Sudan is an authoritarian state whose rulers severely restrict political freedoms and freedom of the press. Rival factions of the ruling military are currently fighting each other. Nevertheless, EU member state Greece approved the export of surveillance technologies to the Rapid Support Forces, one of the warring parties.
The European Parliament’s committee of inquiry into state spyware is investigating why the EU does not prevent the trade in surveillance technologies and state spyware. On 28 March, the members exchanged views with two EU commissioners.
Trade Commissioner Valdis Dombrovskis shifted the problem onto the member states and their national control authorities. Member states do not have to report individual export authorisations for dual-use goods (which can be used for civilian and military purposes, but also for illegal surveillance) to the Commission. This monitoring gap leads to scandals such as the export from Greece to Sudan.
Justice Commissioner Didier Reynders addressed the question of how the use of state spyware can be banned or controlled in future. He held out the prospect that the Commission will follow the committee of inquiry’s forthcoming final report with a legislative proposal addressing the regulation of state spyware.
In its final report next Monday, the committee of inquiry will set out how states and companies have violated applicable law in the production, trade and use of state spyware. It also contains political recommendations for consequences, which Parliament will hand to the Council and the Commission.
There is no transcript of the session, so we are publishing an unofficial verbatim record of the hearing.
- Date: 2023-03-28
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers
- Expert 1: Valdis Dombrovskis, Executive Vice-President and Commissioner for Trade, European Commission
- Expert 2: Didier Reynders, Commissioner for Justice, European Commission
- Links: Video
- Note: This transcript is automated and unofficial, it will contain errors.
- Editors: Jan Lutz
Valdis Dombrovskis, European Commissioner for Trade
Jeroen Lenaers (Chair): Okay, good afternoon colleagues, good to see you all again for the continuation of our PEGA-meeting, which already started yesterday afternoon. And I welcome very much, to start the afternoon session with the executive vice President, Valdis Dombrovskis, Commissioner for Trade. In the work of the committee and in the draft report and recommendation, there has been a lot of discussion also on the trade aspects of spyware. In the amendments tabled by members, there is quite a discussion on such subjects, including on the dual use regulation, something that we have seen and we have discussed also in many of our hearings.
So it’s a good time for us all to exchange views with you, commissioner Dombrovskis, on your assessment on the way how these regulations also function at the moment and on the current drafts and the amendments that we have tabled here in the committee and how you think this trade of spyware could be regulated. So I will first pass the floor to vice president Dombrovskis. If members, who would like to participate in the Q&A afterwards, would already indicate so to us here on the podium, so we can make the speaker’s list, we can do this in an efficient way as possible. But first, once again, thank you for being here and I give you the floor to make your introduction, please.
Valdis Dombrovskis (Commissioner for Trade): Mr. Chair, honourable Members. Well, thank you for this invitation. So today I propose to explain the implementation of export control rules that fall under my responsibility. To start, allow me to [incomprehensible] you on your important work, what you are doing. It goes to the core of European values, helping to protect the dignity and freedoms of individuals and therefore our democracies and society at large. Well, as you know, I grew up under the Soviet Union, and the Soviet Union has developed a popular army of spies, people who would report on their fellow citizens to the Secret Service for any imprudent word or action. And these kind of reporters were everywhere. It could be a neighbour, a colleague, a teacher at a school, even friends or relatives. So people were fearing each other. They were afraid to speak their mind. Parents would lie to their children about their family history or political views, afraid that the children would accidentally denounce them at school.
So having lived through all this I’m personally very committed to preventing cutting edge technologies from being used to violate and restrict individual freedoms. With this in mind, I hope today’s discussion will help us clarify two things. First: Which EU rules are currently at our disposal to perform export controls on cyber surveillance items from the EU to third countries? And a second: What are the respective roles of national export control authorities and as a commission? We should also keep in mind that these rules concern export controls. They do not apply to imports of spyware such as Pegasus to any user inside the EU. As I understand later today you will exchange views with [Commissioner Reynders] in relation to certain aspects of use of cyber surveillance items within the EU.
Originally the EU export control regime reflected multilateral export control arrangements. It thus focused on non-proliferation of weapons of mass destruction and other dual use products, as well as technology used to produce conventional weapons. The EU export control regime gave an effect to measures agreed multilaterally. Then, in 2021, after five years of negotiations, we completed a comprehensive review of the EU dual use regulation, adapting it to make our export control system more efficient and effective. We also stepped up significantly the control of cyber surveillance technologies.
As you know, the dual use regulation harmonises the rules and supports the consistent application of export controls in the EU. It allows national competent authorities and all EU exporters to follow the same rulebook and to control the same list of dual use items, including software and technology. This EU framework is even more important because not all member states are members of four multilateral export control regimes and the EU itself is only a member of one of these [incomprehensible] the Australia Group on chemical substances. The EU control list complies all items controlled by these multilateral regimes. It includes cyber surveillance items such as intrusion software, telecommunication interception systems, internet surveillance systems, or communication monitoring software.
Accordingly, any such cyber surveillance item that has been identified on the EU control list cannot leave the EU territory without being granted an export authorisation or licence. That list is updated at least annually to reflect changes to multilateral regimes. Individual decisions to authorise or deny a particular export are taken by the member states. This covers items listed in the EU control list and the member states perform a serious assessment of related security or human rights concerns. This division of responsibilities between national export control authorities and the Commission applies for all dual use items, including for cyber surveillance items.
The new EU dual use regulation, adopted in 2021, enhances the EU’s capacity to effectively control these items in three ways. First, it includes provisions to strengthen the possibility of new controls by member states on cyber surveillance technology independently of multilateral regimes. Second, the regulation foresees that we should develop guidelines for exporters on human rights due diligence measures that should apply before exporting unlisted cyber surveillance items. During the last year, we have worked closely with member states to finalise these guidelines. These guidelines will support exporters in application of controls of non-listed cyber surveillance items.
Non-listed items are items for which no multilateral decision has been agreed, but that may be intended to use in connection with internal repression or that [incomprehensible] of serious violations of human rights and international humanitarian law. Thus, we hold the [incomprehensible] or commitment to go beyond what is agreed and listed in multilateral export control regimes. We plan to launch a public consultation in the coming days on the draft guidelines and look forward for further input from the European Parliament as well.
As I said, improvement of a new dual use regulation is about more transparency, about licensing decisions by national authorities. Under the old dual use regulation, member states were only requested to report about cases where they refused export requests, so therefore a commission had little visibility on authorizations granted by member states competent authorities. The new regulation strengthens provisions related to annual reporting under the regulation. Specifically, member states are to report not just on denials like under the old regulation, but also on aggregate level on applications, including on concerned destinations, on authorizations granted for exports of cyber surveillance items.
Member States should provide the appropriate information for the preparation of annual report. However, they have to take into account the protection of personal information, commercially sensitive information or protected defence, foreign security or national security information. So this new approach is a step towards higher transparency, as requested by European Parliament, and it will be reflected in the forthcoming 2023 annual report to be published by the end of the year. We have just completed a public consultation on transparency about this reporting obligations and will report shortly about the comments received.
Honorable Members, the work to improve the controls of export of cyber surveillance items done over the last 18 months has been advanced probably slower one could have hoped for because it was done in parallel to extraordinary work on export control measures related to Russia’s war in Ukraine. It has overtaken most of our experts time and resources, not only in the Commission but also in the export control authorities of the member states.
So on this point, I would like to use the occasion to commend the Commission’s export control experts. They have been working day and night together with their national counterparts to design ten consecutive packages of technology sanctions. We now work to close loopholes. We also support member states in their effort to fight a sanction circumvention. This reinforced focus is on items found on battlefields in Ukraine. To conclude forward, I look forward for today’s exchange on the important work that the committee is undertaking. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much, executive vice president Dombrovskis. And very interesting to hear about the new ideas for the new regulation and of course, also all the work that the commission is doing with regard to the sanction packages on Russia. Thank you. Thank you very much. I open the floor to our colleagues. The first one is our rapporteur, Sophie in ’t Veld. Any other people that would like to take the floor and haven’t indicated so far? Please do so, so we can close the speakers list. Thank you.
Sophie in ’t Veld (Renew): Yes. Thank you, Chair. And thank you, Commissioner, for the opportunity for this exchange of views. The trade in and exports of spyware is a very important component of our work, of our reports. And I think we note with great concern that exports of spyware is taking place from the European Union, despite the fact that that is actually not allowed and the exports are taking place not to model democracies who would probably not need them, but to countries where spyware is being abused, you know, by repressive regimes. And that is why I think we as a European Union, we have not just the legislation in place, but we also have a moral duty.
I have a couple of questions to you in random order. First question is, how does this work in practice? Because in one of the replies you sent me to one of my written questions, you said member states are primarily responsible. Which is true. But if you note, if you get signals, that the member states authorities are not doing their job, are not properly implementing, not properly applying, in this case the dual use regulation, then do you rely exclusively on information provided by that Member State or do you also react to signals that you get from the field, from the media, from, I don’t know, inquiries, from whatever?
Second question relating to this, and you’ve already indicated it a little bit. Simple question Does the Commission have sufficient capacity to respond adequately to that kind of signals? Do you have the capacity to actually, you know, go on a fact-finding mission and see for yourself how it works in practice.
Then, some concrete cases: In December 2022, the Greek government disclosed that it had provided [Intellexa] with two export licences in 2021. Following these revelations, the responsible minister stepped down. Now we know that one of those export licences was granted for exports to Madagascar, a country which is not exactly on the top of the list of democratic countries. How does that, in your view, correspond to the standards set by the dual use regulation?
And secondly, do you know what the second export license was for? Have you contacted the Greek authorities, and do you know what’s happened? Have you looked into the case? Because we put our written question to you about the illegal exports of surveillance technologies from Greece and Cyprus to Sudan. For these, no export licenses were granted, as far as we know, and that makes it doubly illegal. Have you contacted the authorities of Greece and Cyprus? And if so, have you gotten a reply? And can you inform us about this? Have you contacted the authorities of Bulgaria, where we have concerns about very unclear situation when it comes to granting export licences, in particular to the NSO Group.
And a final question: The United States are a lot more determined when it comes to fighting, you know, illegitimate use of spyware, commercial spyware, an illegitimate trade in and they’ve just yesterday adopted new rules. Now that concerns mainly imports, but are you in touch with the American authorities to see if it is possible to align the policies? Because they say that they want to create an international ecosystem for the trade in spyware. Have you contacted your counterparts in the United States to make sure that we are aligned as quickly as possible? Thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. Dombrovskis.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Thank you very much for those questions indeed. So quite a broad range of questions. So first of all, on what is under the competence of member states. Member states are competent for taking decisions on specific cases of exports and underlying assessment of security and human rights considerations. As I was saying, member states are obliged to report according to dual use in relation on individual denials, so transactions of concern, but they are not obliged to report on individual authorizations under a dual use regulation. We have, however, contacted member states. So Greece, Cyprus, that you asked and also France and asked them clarifications for their individual decisions under the provisions of the dual use regulation.
