Sun. Dec 4th, 2022
Brussels, 8 August 2022
See question(s): E-001713/2022
EN
E-001713/2022
Answer given by Mr Reynders
on behalf of the European Commission
(8.8.2022)
The EU has legislation to protect data privacy, including the General Data Protection Regulation (GDPR)¹, the Law Enforcement Directive², Directive 2013/40/EU on attacks against information systems³ and the ePrivacy Directive⁴.
Where EU law is not applicable, Member States are bound by the guarantees laid down in the European Convention on Human Rights. The monitoring and enforcement of the EU data protection and privacy rules fall primarily under the competence of the relevant competent national authorities and the courts, without prejudice to the role of the Commission as guardian of the Treaties. The national authorities should use their supervisory powers to thoroughly investigate any allegations regarding spyware and restore citizens’ trust.
The 2022 Rule of Law Report⁵, published on 13 July 2022, indicates that the use of Pegasus and equivalent spyware software was subject to an investigation by the Ombudsperson and judicial proceedings. The Ombudsperson closed its investigation on 18 May 2022 and the judicial proceedings are still ongoing. The Spanish authorities announced the revision of the organic law on the National Intelligence Centre in order to increase judicial and internal controls.
The Commission continues to monitor and gather information, including from Spain, in this regard and is looking forward to the results of the European Parliament Inquiry Committee on this issue. The Commission is working on a proposal for a European Cyber Resilience Act, which will set out cybersecurity requirements for digital products and ancillary services. This will contribute to making digital products more secure and less vulnerable to spyware attacks.


1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, 4.5.2016, p. 1–88.
2 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89–131.
3 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, OJ L 218, 14.8.2013, p. 8–14.
4 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, p. 37–47.
5 https://ec.europa.eu/info/policies/justice-and-fundamental-rights/upholding-rule-law/rule-law/rule-law-mechanism/2022-rule-law-report_en