Source: European Parliament
The Commission has followed closely the work of the Committee to investigate the use of Pegasus surveillance spyware (PEGA) conducted during the previous parliamentary term.
Based on the report and the recommendations, as well as its own fact-gathering exercise, the Commission will decide on the most appropriate way forward.
The Commission’s position is very clear: any attempt to illegally access data of citizens, including journalists and political opponents, is unacceptable, if confirmed.
Even where the use of spyware is linked to national security, and in instances where it falls outside the scope of EU law, national checks and balances need to ensure that safeguards are in place.
The Commission has followed up on developments concerning the alleged illegal use of intrusive surveillance software in its annual Rule of Law Reports, in particular as regards the functioning of national checks and balances in response to such allegations.
The EU data protection and privacy acquis offers comprehensive protection to the confidentiality of communications and users’ personal data and terminal equipment. EU data protection law is applicable to the processing of personal data by private entities, even where such processing is required for national security purposes.
Under the provisions of the ePrivacy Directive[1], the interception or surveillance of communications by public or private bodies is prohibited without the consent of the user.
While restrictions to these provisions are permitted for important public objectives, they are subject to strict conditions and safeguards.
The Law Enforcement Directive[2] is also applicable when competent authorities process personal data for law enforcement purposes. Processing of personal data under these instruments is subject to control by supervisory authorities, which have effective powers to examine any allegations of misuse, as well as subject to judicial review.
- [1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37.
- [2] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89-131.