Greece and Cyprus have not yet responded. France has confirmed that in general it has complied with the terms of the regulation. I understand that this committee also, on its part, has invited member states to cooperate and you have received transfer from Cyprus today… That’s the information we received … Okay…
In any case, we continue to engage with member states to clarify their consistent application of regulation. And also we are discussing with member states what additional information they should report on authorizations of cyber surveillance items on view of preparation of 2023 annual report and enhanced transparency requirements of new regulations, because those are the new requirements. As I was mentioning, Member States are not obliged to report on individual transactions, but they have to provide aggregate data and we are discussing now exactly the level of, so to say, detail on the date the member states would need to provide them. So that’s on as a first element.
What data we are using? Clearly, we are ready to consider any reliable data pertaining to implementation of EU regulation, including dual use regulation. At the same time, if we look at the dual use regulation itself, it, in a sense, does not authorize European Commission to conduct in-depth investigations of individual export licenses granted by the member states. So if, however, we would see the risks of underline case to case decisions that member states are not fulfilling the requirements of regulations, there is a standard procedure of launching, well, infringement procedure on the EU law. So that’s how those different instruments interact as well.
On capacity, as mentioning obviously the focus, especially last year and also early this year, was on sanctions against Russia and export controls in this context. But one can say that this really has been exceptional year from this regard. Even so, currently we still need to focus on anti-circumvention and other aspects.
Then you asked specifically on Bulgaria. That I would need to double check and we will follow up to this committee, I would ask colleagues to provide a written answer on what outreach has been there concerning Bulgaria.
Then on US, on the specific legal act you mentioned, which was published yesterday and provisional on use by the US government of commercial spyware, that poses a risk to national security. We have taken a first look at this legal act. We do not see an export angle in this specific measure. But on your question on cooperation on export controls or indeed we are in constant discussions and contact with US authorities on export controls. That’s one area where we want to deepen the cooperation, where we have been cooperating very closely and, I would say productively, on export controls concerning Russia. We are discussing how further to align our approaches. Primarily a tool for doing this is trade and technology council, so EU-US trade and technology council, and indeed, we certainly can bring up to the discussion all sorts of questions related to export controls on spyware.
Jeroen Lenaers (Chair): Thank you very much. We first continue the round, and if there is …
Sophie in ’t Veld (Renew): Sorry, there are some fairly relevant questions that I would still like an answer to. On Madagascar, Sudan and the unexplained export license from Greece.
Jeroen Lenaers (Chair): Yes, but we’ll continue the round of speakers first. Just to point out also that we have not received anything from Cyprus to our knowledge. So we will contact the Cypriot authorities to see if maybe something got lost [incomprehensible] way. And just to point out that for the speakers list I have now: Braunsberger, Heide, Neumann, Lebreton [and Kouloglou] …if anybody else… Diana Riba. And then I will close the speakers list. Thank you. If you want to get into the Sudan. Yes. First, briefly. And then we move on?
Valdis Dombrovskis (Commissioner for Trade): Sorry there were so many questions. To come back to the question on specifically Madagascar and Sudan: Indeed, we already contacted the Greek authorities in relation to exports of spyware to Sudan and have asked clarification on this issue. Similarly, to this case, I have instructed my services to ask Greek authorities for clarifications also regarding Madagascar and keep European Parliament fully informed on this issue.
Jeroen Lenaers (Chair): Thank you then for the EPP, Karolin Braunsberger-Reinhold.
Karolin Braunsberger-Reinhold (European People’s Party): Thank you very much. Thank you, executive vice president, for being here and giving us an overview. And I have two questions. Do you consider the export control regulation for dual use technology to be sufficient? Why? Why not? Has the Commission conducted a comparative analysis of [incomprehensible] use technology export controls, in like-minded countries? If so, has the commission found a more robust legal framework in this regard? And how does the commission plan to better implement the export regulation that are already in place regarding this type of software? Thank you very much.
Valdis Dombrovskis (Commissioner for Trade): I am sorry, what was the last question?
Karolin Braunsberger-Reinhold (European People’s Party): How do the commission plan to better implement the export regulations that are already in place regarding this type of software? Thank you.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Thank you for those questions. So on first question: Is a dual use regulation sufficient? Well, the amended dual use regulation is in force relatively recently, it was agreed in September 2021. So in a sense, we are still gathering also experience working with this new regulation. I was mentioning a number of guidelines which we are still working on, including on a level of detail to be provided by the member states in the annual reports also on export authorisations. So this is all a work in progress. Certainly, one can say that this new dual use regulation is a step in the right direction, but we also know that it was a difficult political compromise. It took five years to negotiate and it goes deeply in member states national security matters, for member states tend to be, so to say, very protective of their prerogatives. I would say we still need to gather experience bit on the functioning of regulation to draw conclusions and see what further enhancements would be needed.
Do we compare this dual use export frameworks with like-minded partners? As already mentioned, our cooperation with US, with export controls, where we are certainly cooperating very closely. Well, on the dual use … regulation export controls, of course, we are in a bit specific situation because we have distribution of tasks between national export control authorities and EU level, which is also reflected in our discussions with countries because sometimes their counterpart is national authorities, sometimes their counterpart is European Commission or other EU institutions.
Also, it’s worth noting that it’s not always easy for the EU even to be at the table of negotiation. For example, EU is not a member at the Wassenaar multilateral agreement. So we’re not even there. Currently, just to give another concrete example, we are now trying to get in as a European Commission if you allow in a G7 export control monitoring group. Hopefully we manage, but it’s also not obvious. And also there is certain reluctance by member states just to give some examples how these different levels of competences are interacting.
Well on the third question on a better implementation. Clearly we are currently, as I think, gathering experience. I think important element will be, how we will reach agreement on level of detail of member states annual report and aggregate information they are providing on export authorisations. I think that can help also with implementation and also, well, I would say, clearly it depends also on cooperation with member states who are in a sense not … As European Commission, we are getting a quick and forthcoming responses from member states on the questions we are raising. Also our [cells], suddenly there is still scope for improvement, I would say, also within existing regulation and its implementation.
Jeroen Lenaers (Chair): Thank you very much. A quick and forthcoming information from the member states is not something we are very used to in this committee. So I hope you will have better luck for the S&D, Mr. Heide.
Hannes Heide (Socialists and Democrats): Thank you. I would like to thank the vice president of the commission for joining us for this debate. Production and trade in spyware is the business model. As we have seen, the market in the European Union is quite extensive. So how do we control this market? We’ve heard some thinking. I would be interested to know whether the Commission has a comprehensive overview of this market within the European Union. And following on from what the vice president said about information from member states, you said you don’t always receive it quickly enough or that it is comprehensive enough. And so my question is, might this be down to a lack of awareness? Or: The fact that they don’t know enough about these markets, these products.
There are many different producers within the European Union. Just to give you an example: In recent years in Australia, the authorities were made aware of a product and company only because Microsoft detected a number of security gaps in the software sold. And so the authorities in Austria carried out an investigation and then there were questions raised in the Austrian Parliament, and it emerged that there had been no authorisation given by the Finance Ministry in Austria and no export authorisation issued in the last ten years. So that could be interpreted as meaning that there is no such trade taking place. But you could also argue that there’s a lack of knowledge, lack of awareness as to the extent of this market and this particular business model. Thank you.
Jeroen Lenaers (Chair): Thank you. Hmm.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Well, thank you for those questions. So. Well, clearly, spyware and production and the sale of spyware within the EU for export, it’s clearly a business model. It has its own legitimate uses for law enforcement, for public security. So the question is, in a sense, how to ensure that it’s not abused, but it’s used for its legislative uses on how to control it within the EU market doesn’t.
And the next speaker in this committee is going to be Commissioner Reynders, who will be focusing exactly on the issues on use of spyware within the EU. So as regards this question, as you’re saying on lack of awareness, well there or well, it’s I would say they are a two part part of this. Well, first of all, we are talking about well, specific service, specific a model. And there is this EU list of goods under control. And spyware is in this EU list, including a famous Pegasus spyware is in the EU list of controlled items. So clearly member states are aware who are the producers, what is being sold because they are the ones who are granting or denying the licenses for those producers. Of course, they also may be, as you said, to certain gaps of knowledge, because software is not subject to customs duty. So it’s not controlled on the border by nature. If it’s a, it’s a software.
So they also may be assured a shortage of reliable data at our disposal. That is information which member states how from their producers or importers or exporters. But as I say, some, they say electronic transmissions of software or any other electronic transmissions are not always easy and obvious to control. So that also may be some are some information gap, as you noted.
Jeroen Lenaers (Chair): Thank you very much. For the Greens, Hannah Neumann.
Hannah Neumann (Greens): Thank you, Commissioner Dombrovskis, for being here. Yes, here. Hi. I would have questions on the aspects of what you touched already. The first one goes into the current dual use regular regulation and the implementation. Well, by but by us, by your organisation and the member states. The first question is quite simple given that we see Member States misusing spyware internally against its own citizens, how can we have trust that they don’t try to circumvent and misuse it also in terms of the exports? Do you have the trust that they don’t do that? The second question, and maybe we can just pick it up from the Greece Cyprus export case to Sudan, what happens concretely if member states do not follow the dual use regulation? So what does the first step of escalation? What is the second? What is the third? What is number four and what stands in the end? I mean, are there sanctions or do you have kind of can you force them to give you information? What happens next? And I mean, in the end it should be that they are no longer allowed to export any such technology if they don’t comply. Is that really the end or are we weaker?
Question number three on this aspect, you mentioned the guidelines that are at the moment on the developments where there are discussions now happening between Member States guidelines on the specific spyware tools that haven’t been part of the first dual use regulation. For me, the question is what will what kind of capabilities or tools with these guidelines cover? Am I correct that these kind of tools and capabilities are at the moment not being exported until everyone agreed on these guidelines?
And the last question is the human rights considerations. So you said the current dual use regulation has human rights considerations, but it’s on the member States to assess this human rights considerations for exports. Does it make sense that 27 member states individually assess these human rights considerations and maybe come to very diverse outcomes? And is that not the biggest loophole possible to circumvent by basically just making the one member states with the weakest considerations, the place where you have your company if you want to export, or is there anything that can mitigate that?
