effort. It would also require other governments to take action, such as the US and Canada, or even China, which has a huge IT sector.
It also needs a mix at the technical level with responsible disclosure policies and also legal measures against criminal use of spyware. State spyware is used across borders, including in the territory of other countries. This may be permissible within the framework of judicial cooperation, but otherwise it is a violation of sovereignty.
Wojciech Klicki describes the Polish background, which clearly shows the challenges. Existing laws there ignore the rulings of the ECJ. There are EU laws on personal data protection (such as the Law Enforcement Directive), but they are poorly implemented in Poland, if at all. Police services and the anti-corruption bureau CBA, for example, are exempt, but the latter has also purchased Pegasus.
The e-Privacy Directive is also ignored. Moreover, the ECJ says when phone data can be tapped and how it can be stored. In Poland, however, there is no control over this. This is also an issue before the ECtHR, the judgement on which must determine whether Poland really respects such standards.
In the Member States, the secret services and the police need to be monitored more closely; judgments by the ECJ and the ECHR have established that.
An e-privacy regulation is needed instead of a directive, and it must state that the ECJ rulings on the principle of confidentiality must be respected, because this is about the fundamental rights of EU citizens. Individual rights in criminal proceedings must be strengthened, and spying software such as Pegasus must be banned.
The EU must adopt at least minimal standards to protect individual rights. As far as Poland is concerned, he believes this is closely related to respect for the rule of law: there is a need for independent bodies to monitor the situation.
Asked if anyone has been convicted on the basis of evidence obtained through Pegasus in Poland, Klicki explains that this question is asked by all the experts and defence lawyers he knows. He knows of no such case. It is possible that these pieces of evidence or their origin are not even known to the persons concerned and the court. He also does not know whether Pegasus was used to manipulate devices; he only knows of two such cases from India, but this is complicated to prove, and in the cases mentioned it only worked because the metadata for the files was not changed consistently.
Regarding the spying on the opposition Polish MP Brejza, it cannot be proven whether it influenced the election campaign, but it may have.
In every member state there is a tension between the powers of the state services and the rights of the persons concerned. As in Spain, a court actually has to verify whether evidence was really collected legally. In Poland, on the other hand, it would be hard to trace how evidence was collected in the first place.
The Fundamental Rights Agency, which has repeatedly published documents on security measures against spying, as is the case here, could be used.
There needs to be EU-wide standardisation for compliance with ECJ rulings. The EU should have mechanisms to force member states to comply with these minimum standards. This is not happening in Poland. As an example, any handing over of documents to institutions such as this committee here could be prosecuted as espionage, which would then be a serious crime and would allow the use of Pegasus. Actually, anyone can get into such a situation and therefore be charged, Klicki says.
According to Klicki, we are dealing with an arms race and will probably not always be able to keep up when it comes to respecting privacy.
On the independence of the courts in Poland, Klicki says the hands of judges are tied. If there is a piece of evidence, even if it was obtained illegally, it can be used in court. Judicial supervision should therefore not be the exclusive form of supervision. If at any moment one wants to ask whether intelligence services are using such information, it must then be possible to do so through other institutions.
The provisions on "national security" are undoubtedly not within EU competence. However, if we look at the ECJ case law, the EU is not allowed to intervene, but at the same time it imposes obligations on telecommunication companies. And that's where the EU can intervene, at this border between the companies and the services. According to Klicki, the most important problem is the lack of notification, which is why those affected must be given this opportunity. This also has a preventive character for the future use of mercenary spyware.
Ioannis Kouvakas describes that the e-privacy framework is a complement to other data regimes, such as the General Data Protection Regulation (GDPR). It is about obligations for telecom providers. National authorities had more freedom, which rather diminishes data protection. Article 15 of the e-Privacy Directive allows exceptions for public authorities, but these must be tailored. Especially in the case of human rights, there must be necessity and proportionality. Poland and Hungary in particular have pushed for exceptions by referring to the Treaty on the Functioning of the European Union. However, the European Court of Justice (ECJ) has said that the services of the companies fall under the GDPR.
