Panel 2:
Ot van Daalen points out that existing device protection measures do not work against spyware because there are vulnerabilities. Therefore, these vulnerabilities need to be found, shared and disclosed. The NIS 2 directive and the future Cyber Resilience Act are relevant here. Regulatorily, of course, it would also be possible to simply not look for vulnerabilities and then assume there are none. Under the Cybercrime Directive or the Copyright Directive, people who research vulnerabilities may even be liable to prosecution – or sell the findings for many millions of euros. But this research is actually useful.
The question is whether EU governments need to change these circumstances, which he says they do. In 2008, there was a case in Finland where medical data was accessed without authorisation. Such attacks must be prevented. Nevertheless, the balance of interests between confidentiality and crime prevention can be maintained. However, knowledge of vulnerabilities could improve security.
There is a right to science, the EU must affirm that the search for vulnerabilities is not punishable by criminal or civil law. There needs to be an obligation to publish vulnerabilities so that they cannot be sold to brokers. Before disclosure, the affected party must have the opportunity to repair it. Are states allowed to keep vulnerabilities for themselves to exploit? In Germany, the Constitutional Court ruled that they must be disclosed.
Information security is currently at risk. All measures must be based on the Charter of Fundamental Rights.
When asked, van Daalen explains that he does not want to ban the sale of vulnerabilities, but an obligation to disclose them. There is also support for this in the case law on freedom of expression. The most difficult aspect of his recommendations is how to deal with „national security“. He is cautious about this; if you look at the case law of the European Convention on Human Rights and the Charter of Fundamental Rights, there is room to keep vulnerabilities secret, for a certain period of time and in a very limited way. But this has to be based on a concrete legal framework. This is an important conclusion, because vulnerabilities affect everyone, not just the system under attack.
Two points are not working well at the moment: researchers are facing serious consequences because of the Cybercrime Directive, among others, so there has to be an exception there. There also needs to be a framework to ensure that vulnerabilities found are returned to the system in some way. The NIS 2 Directive even says that member states should ensure this, but that is not defined clearly enough.
Van Daalen does not know of any cases where spyware has led to convictions, but he has not done any research on this. He condemns the use of spyware on MPs or lawyers, which is an attack on the confidentiality of lawyers.
If there is a vulnerability in, say, all Windows or iOS 11 systems, all devices are affected, so it is imperative to close them. Some companies have set up a vulnerability feed where vulnerabilities can be reported. But these could also be used for attacks.
David Kaye says the committee should set standards for invasive technology. He goes into his report on spyware, which covers the period up to 2020. It is about rights such as data protection and rights of association. Specifically, this is not just about NSO and Pegasus, but a whole industry for spyware. These tools have to be examined against the standard of legality.
Their power is unprecedented: attackers can monitor all of digital life, in real time. This is because all activities are carried out via digital devices. These give the attacker the ability to capture and monitor the digital life of their target, without distinguishing between a criminal conspiracy and personal opinions, contacts, location data, browsing habits, banking data, meal plans and much more, sometimes in real time.
It is not just about the rights of individuals and their human rights, based on the ECHR and the Charter of Fundamental Rights. They are the foundation of democratic societies. Through spyware, people are no longer sure whether they enjoy fundamental rights and can freely express their opinions. Withdrawal from public life, as we as legislators know, can be fatal.
Given the scale of the attacks, the burden of proof actually lies with the attacker. States and companies declare that they need the technology to defend themselves against terrorism. They hide behind secret contractual agreements. Even if these pretexts are partly legitimate, they must be substantiated. They would also have to prove that these tools are compatible with basic human rights, and how. Legality, legitimacy and proportionality must be proven. As long as this does not happen, one must assume that state Trojans violate international laws for the protection of human rights. Restrictions on those affected must be the least intrusive possible. These are cumulative norms, so the attacker cannot simply say that it serves „national security“.
Pegasus poses such a serious threat to personal rights and democratic freedoms that special conditions must apply. There must also be legal remedies available if rights are violated, and states must ensure that this is the case. Unfortunately, they too often cite „national security“ and „sovereignty“ to evade these obligations.
Human rights only apply to private individuals, not to the state, it is often said. But this is not true, because all those living in its territory must be protected. The Human Rights Council adopted guidelines 10 years ago, but they must be implemented correctly. He does not believe that spyware like Pegasus complies with human rights and therefore it must be banned.