Second question relates to the EU Emergency Trust Fund for Africa, because we had the ombudsperson here presenting a report how the European Commission assessed the human rights impact before providing support to African countries to develop surveillance capabilities, clearly saying that currently the check under the American under the EU Emergency Trust Fund for Africa is not sufficient. Are you aware of her report? What is your feedback to this report? What will you put in place to better ensure that the human rights impact assessment in the EU Emergency Trust Fund for Africa is met?
And the last question that’s a bit more of a political one. So I’m asking you as a politician on this one. When it comes to the export, at least we have a regulation in place and EU regulation in place, we expect member states to follow. You have certain oversight capacities and certain potential for you as an EU body to sanction them. You mentioned infringement yourself. So if we can have this oversight on the export dimension of spyware, why can we not have it on the internal use or misuse of spyware, especially as it infringes fundamental rights of EU citizens? Do you think this makes sense?
Jeroen Lenaers (Chair): Thank you, Ms. Neumann. Mr. Dombrovskis.
Valdis Dombrovskis (Commissioner for Trade): So, yeah, thank you for those questions. So maybe let’s start on what happens. What happens if member states are not following as a regulation? As I was saying, a regulation is in a sense limiting the amount of information Member States are obliged to provide to the Commission, and also it’s limiting as a competence of authority of the Commission. As I say, we cannot, under the regulation, make some specific in-depth checks on whether or not a regulation is properly applied.
So correspondingly, indeed, if we conclude and there is evidence of Member States is not properly applying, the regulations at all, at our disposal, is an infringement procedure against that Member State for non application or non transposition or whatever. Also, well, in case of a regulation we are not talking about transposition, so let’s stick with non application. So that’s the tool which is our proposal. And as I was saying, suddenly the Commission is ready to use any reliable information. So it does not have to be limited to Member State information only. Well, you asked a good question, Do we trust the Member states? Well, I would say by default we trust member states. Of course, if we have evidence to the contrary, we are willing to look at this evidence and to take action.
So. Then as regards this point you raised well, was it it makes sense that there are 27 different member states doing the assessment on export controls, including human rights consideration. Well, this is what is a regulation forsees. So the coalition forces and its member states export control authorities, which are taking those decisions. I was giving you a bit initially as a historical overview how this export control system was developed, how it came to the EU level. And initially it came from quite a clear military uses weapons of mass destruction, conventional weapons. So we are quickly are in a domain on Member States foreign and security policy considerations. So where member states are deciding authorising or denying specific transaction, they are doing those considerations, including considerations on national security policy, human rights, other relevant considerations. So that’s just what is currently foreseen under the regulation. And as I was saying, it took five years to agree this regulation and it was a difficult political compromise. And the reason for this difficulty is that it goes often to the core of member states national security policy.
So that’s that’s the limitations which we are currently opposing. Well, on the misuse of spyware internally. Well, as you know, the commission is obviously also looking on this. The legal basis, which is applicable for internal and exports is different. Clearly, we as I said at the beginning, we should make sure that the spyware is not misused to spy on citizens, to spy on political opponents, whatever. And I personally feel quite strongly about this. So it has to be done both as regards exports and internal use while on internal use. On the specifics, I leave it to Commissioner Reynders who is dealing with those issues more specifically. Then on the question you reported or asked on the Trust Fund for Africa and (incomprehensible) findings, I’m not immediately aware of the issue. I may of course inquire to the relevant colleagues in the Commission who are working with this topic since I have some comments and observations on this matter. Thank you.
Jeroen Lenaers (Chair): Thank you very much. For the ID, Mr. Lebreton.
Gilles Lebreton (Identity and Democracy): Thank you very much indeed for your words. It’s very interesting for us to be able to really to look at this 2021 regulation on the export of dual use goods, which includes this spyware software. Now, listening to your words, I have a strange feeling because very often we talk about foreign trade and that external trade that’s part of your portfolio. And we feel that there’s a sort of steamroller effect of the commission who is rolling over member states decisions. But this seems to be the opposite today. You’ve said that it’s quite hard to pass this. You’re facing a certain amount of resistance and certain member states. And I am pleased that, in fact, that to have a lot of leeway in this. So I have some very specific questions to you.
First of all, you said that it’s hard to get information from Cyprus and Greece. All the other 20 have the other 25 member state provided all the information you’ve asked for. Secondly, you have pointed out that the reports that you sent to on to the member States don’t talk about individual cases just aggregated. So are you planning to be able to have a really good overview of what’s happening with exports? Not all the data lumped together. And thirdly, I remind you that member States consider that we’re looking at security matters here, and therefore, in fact, is that not perhaps why you can’t have a very clear view of exactly what’s happening? Because, I mean, when we evoke national security. For obvious reasons, understandable reasons. That means that a member states all withholding information. Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Commissioner.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Okay. Thank you for those questions. Let me start with a broader question you raised. Well, you know, in different policy areas, there is a different legal basis and a different competences for the Commission and EU level in general. So you specifically asked about that trade. External trade is EU exclusive competence. So indeed, on many occasions the Commission is in the driving seat, including negotiating free trade agreements. Well, obviously based on the mandate of Member States and at the end of the day ratified by Member States and European Parliament, or should it be mixed agreement, also national parliaments. So even in a trade policy, we cannot help this steamroller effect, as you said, because at the end of the day it’s still member states who are deciding whether or not to ratify what the Commission has negotiated.
That the dual use regulation is much more restrictive in terms of the Commission competences. So we are not in a driving seat. It’s Member States export control authorities who are taking the decisions. Then on a question we ask on a member states. So what? What is the outreach? So if we have some specific problems, obviously we individually outreach to the member States. So we discussed specifically the outreach we are doing from to Greece and Cyprus, a related for example, Sudan. And we are working with all member states on preparation of that annual report. So we were discussing it before and indeed so on into those cases. There is a difference. Already now, member States need to report individual rejections. So if they reject export authorisation, they have to report it to individual to the Commission and other member states. It’s considered as a well transaction of concern and other member States need to take into account this when deciding their own export authorisations. So that’s already there. So Member States can learn from each other on transactions of concern on authorisations, as the regulation does not foresee obligation for Member States to inform on individual authorisations.
So correspondingly, it’s this aggregated information which you are going to get on in the annual report and that obviously as European Commission we are insisting with Member States to have as granular and as detailed information as possible, while Member States once again may be invoking some limitations on national security grounds, so on not disclosing commercially sensitive information. But there from the commission side, obviously we insist on to the extent granular information which we are able to get.
Jeroen Lenaers (Chair): Thank you very much. For the ECR, Ms. Beata Kempa.
Beata Kempa (European Conservatives and Reformists): Thank you very much. Thank you, Commissioner. Thank you for your presence and for the information you have provided, you have partly answered the question I want to ask. I think if I ask two more questions, your reply would certainly be uniform and concrete. Working on the recommendations for the European Commission and the Council, the PEGA committee is considering what should be the criteria to adopt concerning the sale, imports and exports of spyware software in the European Union, to have protection against abuse in the future.
Therefore, my two questions one, whether the regulation of 2021, 821, fresh from May 2021: establishing the European system on control and intermediary technical control transit transfer of double use products is sufficient as the legal basis for protection against exports from Europe to countries which do not comply with the basic human rights, and what are the regulation needs any amendments or any specific executive acts. That was my first question and second question.
How do you perceive an opportunity that within the current legal system of the European Union? How can we control and the sale of spy software in the European Union? And I’m thinking about situation when such software is produced outside the EU and situations when it was produced in the single market. So for what mechanism and whether such mechanism could be available? And whether it’s possible to regulate the sale of such products. Is it feasible at all? You have partly answered, but I think you might answer quickly. Once again, thank you.
Jeroen Lenaers (Chair): Thank you, Ms. Kempa, Mr. Commissioner.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Thank you for those questions, I think we partly already discussed those questions. So is the dual use regulation as now amended in 2021 sufficient? Well, we’re currently still gathering experience on the functioning of this new dual use regulation. We are preparing annual reports. We are working with Member States in relevant committees and bodies. So I think it’s too early to draw definite conclusions. Well, clearly, as we can see from our discussions, there are limitations in this regulation, but those limitations are by design because there are limits in a sense to how much competence Member States wanted to delegate to this issue at the EU level.
In the case of already existing regulation obliges the Commission to carry out the evolution of regulation in five years, where we can draw all possible conclusions on possible shortcomings and reflect on the amendments. Of course, we can see whether some clarity emerges already sooner and since we need evidence based decision making. So what we do in a review also needs to be on evidence, and then we always question how much political space we will have to make next steps as regards EU level export controls and so on. Second a question on how to control and regulate the production and use of spyware. This once again comes more to the question on internal application of controls within the single market. The questions you will be discussing, my colleague in a short time.
Jeroen Lenaers (Chair): Thank you. For The Left, Mr. Kouloglou.
Stelios Kouloglou (Left): Mr. Dombrovskis, you started your intervention describing this cruel and very expanded system of spying on the citizens in the ex-Soviet Union. And I was working there as a correspondent in Moscow for five years so that I can fully corroborate and confirm what you have said. As you remember, the general secretary and the secret services were spying on journalists, but not only journalists put it all not only a political open openness, they were spying also on its own ministers, Right. Ministers of the state. This is happening in Greece with the prime minister. He was spying for the ministers.
You remember that this internal secretary was spying on the leaders of the armed forces. And what happened in Greece is that the prime minister was spying on the leader of the chief of staff. On the chief of staff. You remember that day the general secretary was spying on his relatives, for instance, his sister and, well, the Greek prime minister was spying on his sister. You remember? He was spying on the general secretary or he owned his nephew and well, Mr. (incomprehensible) it was fine. If you remember, he was fine on his knees. And then, Mr. Mitchell, that grows pain in his knees. So you will tell me there is a difference? Of course does. Of course. But there are also aggravating circumstances in the present case, because, you know (incomprehensible) Soviet Union was a member of the European Union. Now we have here Greece being a member of the European Union, and we have two deputies of the European Parliament being inspired. And we know this case since nine months. So I have certain questions to ask you, very brief questions.
