EU Data Authority Wants Bloc-Wide Pegasus Ban


The European Data Protection Supervisor (EDPS) wants an EU-wide ban on the NSO Group’s controversial spyware tool, Pegasus. The regulator warns that the use of the spyware “threatens the essence of the right to privacy.”

Pegasus is perhaps the most potent hacking tool available. While the NSO Group claims to only sell spyware to “vetted” government agencies, there are numerous reports of its misuse around the globe. This includes instances where governments used the spyware to snoop on human rights defenders, journalists, and members of the opposition.

In fact, these growing reports have led to calls for investigations into its misuse. For example, last month, Polish senators accused the ruling party of using Pegasus against opponents in the 2019 parliamentary elections.

Pegasus Gives Operators Near-Complete Access to Target Devices

In light of the growing reports about the misuse of Pegasus, the EDPS decided to conduct an investigation to provide its view on the subject.

In its report, the EDPS says the spyware is capable of interfering with “the most intimate aspects of our daily life.” The watchdog points to Pegasus’ zero-click attacks and ability to gain near-complete control of target devices as particular concerns.

Furthermore, the spyware allows its operator to access and exfiltrate stored data like photos, videos, and messages. The operator can also control the infected device’s microphone and camera, which allows for round-the-clock surveillance.

Surveillance Under Pegasus Does Not Comply with EU Law

The NSO Group markets Pegasus as a tool to combat dangerous activities like terrorism. Surveillance involves violating the target’s right to privacy. Most rights-respecting nations allow law enforcement authorities to carry out surveillance to prevent threats to society.

However, the power to conduct surveillance is not unlimited. In the EU, any surveillance measure must be proportionate to the threat. The EU has one of the strictest privacy regimes and takes the utmost care to protect sensitive data.

The EDPS says that since Pegasus provides near-complete access to a device, letting users access all sensitive data, it cannot be considered “proportionate” under EU law. As a consequence, it has called for a ban on “the development and deployment of spyware with the capability of Pegasus in the EU.”

EDPS Says Spyware Is Required in Exceptional Circumstances

In delivering its opinion on the use of Pegasus, the EDPS stated there are exceptional circumstances that may require similar tools. This includes situations like preventing a “very serious imminent threat.”

Even in these exceptional circumstances, it is necessary to prevent the misuse of spyware tools. To ensure this, the EDPS has provided a list of steps that EU Member States should undertake. The list is included in the EDPS report.


Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.