As a minimum measure, he reiterates his call from 2019 for a moratorium on development as well as sales; there need to be export controls and oversight, and impunity needs to be abolished.
When asked, Kaye explains that it is currently the case that spyware is not subject to regulation, and that is what the committee wants to achieve. Of course, spyware can be helpful to governments and others. Nevertheless, this instrument must be placed under control. The instrument is needed, and that is precisely why it must follow principles of the rule of law. Pegasus is part of a series of technologies, but it does not stand alone. All kinds of information are collected and that is illegal. Therefore, this cannot be legally regulated at all.
Europe sets standards. Other countries have even more instruments about which we know nothing concrete, or only from leaks. But this is about technology that can be bought, and that is a very concrete and special threat. A legal framework is needed for this.
There is the question of sovereign immunity. States are protected from transnational remedies; that would have to change, and there is also momentum there. This immunity should not apply to transnational use of spyware. He does not live in a dream world where the PEGA Committee adopts a regulation and then everything is solved. But there is also something like a domino effect that can be used to remove obstacles.
On „national security“, he does not think of redefining it or changing the concept. He understands the practice of states to justify their actions on the basis of „national security“. Last year, however, the Indian Supreme Court ruled in a case that „national security“ is not a magic wand, but that it must always be justified in very concrete terms. So the state has to justify it.
National order and protection of national interests may be a reason for the measures, but legal standards must be met and this must be formulated precisely and proportionately, in accordance with the rule of law. So we should not discuss with the state what is meant by „national security“, that battle would be lost. Rather, it is about the legal framework. Human rights and the application of individual rights – protection of privacy, freedom of assembly and freedom of expression – are, after all, about the public sphere, and are intertwined.
Even Kaye knows of no case where a criminal investigation was based on Pegasus evidence. Nor was there any testimony on this in NSO’s testimony to the PEGA Committee. So it is hard to prove that Pegasus obtained evidence to convict a person. Of course he would agree that attacks against public figures are illegitimate and illegal. If one wants to justify the use of the software, then the attacker must be legitimate; so it is a question of the legitimacy of the use. Many invoke defence against danger and „national security“. Against political figures like lawyers, these are illegal uses without further evidence, even beyond Pegasus. They are meant to intimidate and expose, so they are not about legitimate interests of the state; these uses would not pass any test of legitimacy.
If states themselves, rather than third parties, develop the spyware, and exploit vulnerabilities, it still creates a window for their illegitimate use. If the vulnerabilities are not communicated, there is often no remedy at all. Some states have Vulnerability Equity Processes (VEP), but they often have no legal force. All states would have to set up these processes and thus limit the exploitation of vulnerabilities.
How could the surveillance industry be legally contained? After all, the courts are responsible for control. Many countries have set up special courts for the prevention of terrorism, which pay special attention to data protection, etc. In the USA, for example, there are surveillance courts. In everyday life, however, normal courts have to control orders. These courts must therefore be involved by the legislator. „National state sovereignty“ has been invoked too often, but this has to be checked by courts.
He believes that this category of technology, which does not distinguish between legitimate and illegitimate goals, raises questions of legitimacy. If you ban it, you may create incentives to drive it even further into the shadows. The problem of surveillance is increasingly being pushed into illegality.
It is claimed that the software is not used against ordinary crimes, but only for state terrorism. But that is not true. This therefore speaks for more transparency and disclosure.
The export control system must also take human rights into account. The US blacklisting of NSO may be good, but it is a unilateral manoeuvre that would have to be implemented worldwide. The Wassenaar Arrangement is helpful for export controls, but it offers some risks. In the EU, we have the Dual Use Regulation, where spyware is specifically listed.
Coordinated Vulnerability Disclosure is a process that has been established for years. Everyone who is able to close loopholes has to be involved. First of all, the company must be informed so that others do not exploit the vulnerability. It is advisable to establish a specific place for notification. The question of when and to whom the message should be sent is important.
The Polish politician Krzysztof Brejza is a member of the Senate and comes with a legal advisor with whom he has jointly brought 13 criminal and civil cases on the use of Pegasus against his person. He has served in three legislatures in parliament, including as campaign manager, and was also targeted by Pegasus himself when he ran for election. He is a patriot; in his beloved country, people had committed crimes against democracy. Since the PiS has been in power, it has removed all guarantees against slipping into dictatorship, for example by politicising the courts, as well as the intelligence services. There is no longer a system of checks and balances with regard to the secret services, and public broadcasting is government television that incites hatred of the opposition. There was no longer any protection of democracy, hence total impunity for the use of Pegasus. The government thought this would never come out.