Why the commission has not made any statement about the Greek case. When it comes to the two other cases, the commission is coming out and saying, well, this current yes or no, you now nothing. Mrs. von der Leyens outlet disappeared. This the first one. Second question: The scandal is already nine months. When did you ask the Greek government for explanations and everything about what? I don’t know what exactly what you have asked. Third, is there in your request a limit, a time limit? Are you waiting for an answer under as a kind of certain period of time? Or is it just a general question. And fourth, the last question, Mr. Dombrovskis, I would like to ask you, taking into account your personal, very painful experience living in the country, where the spying was a method of governing. You know, what is your personal opinion on the issue? This already documented. I already described you. Happening in Greece. Between us and you. What’s your personal opinion of that. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much. Just to remind colleagues that, of course, Mr. Dombrovskis is here in his capacity as responsible for the trade issues. Of course, everybody is free to ask any question they want, but we have Commissioner Reynders later this afternoon also to discuss the use, etc., and the rules internally in the European Union. So, of course, Mr. (incomprehensible) has invited us to answer all the questions as he pleases, but in his specific portfolio is the questions of trade and export dual use regulations. Mr. Dombrovskis.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Thank you for those questions, my buddy. Let me start with a specific questions on our request of information for Greece. So the requests we were sending to Greece in my area of competence were concerning the export of spyware, specifically to Sudan. So this is what we had been approaching as a Greek authorities, and we are currently awaiting that response. So clearly, yeah, when we requested colleagues will try to find the exact date, when we requested this information and to find it, we had it somewhere here and useful for okay colleagues. So try to find exact dates.
So as I was saying, by default, in dual use regulation, Member States are not obliged to report on individual authorisations of dual use items, including spyware. So that’s why we made this ad hoc request following some information which had become available. We’ll find specific dates for this. Well, on your broader question, well, clearly, as I said at the beginning, I lived myself in a system like this. I know what it means. And therefore, I’m clearly of the view that that kind of spying on fellow citizens and political opponents or whatever should not take place, that spyware has to be used strictly according to its legitimate uses. And there are legitimate uses for law enforcement, for national security. And that’s indeed the task of the National Home and Justice systems to ensure a legitimate use of this kind of tools, which indeed, as Mr. Chair already outlined, brings us to the next topic and a hearing with the Commissioner Reynders. So on a specific question on one, we reached out to Greek authorities on as our export authorisations, 14th of February. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Then Diana Riba i Giner.
Diana Riba i Giner (Greens): Thank you. Good afternoon. I have a more general question to ask. A lot of the questions have been very specific. When we talk about this spyware, for example, when we talked to when we went to Israel mission, we talked about these programs as a weapon. They were saying this is a weapons import export issue. In listening to your presentation and when we talk within the European market of the spyware, we’re talking about something as if it were any other commodity and not a weapon. So. How are we seeing this kind of good. Is it a weapon? Should we see it as such or. I mean, what category the spy will fall into? Because things change according to what category you put this good in. And there’s an investigation committee and we need to come up with a report. We need to know what the legal framework is that we need to use for the future of use. So this dual vision within and without the EU, I mean, where do we put these spy goods? Are they weapons or not?
And then on human rights, I have a very concrete question on the new directive. There is a new reason for denying export licenses for cyber vigilance, cyber surveillance, especially in cases of threats of human rights violations, I think is Article 4.2 and 3.8. Has any member state used this human rights clause since its introduction? It’s a bit the same question as my colleague has, but I wanted to know if this article has already been implemented through use by any member State. So have we already identified any infringement of fundamental values in the EU?
Jeroen Lenaers (Chair): Thank you very much, Mr. Dombrovskis.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Thank you for those questions. So indeed, while you referred to weapons, I was telling in my introductory remarks, where is the EU export control regime originates from? And indeed it originally focussed on non-proliferation of weapons of mass destruction and other dual use products as well as technology used to produce conventional weapons. So there is sort of a link clearly with those issues and correspondingly with national security issues. So therefore, how’s the dual use regulation functions? We are having an EU watch list of goods and services which are subject to this dual use regulation and spyware. And as I was saying, also different components and related technologies are on this watchlist. So that’s the reason why it’s under the scope of dual use regulation. So we’re not treating it as any other commodity because any other commodity typically is not covered by a dual use regulation. So that is the reason why spyware is covered by dual use regulation. So that’s on the first part of the question. On information on whether and any member states have been using the human rights clause so far as it’s something I probably would seek further information and I would come back to the committee in writing to the specific question.
Jeroen Lenaers (Chair): Thank you. Thank you very much. Executive Vice President, Dombrovskis. First of all, for being with us today for making the time available to exchange views with the members of our committee and also to follow up on some of the questions where we didn’t have specific answers yet in writing. Later, this much appreciated. We will, of course, continue to work on our recommendations following the leadership of our rapporteur, Sophie in ’t Veld. We also hope that you will keep a clear, a close eye on what we will recommend and we count on you for the cooperation in the phase after this committee has been dismantled. And we will work on, hopefully the legislative roll-out of the recommendations that we make. I see that there is a very, very brief, urgent follow up question of our rapporteur, very briefly to.
Sophie in ’t Veld (Renew): Two tiny things. Chair, thanks for allowing this. First of all, I understand the Commissioner asked clarification from Greece on the 14th of February, whereas the news on the Sudan flights broke on the 30th of November. That’s two and a half months earlier. Why did the Commission wait so long? And my second question is, I hear you say the commission is not authorised to conduct in-depth investigations of individual cases, even if you have indications that there’s something wrong. Plus, member states invoke national security. And in though in that giant gap, I understand it is entirely possible as it is happening today for member states to export spyware to non-democratic countries. And the European Commission has no powers to intervene because you cannot intervene in individual cases. And this means that companies which have been blacklisted by the United States can freely export spyware from Europe, from the European Union, as long as national governments are willing to cooperate, which is happening. So we’re basically helpless. Is that the conclusion?
Jeroen Lenaers (Chair): Thank you, Mr. Commissioner.
Valdis Dombrovskis (Commissioner for Trade): Yeah. So on first of a question, I was already describing the context in which we were working. For most of the last year and also beginning of this year was a clear focus on export controls related to 2010 sanctions packages against Russia and export controls on those goods, which may or may not appear on the battlefields in Ukraine. But clearly we are keeping a focus also on as a spyware related issues. And as I was saying also, we see scope for further discussion and cooperation also with the United States in this specific area.
Well, this a comparison of US. Well, we were discussing extensively, so we are not necessarily following the same legal base. So I would not describe the situation as hopeless because we have two layers of defence. We cannot completely dismiss what the member states are doing is they are export control national authorities, which has helped to implement as a regulation. As I said, the standard procedure in case of non-implementation of regulation is infringement procedure and this possibility is there if there is substantial evidence. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much also to all colleagues for the exchange of views. It’s 5:30, Mr. Reynders, Commissioner Reynders will arrive at 5:45. So we’ll break off for 15 minutes and then we’ll have the next item on our agenda. Thank you once again, Executive Vice President for process. And we continue we look forward to continuing cooperation in the future. Thank you.
Didier Reynders, Commissioner for Justice, European Commission
Jeroen Lenaers (Chair): Dear colleagues, if everybody could take their seats, we will continue our meeting. I am very pleased to welcome Commissioner Reynders to our committee meeting. It’s the second time we meet in the framework of our committee work. I think the last one was in May last year, which is ten months ago. I think a lot has happened in the past ten months that warrants a renewed exchange of views, both in terms of developments in some member states, but also developments, of course, in the work of our committee, the draft report, the amendments, the draft recommendations that are on the table now. And since, of course, the purpose of our committee is not only to adopt a report in the end and to adopt the recommendations, but to make sure there is also follow up to these recommendations and that these recommendations are implemented in practice. We count on your cooperation also after our commission ceases to exist.
So therefore, I’m very pleased that you were willing and able to meet with us again. I propose we follow the same format that we always do. We happily pass the floor to you for your introductory remarks, and then we open the room for questions and answers for the members. And of course, as always, I would also like to ask already the members who would be wanting to take the floor during the exchange of views to already indicate so now, so we can draw up the speaker’s list and keep an eye on the timing. Yes. Thank you very much. And first, the floor goes to you. Commissioner Reynders, thank you very much for being with us.
Didier Reynders (Commissioner for Justice and Rule of Law): Thank you, Chair and honourable members, of course, the normal way to try to discuss with you before the adoption of your work of operations. And then, of course, we will see how it’s possible to organise the follow up recommendations. But as I have already highlighted, when I came to your committee last year and in various written replies, the Commission recognises the important work you are doing to investigate the use of spyware and European Union. We are closely following the preparation of your report and the resolution and we are waiting for the adoption. We know that your report will cover several aspects of the use of spyware by the Member States, including compliance with privacy and data protection rules, but also the functioning of the spyware industry or export and import of spyware.
As the Commission has stated on numerous occasions, including before the European Parliament, we strongly condemn any illegal access to interpersonal communications. Let’s be very clear. Spyware is a particularly intrusive technology, and we have seen the consequences of its use through the various testimonies of individuals that appeared before your committee. It is paramount that the fundamental rights to privacy and data protection as enshrined in EU law are fully respected all over the Union. The legal framework governing the use of spyware can differ depending on whether its use falls under EU law or national law.
Now, use of spyware, confidentiality of communication and privacy of data protected by GDPR. So the enforcement directive and private life electronic communication or e-privacy directive. Surveillance authorities in national jurisdictions are competent under these tools to guarantee compliance with the legislative framework. EU law on data protection applies when it comes to processing personal data by private entities, even where such processing is required for security national security reasons. EU law is also applicable when public authorities process personal data for criminal or repressive purposes, in the case of spyware. In such cases, individuals must be in a position to exercise their rights when it comes to data protection under EU law. That includes the right to information and effective legal recourse. The right of information and access to personal data is key in the EU judicial system. It is a prerequisite to enjoy other rights, including the right to take legal action if said rights are breached. The commission stresses that it is important for supervisory and judicial authorities to have sufficient powers here and to enforce these rights. These authorities need to make full use of their powers to take an in-depth look at any breach of rights in this area.
EU law does not apply to cases where public authorities directly access the data, so not the telecom operator and process them for genuine national security purposes, which is a different issue than law enforcement. An important question in this debate is therefore the delegation between the application of EU law and national rules on national security. It is for the member States to define their national security interests and to adopt appropriate measures to ensure their internal and external security. Nevertheless, the European Court of Justice made clear that Member States must be able to demonstrate that national security would be compromised in the case at issue. The Court of Justice also held that threats relating to national security are the ones that are capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country such as terrorist activities.
Therefore, based on the court case law, Member States cannot merely refer to national security in a general way to exclude the application of EU law. In cases reported by the press, the real issue seems to be whether the use of such a spyware is generally justified by national security. When such a restriction to the right to privacy and personal observation protection cannot be justified as fighting and national security, EU law must apply with all the safeguards it provides. Where there is a doubt on the interpretation of EU law, national courts can make a reference for a preliminary ruling to the Court of Justice. It is also important to bear in mind that where EU law is not applicable, the European Convention on Human Rights still applies as well as national constitutional law safeguards.
