EU Needs Better Export Enforcement, Control of Surveillance Products, Parliament Says

“One of the questions I ask myself all the time is: Is the European Union equipped to deal with these kinds of problems?” said MEP Sophie in ’t Veld from the Netherlands, who leads a committee that approved recommendations May 8 calling for tighter EU export enforcement over cyber surveillance items. “The answer is no, because the European Commission, in intergovernmental Europe, is showing nothing but deference to national governments, and it's working on the presumption of compliance of governments, which doesn't work.”

Members of the committee, which was established last year and is investigating EU countries’ use of spyware, said several member states appear to have export control procedures in place but don’t follow them. Greece, for example, has “a fairly robust legal framework in principle,” the committee said, but legislative amendments have weakened those safeguards, leading to exports of the products to countries with poor human rights records.

In ’t Veld, speaking during a May 9 news conference, said “there is evidence” Greece has licensed the export of spyware to Sudan, which shouldn’t be receiving surveillance tools because of its current armed civil conflict. She said the European Commission has written to Greece and other countries asking for “clarifications,” but “they get a reply saying ‘everything is fine here and nothing to see.’ That’s not good enough.”

Committee Chair Jeroen Lenaers, MEP from the Netherlands, said the group sent questionnaires to every member state asking for more information on export licensing procedures for spyware products, “and only a very, very few of them came back with relevant information,” and “some did not reply at all,” including the Netherlands. “It’s very disappointing,” Lenaers said during the news conference. “And it also means that we will have to continue our fight with a lot of energy in order to make the absolutely necessary changes in Europe.”

In its recommendations, the committee asked the European Commission to take the “firm position” that EU exports of spyware -- including Pegasus spyware developed by Israel-based NSO Group -- to countries with poor human rights records are a “gross violation on Union export rules.” The U.S. Commerce Department added NSO Group to the Entity List in 2021 (see 2111030010) and is working on an intelligence assessment on sanctions and export controls imposed on commercial spyware (see 2303270029).

The committee said the EU also needs to assess how it treats spyware exports, calling for an "in-depth investigation of spyware export licenses, stronger enforcement of the EU’s export control rules, a joint EU-US spyware strategy, talks with Israel and other third countries to establish rules on spyware marketing and exportation, and ensuring EU development aid does not support acquisition and use of spyware."

Spyware should be allowed only in countries where “allegations of spyware abuse have been thoroughly investigated” and national laws comply with EU export restrictions, the committee added. It specifically called on Greece to repeal any export licenses that don’t comply with the bloc’s dual-use regulations and asked the European Commission to more aggressively seek oversight information from any countries with questionable spyware export practices.

“You'd expect the European Commission” to act “if it considers that those countries or those governments are overstepping their powers,” in ’t Veld said. A commission spokesperson didn’t comment.