An eagerly anticipated plenary debate yesterday on the state of play two years after Parliament’s PEGA inquiry into the illegal use of spyware in the EU – and following fresh revelations of abuses in Italy and beyond – offered little in the way of new insight into the Commission’s intentions but MEPs seized the opportunity to chastise Tech Commissioner Henna Virkkunen over the EU’s continued inaction.
Last week, human rights organisation Citizen Lab forensically confirmed that Italian journalist Ciro Pellegrino and another prominent European journalist – who requested anonymity – had been targeted via an iOS vulnerability using Paragon’s Graphite spyware.
The same spyware appears to be active in other EU countries, including Denmark and Cyprus. Earlier in June, an Italian parliamentary committee confirmed that the Italian government had used Graphite to hack multiple activists involved in sea rescue operations for migrants.
Commission EVP Virkkunen used her speech to Parliament to reiterate the existing legislative framework, citing data protection rules, the European Media Freedom Act, Rule of Law report, EU Privacy directive, the Cyber Resilience Act, and the Pall Mall Process, among others.
“The investigations into the alleged misuse of spyware are a matter for national authorities, not for the Commission,” she emphasised, adding: “We expect, of course, national authorities to examine any spyware allegations thoroughly.”
Jeroen Lenaers (EPP, the Netherlands), who led Parliament’s PEGA inquiry, noted that the Commission had said it was exploring the possibility of a non-legislative initiative – in the form of a communication. But even this underwhelming step has been “overpromise[d] and underdeliver[ed],” he said.
“You don’t even mention [the communication] anymore,” chimed in Saskia Bricmont, a Green MEP from Belgium. “What are you waiting for… to regulate the purchase, sale, and use of these technologies?”
Sophie in ’t Veld, the former MEP who authored the PEGA inquiry report, also had a withering assessment of the EU’s spyware buck-passing – writing on Bluesky that “the words of Commissioner Virkkunen sound spectacularly hollow”. The EU keeps saying it’s a matter for national authorities, yet they are “the perpetrators themselves”, she pointed out.
Hannah Neumann, a Green MEP from Germany and another former PEGA member, sought to debunk the national security argument that’s often invoked by member states to evade scrutiny of their use of spyware. “Spyware companies claim they make us safer, while the evidence proves the opposite,” she suggested. “The exploits they use are later picked up by Russia and others, and used against us. Their most frequent targets are lawmakers, military officials – even governments.”
“The odds are high that people in this very room are infected right now,” she added, nodding towards Adam Szłapka, Poland’s Minister for European Affairs, whose country currently holds the Council’s rotating presidency.
“Get your act together and fix this before it’s too late. You in Poland, of all people, should know this,” Neumann concluded.
Civil society has also been vocal about the urgent need for action to curb spyware-related abuses in Europe. A position paper published yesterday by the advocacy group European Digital Rights (EDRi) concluded that the only approach compatible with human rights is a full ban.
(nl)