In this context, it is also important to consider the following points: Whether Member States have in place a national legislation framing the use of tools such as spyware for national security purposes. Whether the national legislation foresees specific and sufficient safeguards given the high level of intrusiveness of the use of spyware. Recently, my services have requested information from all the member States about the national legal framework governing the use of spyware from a data protection perspective. We ask the member states several questions, including the purposes under which spyware is permitted under the national law for law enforcement purposes, for national security or other purposes. The safeguards that are applicable when spyware is used for law enforcement purposes and for national security purposes.
The large majority of the member states already replied, but we are still in the process of collecting the member State responses to this mapping exercise. We will assess carefully these replies. I have also discussed the matter with Minister in some Member States to give. To example, in the travels I have made in Spain or more recently in Greece. Before concluding, I must underline that the Commission has no investigative powers in this field, so we are not in a position to assess individual situations. We cannot therefore assess whether the conditions for the national security exceptions are met in the specific case. We do not have the ability to go on the ground to hear testimonies or to seize documentation, for example.
In conclusion, based on your final report and on our own fact gathering will decide on the most appropriate way forward. I want to say that in the last discussions I have had with some that opposition authorities or independent authorities in relation with this kind of situation in some member States and on the basis of the response that we have received from Member States, I am sure that we will have to examine if it’s needed to come with a legislative proposal at the EU level. We will see also on the basis of your recommendations. And in such a kind of framework, the questions that we have, of course, is to see what kind of legislation is needed at a national level to organise the process. What kind of safeguards are in place to protect individual rights and to give some example, who will be in charge to authorise the use to give an (incomprehensible) of spyware for national security purposes.
In some member state I received of remarks, this may be enough to do that with one judges, one judge, able to decide about the authorisation. In others, it’s maybe more important to have a college of judges to do that. And so to organise a process. But then what would be in charge to control the full respect of the safeguards and the real access to a possible redress for the individuals? Having seen such a kind of access to their own data, so again will have to take into account your recommendations in your resolution and will take into account the actions of the Member State. Of course, when I’m speaking about a possible legislative initiative. You know that we need to work with two co-legislators. So the Parliament, of course, and you will video resolutions, but also the member states and, you know, the sensitivity of the national security issue at the level of the member states. But it’s not a reason why we don’t have to continue to work on this. I thank you for your attention. And I’m, of course, looking forward to listen to your interventions that may be modern, that read your recommendations when you will have had your body to adopt your resolution.
Jeroen Lenaers (Chair): Thank you very much, Commissioner, and thank you for taking our recommendations into account. And of course, of course, in order to adopt any legislative proposal, we need two co-legislators that is clear to launch a legislative proposal. Of course, the commission has the full right of initiative. So taking our considerations into account, I hope it will also make use of that initiative. We have on the list at the moment. Sophie in ’t Veld, for the EPP Braunsberger, López Aguilar, Cañas, Solé, Lebreton, Kempa, (incomprehensible), Neumann, Riba i Giner. I just want to underline that we have one hour and then our interpretation will finish or I would really ask for it as a bit of discipline in the members. Also, in asking that questions do not take too much time because this will only be at the expense of other colleagues who also have a right to take the floor. We will start with our rapporteur, Sophie in ’t Veld.
Sophie in ’t Veld (Renew): Thank you Chair, and thanks to the Commissioner for being here. I recognise what you say about the difficulty of this particular area, but what you referred to as sensitivity of some Member States relating to national security, unfortunately, in reality very often is just a jealousy of the national governments who want no interference in their absolute power. It’s not exactly the same. They are using national security as a blank check to, you know, hide wrongdoing behind because national security can never mean spying on journalists or critics or opposition politicians.
On that point. There are elections this year in several countries, in particular several countries about which we have concerns over the abuse of spyware. The spyware has been and is being used to silence critics, journalists, but also independent oversight bodies and to target specifically opposition politicians. Now, how can we be sure that the elections in those countries, in those EU member states are going to be free and fair and not corrupted? This is very, very problematic. So I think I can point to one country in particular. And that brings me to the second point, because the problem is, of course, that the commission on the one hand says, yes, we have to rely on the member states to respect the treaties and the law. At the same time, we know that there are member states that do not respect the law, two of which have actually, you know, are in an article civil procedure. But there are several others where we see they do not respect the law.
How is the commission? I mean, we cannot keep saying yes, but this is national prerogative. We cannot go there. We have to protect the values laid down in the treaties. And I know that you have launched the commission has launched another case against Hungary on the basis of Article two. Surely it should be possible to use that more extensively. Two final points you have written, if I remember correctly, to five Member states, pointing out to them that national security is not some sort of unlimited blurred area where they can do whatever they like. Have you got a reply? And can you also say where the boundaries of national security are if there are boundaries?
And finally, last but not least, what about the internal inquiry in the European Commission? Because I have to say that we are quite dissatisfied with the replies we got from the Commission. We send a long list of questions and the answers we got was we cannot reply this because of matters of security. But the Commission, with all due respect, cannot invoke national security. That’s not a ground for there is a refusal of access to information. Commission. No, we are concerned with the security. The point is, the point is that if there have been attempts and successful attempts to target devices of commission officials, then the security of the commission and of all of us has been breached already. And I think this House has the right is entitled to know exactly what is going on. I think we need more information. This is already almost a year ago. Thank you.
Jeroen Lenaers (Chair): Thank you, Commissioner.
Didier Reynders (Commissioner for Justice and Rule of Law): First of all, I want you to confirm that we are working on the situation in different member states. And you mentioned the difficulties to have a real access to redress maybe for some people in some member states. I give you the last example. I was in Greece and I have discussed with the two independent bodies in charge in Greece of such a kind of situation. And they said to me they have collected a lot of informations and then, and this is a logical process, they have sent those informations to the prosecutor’s office. And so they’ve asked to the different authorities also at the level of the prime ministers to receive information about the state of play of the investigations in the justice system, because at the end what is at stake, It’s a real good functioning of the justice system.
The reason why I’m paying so much attention to the independence of the justice system, but not only the independence, the quality and the efficiency that we are working on, you know, all the time. And we are publishing a different kind of information with the Justice scoreboard and the Rule of Law report. And if you look through the different situations, what is at stake, it’s not a secret national security issue, it is a correct implementation of the rulings of the Court of Justice, because the House, some elements and some culture in the rulings of the Court of Justice about the possible use of different kind of application like spyware or others in the field of national security. And, you know, I repeat that many times the decisions of the Court of Justice are abiding. So we need to have a correct implementation. The criteria are there concerning the control. I have just said that in the discussions I’ve had our people speaking about maybe additional possible rules, and I said it’s made possible to the floor, to the commission to come as sure that we have the right of initiative as a legislative proposal will see, you know, that before that it’s possible to come with a recommendation to explain what are the different criteria in the rulings of the Court of justice. And it’s very important to try to do that.
But for the moment, what is what is at stake? I ask to a different member state to explain the situation. And I received some different kind of response about the investigations that are now ongoing on those different cases. So what is very important to me is not to see if we will receive some informations about, again, the state of play of those different investigations and what kind of results you have seen or so decisions in Spain to be very concrete with different kind of investigations at different levels. But now what we try to see if is what kind of follow up on this. But for the moment we are waiting for the different evolutions in the different member states.
And we have I said send a letter in December to all the member states on the top of the first request to some. But now we have asked all the member States to ask what the situation is at the national level about the legislation and the implementation of the legislation. But we are waiting for some response and such a resolution. It’s possible to go further about the situation in the Commission. I’m not in charge for the cybersecurity in the Commission, so I have explained myself in the previous discussion last year already that I receive information not about one specific spyware, a possible intrusion on my smartphone, and after the verification organising the commission, there was nothing.
So I don’t have anything else to say concerning my situation is very clear. So I receive a message from Apple, because, it’s not a secret, I have an iPhone, and from Apple that it was possible to have such a kind of intrusion. But after verification, we didn’t find anything in the commission for the rest. There are some other people in charge of cybersecurity, not only in the (incomprehensible), you know that we have a management board, organised to take some decisions on this situation.
About the infringement proceedings concerning Hungary. I’m sure that’s about the legislation on LGBTI law and protection of children. If I take the name of the Hungarian authorities to us, maybe it’s a possible discrimination due to the sexual orientation. Of course, we ask if it’s possible to have a decision of the court against such a kind of law, because there’s a discrimination. And to take a decision about the law, here, it’s not the same. We don’t want to go to the Court of Justice to have a new definition of the concept we have, I said. It’s about the possible investigations on the ground, on the situation, and that is the task for the data protection authorities and all the bodies.
In Greece, there is another body in charge with the data protection authorities.
And then to the justice system. So, again, we’ll continue to see if there is a correct implementation by the justice system in the prosecutor’s office on all the decisions taken by the authorities in our nation with national security. You have described to conclude the action of the member States in and of themselves and most myself, I spoke about sensitivity. You explained the same maybe with your words. I try to be more prudent because, again, if I want to come with a proposal, I will have to work with the legislator of so with you, but also with the council and to try to find a majority also in the council.
Jeroen Lenaers (Chair): Thank you, Commissioner. Thank you very much. And for the EPP, Ms. Braunsberger-Reinhold.
Karolin Braunsberger-Reinhold (European People’s Party): Thank you. And thank you, Commissioner Reynders, for being here. I have two questions. Considering the worsening of judicial independence in Poland and Hungary. How will the commission guarantee that spyware will be used lawfully by these governments? And what improvements are the commission considering to strengthen the guarantees and checks and balances around the use of spyware with the Polish and Hungary legal architecture? And like Sophie in ’t Veld questioned: How will the commission guarantee that spyware is not used to influence upcoming elections in these countries? Because we already have the case of Polish Senator Krzysztof Brejza, whose messages were manipulated and leaked to public broadcasters. Thank you.
Jeroen Lenaers (Chair): Thank you, Commissioner. Thank you. Commissioner Reynders.
Didier Reynders (Commissioner for Justice and Rule of Law): To be very, very concrete. If you take the case of Hungary. You have received a reply about the role of the Data Protection Authority and the discussions on the authorities, because you spoke about the justice system, but before that we have a network of data protection authorities and I try to work with those authorities first of all. And after that, if it’s needed, is possible to go to justice and to see that that abolition of it is going to do justice. In the case of Hangover, you didn’t see that, but there were some actions maybe introduced by individuals. I don’t have the precise element about that.
But what is in our mind now is to continue to collect information about the exact situation in the member state, because again, the first concern that we have is do we have some specific rules at the national level about the possible use of this kind of instrument, like the spyware? And that means what kind of law do you have? And I said it’s what we have asked in December to all the member states and then what kind of safeguards. But again, the framework is very clear. We have very clear criteria coming from the Court of Justice. So what is at stake now is to see if there is a real control on this. So is it possible for individuals to introduce some actions before the national justice system and maybe for the national justice system? It is.