EU law therefore also applies before the data is handed over to the authorities. Couldn’t the Data Protection Directive also apply here? The companies have direct access to the devices, for example via cookies, which would indicate that spyware is also covered. However, courts have not yet dealt with this. But it could also be interpreted in such a way that the spyware interferes with services that have to be provided by the companies according to the directive.
But human rights should take precedence over national law. Privacy International reviewed 21 member states in 2017, none of which complied with ECJ standards in two key rulings.
The European Court of Human Rights has ruled that democracy is destroyed even when it is claimed to protect it, says Kouvakas. Spying software can never be reconciled with human rights. Among his recommendations are that new legislation should provide more guarantees and that national exceptions should be restricted. Data retention must be limited to the shortest possible period. The EU must provide long-term protection for connected devices, which the EU is currently trying to do in the Cyber Resilience Act and the Consumer Protection Regulation.
The PEGA Committee has the possibility to protect the fundamental rights of millions of citizens.
When asked, Kouvakas said that in addition to the Data Protection Directive and the e-Privacy Directive, the Charter of Fundamental Rights, including the principle of proportionality, could also be applicable to spyware. If a law is passed that a provider is to pass on data to other parties, then this would be a circumvention of these legal acts, because they are supposed to guarantee confidentiality. If a service nevertheless instructs a provider, then this falls under it. Article 15 provides for exceptions, but still imposes obligations. The ECJ has already made this clear, for example on data retention.
Governmental hacking with mercenary spyware is extremely intrusive, because all sorts of things are stored on mobile phones today, and attacking them allows huge access. Before safeguard clauses are tackled, it must be checked whether these measures are really proportionate and compatible with the Charter of Fundamental Rights, for example. It is possible to make restrictions to the Charter as long as the heart of these rights is not restricted. But human dignity is an elementary feature of it. It is impossible for spying software like that by NSO to take this into account, because it involves intrusions into the deepest spheres of human beings if there is access to really all the data stored there.
There need to be stronger obligations on companies. People who have hardly any possibilities for legal redress should be especially protected. The problem is that EU laws don't always do any good if member states don't implement them correctly, as with data retention. "National security" is an elastic concept into which governments try to fit all sorts of things.
Achim Klabunde used to work for the EDPS and is now retired; his association DVD is a civil society organisation, non-profit and member-funded. It has been publishing the Data Protection News since 1977.
According to Klabunde, the e-Privacy Directive is not only meant to ensure data protection, it is also the most important secondary instrument for the confidentiality of communications, whether one follows the wording of the ECHR or the Charter of Fundamental Rights, the TEU or the TFEU. The legal framework for electronic communications is also now included in the ePrivacy Directive. There was a proposal for the e-Privacy Regulation already in 2017, but then came big difficulties. The co-legislators want to curtail it, namely in the part for electronic communications, where e-mail and messenger are specifically determined; it is to be allowed to scan them to find child sexual abuse material.
Confidentiality of communications is a fundamental right in its own right, historically much older than data protection. As a reference to this, Klabunde cites the former Thurn und Taxis railway station, a hub when letters were still transported without being opened. This secrecy of correspondence was also the reason for economic success, he says.
It is also possible with spy software like Pegasus to alter messages or content, i.e. create false evidence, so the integrity of devices is very, very important, according to Klabunde.
Klabunde urges MEPs to pass a real e-privacy regulation. They should stop the restrictions they are discussing, whatever the reasons given. Services must be controlled, everywhere. "National security" is also a matter of the rule of law, but no secret service should be able to decide on that.
When asked, Klabunde says that spying software is like a time machine for security services, with an enormous by-catch of confidential information, including that of third persons. In Germany, there is a law that states that under certain circumstances, wiretapping can be done at home; however, the action must be stopped when it comes to personal conversation. There need to be checks and balances for such measures, which is important in a democracy, as well as accountability and redress.
The current EU framework for this is inadequate; there are supposed to be exceptions, also with regard to the security of the devices, when providers are supposed to meet the authorities. There are also liability issues for software and hardware providers with a long tradition of exempting hardware. The number of loopholes is huge, with 21,000 vulnerabilities. It is unclear what the ECJ will do with the interpretation of secondary law regarding the use of spyware.
See the stream of today's hearing here.