He had not been suspected of any crime, nevertheless he had been spied on – like every other election official. This was a European Watergate. In the USA, Watergate was merely attempted, in Poland it actually took place. Data was stolen and used, manipulated, falsified and broadcast on public television as a smear campaign, in the middle of an election campaign. Therefore, Watergate to the power of 10.
In 2019, as Brejza sees it, the elections were organised by the intelligence services; they were under surveillance, spied on. They wanted to attack them directly with the help of the Pegasus results. This is unprecedented in a democracy in Europe; he compares it to Russia and the attacks on Nawalny. The surveillance affected not only him, but also those around him, such as his father. Incidentally, his father was voted „best mayor“ by a magazine.
The Pegasus operation cost 4 million euros. Brejza believes that the operation was intended to discredit the entire opposition. The results of the operation were the foundation of this government campaign. As a result, even his children were threatened. The spyware was officially supposed to be used against terrorists.
Courts are paralysed, afraid, he says. In May, the intelligence services denied that he was being spied on; the government does not react at all. That is why he is grateful for the invitation to the PEGA Committee.
When asked, Brejza insists he has never committed a crime; there have never been any investigations or summonses by the public prosecutor’s office. Defamatory material about him had been published in a television programme lasting several hours. He sought a restraining order over this, among other things. If he wanted to try to restore his reputation, he would have to pay 5 million for the equivalent broadcasting time he needed for it. Ambergold had been a Polish scandal; he had been a member of the investigating committee. There, the role of the public prosecutor’s office was investigated. The same prosecution then released information about him.
He cannot say certain things openly, but he knows how it is done, the media have reported. For example, people are summoned by secret services and pressured to provide compromising information about him. Brejza stresses that every new tool has to be certified by the counterintelligence agency. In the case of Pegasus, this cannot have happened because the instrument comes from Israel; intelligence services there could now have its data. Such information, including on MEPs, is said to be invaluable to intelligence agencies, and could be used for other purposes.
Pegasus was bought in Poland through an intermediary by a company with links to the „communist“ or „neo-communist“ secret service. His family is in an anti-communist tradition. The same methods are used now, with cutting-edge technology; the goals were the same then as now. Back then, manipulated letters were sent. Poland had then become part of the democratic family, but for the last seven years there had been a backlash by the nationalist party. The lack of separation of powers often remains abstract, but for him it is very tangible. Independent media in Poland had been destroyed; prosecutors were afraid, paralysed, their hands tied because otherwise they would be driven out of office. There is a Bermuda Triangle of media, prosecutors, government and intelligence services.
Brejza does not know whether he is still being spied on, because the legal system does not allow politicians, journalists or prosecutors to defend themselves or ask questions about whether they were being monitored. Institutions that could have done that were nationalised. He is taking legal action, for example against state television. It is possible, however, that the intelligence services simply delete the material in question without a trace.
When a person is a minister, a politician and a public prosecutor at the same time, that is outrageous. He reported the tampering on his device, travelled hundreds of kilometres to a district prosecutor, who shot the matter down like a robot. So, he said, it was difficult to fathom the facts, but hopefully after the elections next year the truth would come out.
Renowned professors have established the illegality of the surveillance with Pegasus. Had this been known in 2019, a court could have found the elections illegal. Why did the Office of the Director of Public Prosecutions fail to do this? The separation of powers was probably undermined even then. Now, therefore, the entire legal toolkit is being used. Judges do not pass independent judgments because they are worried about their careers. Information is being collected for a future parliamentary committee of enquiry. The democratic values he believed in are fragile, as the affair has shown.
Giovanni Sartor begins by saying that democracy always needs privacy, and that this has been written about since the 1970s. The right to privacy is important to distinguish democratic from undemocratic regimes. The impact of spyware on individuals is huge; immense amounts of data are collected without the user even clicking on anything. As soon as information reaches the mobile phone, it is intercepted; traces of this attack can be erased. Devices like mobile phones play a special role, offering us access to all digitally mediated spheres. When these are controlled by others, it is an unprecedented intrusion.