Is it possible to go to the Court of justice, maybe to ask a question to the court of justice? And, you know, that is the reason why we have introduced different infringement proceedings and other (incomprehensible) about Poland. Because in Poland it was possible to have a disciplinary procedure against justice due to the fact that if they ask a question to the court of justice, of course, it’s very important to stop that as the reason why we have obtained interim measures from the Court of Justice and then a fine. And we are asked to go to Poland to pay the fine. So it’s I know it’s a complex situation, but we are going to the court, when it is needed. We are using all the tools when it’s possible here we will continue to complete all mapping of the situation in all the Member States and to see what kind of conclusions are possible after that.
Like, on the basis of your recommendation: Is it possible to engage the discussion about the recommendation from us to all the member States or to do more? Because I know that in the first discussion you have explained that this may be possible to come with a legislative initiative, but you know, that may be more difficult. But so we are working on all those issues. And about the next elections, you know, that we will try to work a solid defence of democracy package. It was announced by the director of the Commission. But it’s true that there are a lot of safeguards that is needed to having all the member states like the independence of the justice system and again and again is the reason why we are working so much on the independence of the justice system. But it’s not only about Poland and Hungary that we have some concern about the process. We have asked questions to all the member states, but we have seen the possible use of spyware in all the member states and those true. So we need to have a more broader approach to it to see what are the next steps for the commission.
Jeroen Lenaers (Chair): Thank you, Commissioner. Thank you very much. Mr. López Aguilar for the S&D.
Juan Fernando López Aguilar (Socialists and Democrats): I can make it short because surely you have been consuming a substantial amount of time and energy in discussing the issue. This issue is so far of our highest concern for many months now. And we have touched upon all the implications which are relevant, particularly for the Committee of (incomprehensible), which is of course fundamental rights, media freedom and data protection and non-discrimination. And of course, whether the whole thing is compatible or not, whether your standard of fundamental rights. My question goes first.
We had the mass surveillance special committee, and as a consequence, the commission brought the initiative, which has turned out to result into the whistle blower directive. We just don’t have to resort to whistle blower legislation to protect whistle blowers in all of the member states of the European Union. Do you see some possibility that after the work of this committee, the Commission would bring some legislation that would encompass or would frame or would refrain, for that matter, the legislation on spyware or intelligence services, secret services by the member states. Is that feasible? Is that possible? One thing.
Second, do you consider touching upon the violations of fundamental rights as the consequences of spyware in your annual report? Country reports? Those countries in which there has been evidence gathered that there have been violations of fundamental rights, that could be worth noting in your annual report. And third, you made a point on the European Court of Human Rights. In the European Court of Human Rights, there is a so-called margin of appreciation, as to the restrictions of fundamental rights that can be imposed by the Member States, domestic policies in certain areas and certain securities. What do you think? What do you account of the possibility of striking a new balance in which security is made forcibly compatible with the EU standard for protecting fundamental rights, in particular the privacy and confidentiality of data, which for sure is the highest in the world. Thank you.
Jeroen Lenaers (Chair): Thank you, Commissioner Reynders.
Didier Reynders (Commissioner for Justice and Rule of Law): First of all, to be very precise, as I have said that we have sent a letter to all the Member States in December to have a mapping. Of course, we have started the process before. So before the summer last year, we have sent the first letter to four member states, of course, Spain, Greece, Poland and Hungary. Due to the information that we have seen about the possible use of spyware. And I must say that we have received a reaction from three of those four countries, except Spain. And we are waiting for a more concrete rejection of that. We have received now and the action of Spain on the last letter of December, but about the exact situation due to the information that we have seen that before the summer, we didn’t receive a reaction. And I have asked the Minister of Justice to think about possible concrete actions in my visit to Madrid last year and maybe in other contexts we have had letter in the Justice Council in order for.
About the rule of law. We thought it was already the case last year. We have introduced some remarks of the use, the problematic use of spyware in some member states. Of course, it’s possible that we will do the same this year. You know that we will come out with our report in July and we will see if it’s needed to put some remarks again on such a kind of situation. It’s true that I need also to repeat that we have already a set of rules, maybe some rules I said about that the protection or law enforcement activities at EU level and maybe the ePrivacy. I repeat that it would be needed maybe to make some progress on the discussions about ePrivacy with the co-legislators. But if it’s not the case, we have the European Convention of Human Rights. Of course it’s applicable. I have said that in my introduction. Also, if you don’t have the application of the EU law, you have (incomprehensible) convention, (incomprehensible) rights, and there are some decision to reopen the Court of Human Rights about the situation. So we have already a set of rules.
Of course, the easiest way to true to go forward for the Commission will be to come with a recommendation just to put together all the elements that we have. So in the EU law and the European Convention on Human Rights, but as I said in the rulings of the Court of Justice and of the European Court of Human Rights, possible to that, was that to come with a lot of elements. But again, I’m not in a position to say that we will come with a recommendation or not all. Maybe if you propose to come with a legislative proposal, will try to see what kind of proposal. And you know that if there is a resolution in the Parliament to come with a legislative proposal, we are open to examine it and certainly if should come as so is have an idea about the content of the proposal, because it’s not just to say it will be needed to organise a regulation about that, but maybe to say and what kind of orientation it’s possible to work.
But for the moment, what we try to control, if I may, with the letters that we have sent to the four member states before the summer and the discussions that we have had. With different member states. It’s to see how it’s possible to do. It’s possible to enforce the existing rules. Oh, it’s possible to be sure. That’s also in the case of the use of spyware for national security reasons, it’s possible for individuals to have information and to go to a possible redress. And this is the reason why, again, I have asked in some member states who receive a state of play. It’s, of course, an independent decision of the prosecutor. But after sometimes it’s needed to explain where we are with the investigation. I don’t want to put pressure on independent prosecutors in the member states, but if there are investigations in the hands of prosecutors after a period of time, it’s important to know where we are.
To give us an example, you know that we have had the murder of a journalist in Greece just less than two years ago. Next month, it will be the second anniversary. There are investigations, but we want to know just the state of play, not to ask the content of the investigations, but to ask where we are and is the same. Here is the enforcement as the of the essence of your right. We need to continue to work on it to know what is at stake in the different investigations. I’ve seen in Greece, investigations and actions from the different independent bodies involved in the process. But then I said it was sent to the prosecutor’s office and we want to see if there is some follow up in the prosecutor’s office.
Jeroen Lenaers (Chair): Thank you, Róża Thun.
Róża Thun und Hohenstein (Renew Europe): Thank you very much. A lot will happen, I think, really in this domain waiting very much for the report of the commission. And ours is being prepared and we will have probably some proposals for the future. And we will have some kind of law which would protect the citizens from such practices. And I hope very much that we will have a good cooperation, the Parliament and the Commission on this, because as we have already discussed, the member states hide behind the national security sphere and they don’t like to interfere in, what they say, are their national powers, you know.
But you also said that the commission has no is not an investigative body and that you have no possibility to no ability to go on the ground. But which services have the ability, European services to go on the ground, or are we to rely only on what the member states do?
Now, the second question, I have two more, and the second is, I wanted to come back to this: targeting yourself and other commissioners in the European Commission. You say that the digital services have the competences and are not yourself, but the digital services will not speak to us. So couldn’t the college agree that maybe there should be one person who would tell us what the situation really is? Because if there are commissioners were targeted successfully or unsuccessfully, I mean, we know that there were targeting took place. We don’t know if anybody was targeted successfully and who and how many and etc. This is really an extremely important information that touches all of us. And maybe it would be good if I understand this, not in your powers or competences to talk to us about it, but maybe there could be someone and otherwise there are plenty of gossips, you know, in the atmosphere is not so good about it. And, and the issue is extremely important and scandalous, in fact.
And my last: you didn’t really answer to what Sophie asked about the elections this year, because in our proposals we would even like to propose a pilot project that could start already in 2024. We will talk to the commission about it because also of the issue of money, etc. But what about 23? There will be elections, and as we know, this spying on persons who were responsible for the electoral campaign? Yesterday we listened to the parliament, pardon, I’m finishing, to talk to the person who was responsible for the list of candidates to the lower chamber, anyhow. Evidently, I mean, many say that it had influence on the final results of the elections and we must avoid it this year. In several countries, as Sophie said, elections are approaching. Is there anything that the European Commission considers to protect the democracy in the European Union this year from destruction that such surveillance could bring? Thank you very much.
Jeroen Lenaers (Chair): Thank you. Thank you. I don’t want to rush anybody, but it’s just because you have many more speakers to go and we have only until 7:00. We can’t all take 4 minutes to ask our questions. Commissioner Reynders.
Didier Reynders (Commissioner for Justice and Rule of Law): Well, just to repeat, first of all, about myself, I have said that we have organised verification in the Commission different times above my smartphone and without any indication of possible access of spyware. For the others I don’t have informations about situation of others because I’m not in charge of this. But it’s all the time possible to ask again to the services about that. But I do not have information to share with you as a situation of all the people in the Commission are also in the Parliament because I know that there were still some informations about the possible use of spyware against some of Parliament members about the protection of democracy, except the fact that have said we will, that we will come with a defence of democracy package which was announced by the President, the Commission in the last speech on the State of the Union.
We are continuing to work concretely in the Member States. I don’t want to repeat to you what we are doing in one country, that you are doing very well about the independence of the justice system, but we are using the front also saw the (incomprehensible) to do that and we are waiting for new laws maybe to move in a good direction. Then we have tried to work with the government in Poland to be concrete on this. About individuals. It’s not in the competence of the commission. It’s true to organise. Set investigations and to see the recommendations in the member states is the task, first of the data protection authorities or all the kind of independent body task for that by the national authorities. And then, of course, is the task of the prosecutor office to do that when there are some reasons to think that there is a problem in the way to act, to use those kind of spyware or the kind of instruments.
And, you know, that is possible for the commission to organise investigations in the competition files, but we can not do the same for such a kind of situation. We don’t have I don’t have such a capacity as Commissioner for Justice. I’m not a prosecutor. I’m not in such a position. And so again, what we try to do is to see if the national authorities are independent bodies in charge of the data protection. All the prosecutor’s office are doing the job. And I repeat again, what we ask in the member states, is to receive a state of play about investigation. We don’t want to push pressure on the independent prosecutors in the member state because I’m trying to push pressure to have independent prosecutors. But is the normal way to explain what they are doing and how far they are with the investigations. And we try to do that in all, I’ve said, the member states where we have seen a possible use of such a spyware and a necessity to have maybe some actions due to complaints from individuals.
