Cyprus has become a centre for the export of surveillance software in recent years, a report on the use of Pegasus software presented at the EU parliament on Tuesday by Pega committee rapporteur and Dutch MEP Sophie in ’t Veld said.

One of the main reasons cited by in ’t Veld that led to her conclusions were the discrepancies observed between Cypriot laws regulating illegal surveillance cases and their implementation in court cases, with the most notable one being linked to the infamous ‘spy van’ case that broke out in late 2019.

The report, with a 13-page chapter on Cyprus, also took into account the links to surveillance cases in Greece.

“Cyprus is an important European export hub for the surveillance industry,” the report said.

“On paper there is a strong legal framework regulating the matter, which includes EU rules, but in practice Cyprus is an attractive place for companies selling surveillance technologies.”

The report went on to say that recent scandals have damaged the country’s reputation and new legislative initiatives aimed at tightening up the legal framework concerning exports of surveillance software are expected to be completed in 2023.

“The Cypriot government is alleged to have used surveillance systems itself, although less is known about the victims compared to other member states, nor is it clear whether spyware or other surveillance methods, or both, were used,” the report added, referring specifically to journalist Makarios Droushiotis’ findings on the subject.

“On paper there is a legal framework providing for the protection of private communications, the management of personal data and the individual right to information, but in practice, when national security is allegedly involved, there are no clear rules on the use of interception devices and the protection of people’s constitutional rights,” the report, which also contains chapters on Poland, Hungary, Greece and Spain, said.

“In practice, Cyprus is reportedly rather lenient in providing spyware companies with export licences. Companies use tricks to circumvent the rules. That is, the physical hardware of the product is sent to a recipient country without the software loaded on it. After that, the activation software (also referred to as the ‘licence key’) is sent separately by means of a USB memory stick to the destination country. Another way is to state that the product is exported for demonstration purposes only, although a detailed description of the product is added.”

On the ‘spy van’ affair, Pega recalled that the attorney-general stayed the prosecution against the three individuals charged.

“The reasons for the decision not to prosecute them are classified, as is the report of the special inquiry that had been commissioned by the (previous) Attorney general. There is a remarkable contrast between the assertion on the one hand that the episode with the Black Van touches upon matters of national interest and critical infrastructure, and on the other hand the apparent light touch sanctions for the perpetrators.”

Concluding on its findings on Cyprus, the Pega committee said the island appears to have a robust legal framework for the protection of personal data and privacy, for the authorisation of surveillance, and for exports.

“However,” it qualified, “in practice it would seem that rules are easy to circumvent and there are close ties between politics, the security agencies and the surveillance industry. It seems to be the lax application of the rules that makes Cyprus such an attractive place for the trade in spyware. Cyprus is also of considerable strategic interest to Russia, Turkey and the US. Furthermore, close relations with Israel seem to be of particular mutual benefit with regard to the trade in spyware. Export licences for spyware have become a currency in diplomatic relations.”

In a statement released ahead of the report’s release, in ’t Veld said the widespread use of spyware in the EU by national governments against their citizens is a cause for concern.

“In four to five EU member states there is a clear misuse of spyware for political purposes, which is a serious threat to democracy.

“Whether legal or illegal, the use of spyware takes place with little to no accountability. There is no meaningful oversight at the European level, neither to curb the illegal use of powerful surveillance software against individuals, nor to oversee the trade in these digital goods,” the MEP concluded.

MEPs of Pega – the European parliament’s committee of inquiry on Pegasus and other spyware – visited the island last week and met ministers to discuss the current legal framework.

Pega left “with more questions” than they came with despite constructive exchanges with government representatives, journalists and civil society representatives, committee chairman Jeroen Lenaers said on Friday.

But they said they found no “clear signs of corruption” and gave instructions on how such allegations should be investigated.

“When it comes to defending the most important thing, democracy and freedom, Europe is weak and impotent,” in ’t Veld said at a news conference in Athens. She is demanding an “immediate moratorium” on spyware throughout the EU.

However, her draft has not yet been discussed among other members of the committee, and Lenaers said the report should not be understood as the conclusions or the position of the committee as a whole.

“Only the final report and recommendations, as adopted at the end of our period of activity, represents the position of the European Parliament as a whole,” he said.