When surveillance affects people like journalists or judges who participate in public life, it is especially dangerous because the data can be manipulated or placed in other contexts. Many people self-censor because of these risks, do not engage in politics and prefer to live outside the public sphere.
Responding to this with EU law is not a simple problem. According to Article 4 TFEU, „national security“ remains the sole competence of the member states. If the measures violate EU rules, this can be reviewed in court, says Sartor. The legal problems, however, are that „national security“ activities are not subject to the GDPR or other data protection regimes. Restrictions are therefore only legitimate when it comes to „national security“. The Council’s e-Privacy Opinion also excludes this, regardless of whether it is a public authority or someone acting on behalf of the public authority.
This means that the planned directive does not address the concerns that Brejza just raised. So action must be taken so that this cannot always be invoked to minimise data protection. It should only be about things that really and exclusively have to do with „national security“. How this is outlined is actually also an EU matter. Nor should data be used that was actually collected for other purposes.
The non-applicability of the e-Privacy Directive and the GDPR had to be changed into absolute exceptions, which had to be legitimate and proportionate. If Parliament and Council managed to clarify this point in the Data Protection Directive, it would be considered a very big success. With the e-Privacy Directive and the GDPR, we need to be involved in order to anchor this in them.
Effective legal remedies and redress are needed, Sartor said when asked in the Q&A session. With regard to elections, there are still no European standards, for example for election committees at the European level. When it comes to cross-border integrity, this must be addressed in the Digital Services Act. This is another opportunity to exercise control. Of course, „national security“ must also be regulated. In the cases we have heard today, it was no longer a matter of „national security“ in that sense. But the question is whether the ECJ can adopt such a proportionality test. There could be a class action before the ECJ. Lawsuits could also be brought in other EU states, for example if companies there are involved.
The EU is at a crossroads. Democracy could be destroyed without secure ICT tools, which have long been part of our everyday lives, but which are capable of being monitored. The PEGA Committee plays an essential role in this. Surveillance must be more controlled at European level.
Iverna McGowan wants to speak for civil society. Her organisation also works at the international level, for example in the USA. She will speak on the consequences for democracy and human rights and the impact on elections and dual use.
The right to secure communication is the cornerstone of the pillars of democracy. A vibrant civil society is a prerequisite for fair and free elections. Hundreds of thousands of people are organising to this end, including online. In 2019, the Fundamental Rights Agency had already identified three major threats to civil society, all of which took place online. The fact that Pegasus mainly affects journalists, lawyers and dissidents is no coincidence. A vibrant civil society is a must for free elections. But we have heard that information about opposing politicians is being leaked in order to use this for smear campaigns, as in Poland in 2019. Similar means were also used in the US in 2016 and in France, she said. The timing 11 hours before the election prevented victims from taking action against it. This violates the principle of equality of candidates.
Spyware poses an extremely great danger here, which must be effectively regulated. The Dual Use Regulation is supposed to regulate this, but what about within the EU?
Spyware also means that data on minorities and non-white people is particularly affected, says McGowan.
Data protection laws need to be strengthened. She joins the call for a moratorium by UN human rights experts from 2021. Her organisation is looking into the proper implementation of the Dual Use Regulation. The PEGA Committee’s recommendations should go beyond Europe’s borders. Since its recast, EU law has moved forward and is no longer in line with it, for example with regard to due diligence obligations of companies and states. Europe must protect technology that enables secure communications. The CSAM proposal, for example, suggests corrupting end-to-end encryption (E2EE). The Center for Democracy and Technology calls for checks and balances and independent investigations when rights violations have occurred. The Committee may ask the Commission to ensure the rule of law. E2EE must be secured, due diligence by companies must be strengthened, a moratorium is needed. Like the USA, the EU should blacklist NSO.
When asked about evidence of influence on the elections, McGowan explained that it was difficult and needed an investigation to prove it.
We need EU regulation that does not restrict freedom of expression beyond what is in the Digital Services Act. It’s also difficult to go to court if you don’t know you’ve been wiretapped. Private sector actors are another problem in this regard.
The ECJ said in a ruling that state-organised surveillance must inform those concerned, but only after it has ended. This information is important for the data subjects; according to the GDPR, there is also a right to it. McGowan again argues for a moratorium and a legality check.