Jeroen Lenaers (Chair): Thank you. For the Greens, Mr. Solé. Thank you.
Jordi Solé (Greens): Thank you very much, Mr. Commissioner. I have two questions. The first one, according to what you said in your initial statement. My first question would be, do you believe it would be legitimate or even legal or both that member states would spy through spyware or any other means on opposition politicians defending democratic goals with democratic means on the basis of democratic mandates? Do you believe political espionage, and I underline this particular category of espionage, when it is not about criminal purposes, it’s about political purposes. Do you really think this kind of espionage can be ever justified with reasons of national security according to EU law? And my second question: In Spain, several complaints have been filed in court, but there’s been no real progress in the judicial proceedings for the last months in what concerns the cases of espionage against Catalan pro-independence figures. And today, Amnesty International released its annual report on human rights and mentioned this anomaly, let’s say in this report. What will the commission do in your contacts with national authorities? If member states are not willing to duly investigate these cases in the judicial system.
Jeroen Lenaers (Chair): Thank you. Thank you, Commissioner.
Didier Reynders (Commissioner for Justice and Rule of Law): So, first of all, about the situation in the different member states. I have said and since the case for Spain that you have described, we will try to understand what are the investigations in Spain about such a kind of situation at a different level, because there were some discussions in the parliament some times was an inquiry committee, sometimes there are actions from the data protection authorities, sometimes by the prosecutor general or the prosecutor office in general. And so we try to see what are those different kind of actions. And again, what is the result?
I’ve said on the concrete cases that we have seen, we have sent a first letter before the summer of last year to Spain. We did not receive a concrete answer. And so we are continuing to discuss with the authorities because I have seen in different occasions, of course, different members of the government are in Spain or in Brussels or in other places, and we have received no response about the legal framework and the safeguards were not about the very concrete case. So we continue to do that. And again, I have said the same and then have what I have said about Greece. We need to have a state of play about the investigations with some conclusions is possible or not.
Because you mentioned, opposition in the parliament of the politicians coming from the opposition, and we may mention all the kind of very sensitive situation, of course, it is very sensitive if there are some possible use of spyware against people in the opposition. But I’m one to say that it was the same criteria then for other people with more sensitivity, of course. But following the court of justice, if there are good reasons of national security to do that, because maybe some people are concerned by terrorist activities or are in discussion with a foreign states. To give an example, during your war. If there are people speaking with Russia, it’s maybe useful. I don’t know. I’m not in charge of national security, but there may be good reasons to try to collect information about that. That is for national security. Of course, for other reasons, like for the law enforcement authorities, they need to follow the full criteria of putting into place in the EU law and in the rulings of the Court of Justice, always an authorisation and different kind of processes. But, you know, also in this House that it’s possible sometimes to use special techniques to try to listen to the conversations of members of a parliament, but for criminal cases, not for national security in such a way.
So again, your right is very sensitive if it’s about opposition leaders in the parliament. And so certainly on the top of all the credit, it must be very prudent to organise social action. But it’s possible. Again, I’ve said that, if I may, sometimes about journalists too. I know that we try to protect in many situations different journalists, and it’s rightly so, but it’s also possible to have some criminal activities of journalists or maybe other kind of activities in contradiction with national security. But like for leaders in the opposition is very sensitive. So I will say it’s needed to verify many times before to start something like that. And this is the reason why, again, at the national level, we ask to the member states to provide a state of play of all the investigations that they are ongoing. And that’s very important, of course, to see if there are some protection of individual rights.
Jeroen Lenaers (Chair): Thank you for the I&D group, Mr. Lebreton.
Gilles Lebreton (Identity and Democracy): Thank you commissioner, for your presentation. I have a more general comment before asking question. And my comment would be the deference, because it’s your role that you have vis a vis the European Court of Justice and its case law, with all due respect for it, in keeping the personal data, the case law has caused a revolt in member states, including those very good pupils such as France, in unilateral sentence. The Council of State has nullified the European Court of Justice because of reasons of national security. It talked about the screenplay, judges dialogue and the defence in this case for the first time, and the government has asked not to apply the case law of the EU Court of Justice, which is what happened in the end. So it’s all very nice to invoke the case law, but it doesn’t always suit the Member States. Now let me come to my question. You said that you are mapping out the national legislation on spyware and that you are collecting this data. But if I understood you well, it’s not easy because some member states don’t are not happy to give up this information. When do you think you will collect all this information? Because it’s quite interesting.
Didier Reynders (Commissioner for Justice and Rule of Law): Two simple things. First of all, case-law. We regularly recall that there’s three easy principles. First of all, EU law is the top law, even with the national law, and the EU court is the only one that can interpret EU law. And the State Council in France did not set aside the EU law, actually, and I don’t want to get into that debate. It was a case of interpretation. When there is a world of working differently, then the only thing you can do is change a European law. The only thing the Commission can do is ensure that the law is followed.
So with the regulations that are current and applicable, such as GDPR or police justice, there are some provisions. And there are provisions in the Fundamental Rights Charter and in the treaties, which are based on the primacy of EU law. The Court does not, by this, exclude certain national interventions as long as the general principles are respected. And as far as a collection and use of data goes, there are some precepts along which the court can do it, and the court is ready to explain how and when it does.
The case law isn’t as rigid as we sometimes seem to think. The same thing goes for what’s applicable to armed forces, sometimes almost because a character of the court does not demand that wars cease every day at 5 p.m. I mean, here again, we have a whole slew of opportunities at our disposal. Otherwise, as we have done in other cases, we can always bring a case before the court like we did with the German Constitutional Court, if we feel that there’s been an infringement. So as far as our mapping out the situation for the legislation, spyware goes, we’ve already received about 20 answers. So we are going to use your report, your recommendations, but also the information that we have we will have received from member states. And this is what is going to justify the commission recommendations.
Beata Kempa (European Conservatives and Reformists): Thank you to our Commissioner. The PEGA-committee, in the recommendations, considers proposing a conditional moratorium on the use of spying software. And I understand that would be an obligation for Member States to meet a number of conditions, probably. And it would be it was to be approved by the Commission and after conditions are met and Member States will be allowed to use spying software.
I would like to ask you how this rather complex, questionable project looks like from the legal point of view. Do the existing treaties, the law on the EU give any basis to produce such a mechanism? And if so, then how? Because I’m very concrete, I stick to the regulations in the treaties and I am not interested in various ideas. One of the ideas referring to PEGA recommendations is to define the scope of national security. You have mentioned that already. But I believe that the very issue would be what the definition of national security. And that could be a problem with specifying the framework in areas relating to national security. As you said, you already sent letters to member states. But I would like to know from you, how would that refer to hybrid conflicts which are on a regular basis in consequence of the Ukrainian war? And that complicates the issue significantly, and thus the current legal state makes it possible to specify what is the scope of national security to be defined by the EU. Thank you.
Didier Reynders (Commissioner for Justice and Rule of Law): I’m ready to go back to my memories and I might be mistaken, but I didn’t. I never propose any moratorium on spyware I didn’t go looking into. Yeah. Your committee. It’s in your committee. So I know where it comes from is the problem, but I didn’t go and check whether there’s a legal basis. I did not come here with the intention of proposing a moratorium. I did not check whether there is a legal basis. I mean, I could always look into now, I’m not going to say whether moratorium might be useful or not, but let’s be careful on how wide we want to go, because if we decide to have a moratorium for a certain period, it would prohibit the use might create problems. You know what I mean? There are some cases in which it might be very useful to have a whole toolbox at our disposal, whether you’re fighting organised crime or the sorts of things.
As far as national security is concerned, it is difficult to define. And that’s why the Court of Justice has a whole series of references. And I’ve been using elements of its case law because it has to show that there is a threat to constitutional rights. And terrorism is a typical example. But once you have a specific use of spyware, for example, in a specific case, it will then be up to the courts to decide. So the definition will be assessed by the judicial. So if I the use of spyware is legitimate or not, in a certain case, it will be up to the judiciary to determine. And then we will see at the end of the investigations what the national justice system will decide. You know, as much as I do that if we’re trying to see whether a law is applied as things are evolving, we know that we have to wait for the courts to decide. We can only give preferences and then we’ll see if they’re applied.
Stelios Kouloglou (Left): Commissioner, I know of cases where detectives ask the suspect to provide information. It’s not easy. So please: Tell me, you know what your state of play is. But let me be more precise. Couple of questions. One is you mentioned you were in Greece and you met the do they do independent authorities concerning their wiretapping and their individual rights each other. So are you concerned that those two individual authorities have been subjected to heavy pressure and attacks both by the government and by the press?
And the second question is, there is a specific case that concerns all of us. Well, two specific gives of two Euro deputies there. There were under espionage and specifically the case of Mr. Androulakis who is an old member of the parliament, and he’s the chief of the Socialist Party in Greece. So, did you, during your visit and your meetings with the government’s officials, ask for more specific information about that case? Because it looks like there is no any kind of national security issue involved in that? You know, I mean, they were following him when the campaign for the new leader in the Socialist Party started. And they just ended the wiretapping when the campaign finished. You know, this is not a matter of national security. For God’s sake.
Jeroen Lenaers (Chair): Thank you, Commissioner Reynders.
Didier Reynders (Commissioner for Justice and Rule of Law): Thank you. So I went, in fact, to Greece. And first of all, we are concerned about all the possible attacks against independent bodies. So I have asked to refrain to attack such a kind of independent body like we are doing the same when there are some attacks against judges or tribunal or courts, because it’s a full respect for the independence that we need to have. It’s possible to organise some procedures against decisions, but not to come with some public attacks. And I have discussed with I did the chair of I they are one of the two bodies in Greece about the situation.
But the second element about the independent bodies that I’ve mentioned in Greece is to be sure I know the financial and budgetary difficulties in Greece since many times, but I’ve asked to provide enough resources, human resources and financial resources to those bodies. If I’m looking to the that the Protection Authorities authority, they are working, if I well remember with 52 people and it was just more than two millions and they ask to receive more than 100 people and more than five millions on the budget, I know that will be made maybe difficult in one year, but is needed to do more and to give full capacity to act. So as that library of asking all the member States about the human resource and financial resources. So again, we need to protect those independent bodies. But at the end I have discussed the situation as of a concerning some leaders of the opposition with the Government and the Parliament. I have had a meeting with the President of the Parliament and Vice of the Parliament, as always, the Leader of Opposition in the Parliament.
And of course my request is to see what are the investigations into Parliament, if they are and what are the results of those investigations into Parliament, because we know that in all the national parliaments it’s possible to organise that. But what are again the investigations organised by the prosecutor, because the two independent bodies that I have seen have said to me, we have transfer all information to the prosecutor office and again, it’s very important to have a state of play of the investigations because it’s impossible to read years before to have any information about the situation. But I’ve discussed this with the government and with the Parliament, the president, the vice will and the Leader of the Opposition. Be sure that I’ve tried to be in touch with all the different participants in such a kind of discussion. But again, the financial and human resources are very important for the independent bodies and the state of play need to be provided by the prosecutor office. It’s an independent office. I need to decide in what kind of ways it would be possible to do that. But after sometimes it’s important to have a little information about the and the process of the investigations.
Jeroen Lenaers (Chair): Thank you, Mr. Cañas.
Jordi Cañas (Renew Europe): Thank you, Chairman. Commissioner. We are all obliged to guarantee respect for and defence of European citizens fundamental rights. In other words, we need to guarantee illegal use of spyware to fight against organised crime, terrorist organisations, those promoting violence and the interference by third states and any threat to rule of law. That is how we defend the rights and freedoms of citizens. We can do that by preventing the illegal use of such spyware. So you can have legal use or illegal use of such surveillance software. If it’s illegal, it’s spyware. If it’s legal, it’s surveillance systems. And that’s key to how a rule of law is preserved. I think that there is confusion sometimes in this debate. And I think that the aim for the commission and you in this Parliament through this report and our recommendations is to guarantee legal use of such surveillance systems. We need to define the general framework at EU level.
What is the legal framework to use this type of program across the 27 member states? Now: We have a legitimate use of such systems. We just don’t know how such systems are being used illegally. Now, it would be helpful if the Commission had an overview of the current state of play. The legal use of such systems and illegal use undermines fundamental rights, and those fundamental rights have to be guaranteed by the commission.
So that’s my first question. On the basis of replies to the Commission questionnaires, do you believe that the recommendations could lead to a commission initiative to have some sort of harmonised European framework in place to guarantee legal use of this type of programme? You perhaps could try to sketch out a framework that would define such legal use. I believe that national security cannot be used as a pretext to infringe fundamental rights, but nor can we deny ourselves the right to use such programs to fight serious crime. Now: We need to ensure legal use. I’m finishing up, Chairman. I’ll just finish up quickly. That was my first question. So to finish up before the chair cuts me off, do you believe that politicians are above the principle of legality? If, you know. Politicians are being investigated under investigation, held above the criminal legislation. Have they some sort of human immunity when being investigated? Thank you.
Didier Reynders (Commissioner for Justice and Rule of Law): Let me come back to a couple of specific points. If the use is illegal, the commission reacts immediately and criticises the illegal use of this type of software. What is tricky is how we make that distinction and define the difference between legal and illegal. Of course, we have a definition of legal use, criminal cases. We know the procedures in place. National security. I mean, this is what we’re trying to ascertain in cooperation with Member States. We’re looking at the legal framework in Member States and we’re looking at the checks in place on conditions for use of such system. I think it’s known. And look at case law, the Court of justice, we have clear indications we could highlight the essential interests of member states. But bear in mind, you have the principles of necessity, proportionality. Those have to be borne in mind.
But I’m not going to give you a general list of indicators that would apply to all individual cases. And that is difficult. You have to have look at individual cases and look at the checks in place for how these systems are used. And that’s down to the judicial authorities to verify whether the use was legal or not, whether there was respect for the principles adopted, the will be margin of appreciation in such cases. You will have to see what is considered state interest or not.
Now on initiatives to be taken. On the basis of what you set out in your report and on the basis of the information we have gathered, we will ascertain whether there is a need for an initiative to be taken, whether this initiative should take the shape of recommendations. Perhaps for member states that don’t have legislation in place, that they do so, or if they don’t have sufficient checks and supervision in place, should they do so, or indeed should we take a legislative initiative? And as I said initially at the outset, I’m aware of the sensitivities of member states when it comes to national security. So if we do go down the path of European legislative initiative, then I think we’re facing into lengthy discussions with council. I’ll leave it at that and I’d be happy to do so. We have engaged in discussions on other subjects. We’re all we’ve been looking, for example, at translation of texts on E-Evidence. So we’re almost ready there and perhaps we’ll get something up and running. But I can’t assess how long it would take.
Jeroen Lenaers (Chair): Hannah Neumann and Diana Riba i Giner, I ask you to combine the two questions together. So we make sure that the commissioner earnestly gets completed to talk also with the interpretation. Hannah Neumann first.
Hannah Neumann (Greens): Thank you, Chair. I’m sure we will manage. And because it’s late, I’m going to take a bit of a different approach in my three questions. I hope everyone’s going to enjoy it. So you’re the Commissioner for Justice, which means basically you’re the guardian of the fundamental rights of EU citizens. And I can well see that it is quite frustrating if you observe massive misuse of spyware infringing on the fundamental rights of EU citizens. But there is little you can do. And we’ve spoken out more than one hour about what legally you can do and legally you can’t do. So now let’s just push all of that aside because we are the lawmakers. That’s the good thing. We can change this legal grounds.
So imagine I’m like a magic fairy and you have three wishes. What would be the three things that you would want to see changed so that actually you can become the true guardian of the fundamental rights of EU citizens when it comes to the use of spyware. Second question: I understand that you do not have the power to investigate yet, but for sure you do have the power to observe. So making use of your power to observe. One: Would you agree that there are Member States in the EU that misuse spyware and that this misuse should be stopped? Two: Which Member State has the best system or framework for the use of spyware? Which Member State has the worst? And third question. We have a number of colleagues here in the House, members of the European Parliament, that have been spied upon while they worked here in the European Parliament. So here my question is, well, who is in charge of protecting them? Is that not a core question of EU security or which member state should be in charge of the security? How do we deal with that? And isn’t that at least primarily your job?
Jeroen Lenaers (Chair): Thank you, Diana Riba i Giner.
Diana Riba i Giner (Greens): Thank you. I’ll be speaking Spanish. I, too, have a specific question. I will pick up on one of the answers you’ve given now. Let me start again. Let me put myself in the shoes of a citizen, a student, a journalist, a politician who feels that they may have been spied on. At the moment, in Europe, we don’t have anywhere where we could go to have our mobile phones checked so that people can see whether they’ve been spied on or not. Could we have some sort of scientific study? Could we check how you would take the matter to the judicial authorities, take the matter to the courts, and then if you feel that you’ve been spied on illegally, as may be in the case, in our specific case?
Well, the courts cannot offer us any solution. So. You say go to the courts if it’s illegal, but you’re facing in two years of some sort of legal proceedings to try and get an answer. So in the introduction, you said that we need to strengthen the justice judiciary in the member states, make sure that they work better. Well, I think we also have to offer answers, and I would like to know what your answer would be. How do we offer citizens tools so that they can get answers? Have they been spied on legally or illegally? Can they get an answer from the state? And what would your recommendation be? We’re considering this and trying to come up with solutions in our report. Thank you.
Didier Reynders (Commissioner for Justice and Rule of Law): So, first of all, so the reaction that we have about what is needed in the member states, I don’t want to you know, that to come with a ranking is not the role of the commission to make a ranking about the situation in all the member states will see the results maybe of your investigations about that. But the first element that we have asked of the member states. Is it possible to know what kind of legal framework you have to organise the process at the national level? And I’m sure that for the future it would be one of the question. Is it possible to see a real legal framework in all the Member States about the possible use of such a kind of spyware?
The second element, what kind of conditions I’ve set myself at the end of the discussions, I’m sure that we need to think about who will be in charge to authorise the use of such a kind of spyware. And you know, in some member states, it’s possible to go to a judge to do that. So for national security reasons in some cases and in Spain, I’ve received in Greece, I have received a remark, why not a college? Why not two or three, maybe three? It’s better just to do that. And not only one, but that is for the authorisation to work with such a kind of spyware. But then the most important element is the control enforcement of all those national legislations and maybe the process it was possible to follow, how it’s possible to verify that it was really in line with the national security definitions of necessity, proportionality of the decision and the correct use of the procedure.
In some member states there are ideas about that was controlled by the National Parliament to the Assembly to do that. Of course, to my mind as Commissioner for Justice, I’m quite sure that at the end it must be possible for individuals to go to justice, to go maybe to an independent data protection authority, but after that to go to justice and to have a clear decision is the reason why. And also to the last questions we asked to have independent authorities in the members, really independent. And I have to take some initiative to react against different member states for the independence of the data protection authorities to be sure that there are no conflict of interest, there are no difficulties in that in the composition also of the data protection of tourism, but and of resources to financial resources, human resource and technical resource to track.
About the level European level. It’s true that we try to build more and more a European, I would say security. I don’t want to you up a national security, so I prefer to say a European security. We have tried with some coordinators for terrorism, one after the other, with exchange of information between the intelligence service of the member states, with the services of the Commission of the External Action Service. You know that due to the Russian aggression in Ukraine against Ukraine, this may be possible to receive more actions which we are thinking about day after day the way to build such a set of instruments, to have a real European security where it’s possible to go if you have a problem.
First of all, I would say to cybersecurity of the members of the parliament, it’s maybe first a competence of European parliament to try to organise a real control and a real protection because you invest a lot in different ways. I’ve seen that in the budgetary discussions. There are some requests to receive more about cybersecurity. I’m quite sure it is to do something. So it should be a first responsibility of the Parliament to take care of that like we tried to do at the Commission level. But then for individuals it’s possible to go to different authorities. Again. Maybe the data protection authorities have to have some confidence to do that. But first of all, the police I want to say, if you are concerned by a situation here in Brussels, it’s possible to go to the cyber criminal unit today.
There are some people involved in the process about cybersecurity and maybe open tools to help you in the way to detect if you were concerned by such a kind of situation? But they are for individuals, some possibilities and is a first step before to go to justice. It’s possible to go immediately to a prosecutor or to a judge, but the first step is maybe to go to a specialised police service. That’s the way to work on it. So again, the most important element is to know what are the legal frameworks in the member states. But on top of that is the enforcement how it’s possible to be sure that is an enforcement of all those rules. What will be in charge to control the correct implementation of application of the different laws?
Jeroen Lenaers (Chair): Thank you very much. I’m afraid there’s no room for any additional questions. I’m sure we can. We can find other ways to ask them and to get the answers as well. I want to thank Commissioner Reynders for being with us on this Tuesday evening and for answering all the questions of the members to the greatest extent possible. I want to keep it short. The next meeting is on the 20th of April in Strasbourg. I look forward to seeing you all there. Not EU Commissioner, sir. And thank you all. And have a nice evening. Thank you.