Spyware: European Policy Brief

Keefer Denney-Turner
Ananya Das

How the European Commission’s Draft Corporate Sustainability Due Diligence Directive can contribute to curbing the negative consequences of use of spyware.

The use of spyware and surveillance tools, the associated lack of transparency, and the consequences of its use and abuse have long been viewed as an attack on human rights. Over the years, a growing international and highly lucrative market for government-grade spyware has emerged and enabled human rights abuses, damaged user privacy, and played a part in the deliberate weakening of security protections. In short, spyware tools undermine the safety and security of individuals and the trust in technology[1]Stéphane Duguin, “Renewed call for moratorium on sale and use of spyware”, May 25, 2022, https://cyberpeaceinstitute.org/news/renewed-call-moratorium-spyware/

One of the measures proposed by the European Union (EU) to address the challenges posed by spyware is an EU directive proposal aimed at codifying the due diligence principles for businesses to avoid adverse human rights implications in their operations.  

While the proposed text is an important step for an increased role for businesses in ensuring technology isn’t used to violate human rights, the future directive can maximize its potential positive impact by adding a provision covering the manufacture, distribution, and licensing of the dual-use technologies industry to the high impact areas. The European Parliament (EP) should include companies operating in this sector to the scope of the due diligence regime designed by the Proposal[2]CyberPeace Institute and Klara Jordan, “Accountability for illegal surveillance by spyware”, August 25, 2021, … Continue reading

Adding these measures has a significant potential for improvement of the directive’s potential impact.

The European Union (EU) and its member states have taken small, incremental steps to curb the consequences of the proliferation of spyware, established the European Parliament  Inquiry Committee investigating the use of Pegasus and other spyware, and imposed sanctions, and export controls. 

The blurring of lines between the State as clients of spyware vendors and the private vendors engaging in transactions involving spyware and surveillance tools shows the challenges to existing regulatory regimes of this industry. There is also growing recognition that businesses have a role to play in curbing the negative consequences of the use of spyware[3]“Spyware is a weapon, say civil society leaders”, CyberPeace Institute, May 27, 2022, https://cyberpeaceinstitute.org/news/spyware-is-a-weapon-say-civil-society-leaders

In February 2022, the European Commission adopted a proposal of a directive aimed at codifying the due diligence principles found in the UN Guiding Principles on Business and Human Rights, and the Organization for Economic Co-operation and Development’s (OECD) Guidelines for Multinational Enterprises and Due Diligence Guidance for Responsible Business Conduct (the “Proposal”). 

The Proposal, still to be discussed at the European Parliament, must be informed by the more specific debates around the issues of surveillance and spyware currently ongoing in the EU. Therefore, an important development is that of the Inquiry Committee of the European Parliament (“Committee”). This Committee is currently engaged in a series of hearings with industry experts, academics, civil society and private vendors. Through these hearings, a number of regulatory gaps have come to light. The most important of these is the increasing role of the private sector in the economy of spyware and the lack of any standardized system of accountability. It is therefore crucial to learn from these hearings especially as it addresses the EU system and its role in addressing the responsibilities and work of private vendors. 

The Proposal

The key functions of the proposed directive make it clear that states are the prime duty-bearers in respecting, protecting, and fulfilling human rights obligations. Nevertheless, due to the complex nature of transnational businesses, corporations are often directly, or indirectly through their supply chains, involved in many areas that can have adverse human rights implications.

The principles in the directive call for voluntary action by companies to undertake the proper steps to ensure that their activities do not harm, and in some cases actively work to fulfill, human rights. However, as noted by the Commission, “Voluntary action does not appear to have resulted in large-scale improvement across sectors and, as a consequence, negative externalities from EU production and consumption are being observed both inside and outside the Union” (Proposal). 

Therefore, the Proposal is an extension of the EU’s human rights obligations to take steps to ensure that companies under their jurisdiction and operating in their territory are not negatively impacting human rights. However, mere passive or omission based steps do not suffice. The Proposal also outlines proactive steps that should be taken to actually fulfill human rights.  

As the Proposal itself states, “[t]he behaviour of companies across all sectors of the economy is key…”. This is even more essential as these vendors operate on a global scale across different jurisdictions. Such surveillance technology is now essentially an economic sector requiring the same attention in the global supply-demand chain as any other contractual transaction involving public and private parties.

The Proposal has now moved to the European Parliament where debates over the substance will take place, and from there will need approval from the Parliament and Council to pass. Upon passing, States will have 2 years to adopt the Proposal into national law. The directive has had a slow journey, after the Commission announced action on this topic over two years ago. 

There have already been initiatives at the national level to implement binding legislation for human rights due diligence for corporate entities across Europe, with the most notable already in place in Norway, and a supply chain due diligence mechanism in place in Germany

A number of key aspects of the proposed directive could address challenges currently faced by individuals due to deployment of spyware and surveillance technology. The Proposal calls for covered companies to begin:

(a) integrating due diligence into their policies in accordance with Article 5;

(b) identifying actual or potential adverse impacts in accordance with Article 6;

(c) preventing and mitigating potential adverse impacts, and bringing actual adverse

impacts to an end and minimizing their extent in accordance with Articles 7 and 8;

(d) establishing and maintaining a complaints procedure in accordance with Article 9;

(e) monitoring the effectiveness of their due diligence policy and measures in

accordance with Article 10;

(f) publicly communicating on due diligence in accordance with Article 11.  (Proposal, Art. 4). 

Importantly, in relation to surveillance technology companies, the framework proposed by the directive could require companies to “seek contractual assurances from a business partner with whom it has a direct business relationship that it will ensure compliance with the company’s code of conduct” (Art. 7 (2b)), which should correspond to the human rights obligations included in the Proposal, and:

As regards actual adverse impacts…the company shall refrain from entering into new

or extending existing relations with the partner in connection to or in the value chain of

which the impact has arisen and shall, where the law governing their relations so entitles

them to, take one of the following actions:

(a) temporarily suspend commercial relationships with the partner in question, while

pursuing efforts to bring to an end or minimise the extent of the adverse impact, or

(b) terminate the business relationship with respect to the activities concerned, if the

adverse impact is considered severe (Art. 7(6)). 

Together, these articles could require covered surveillance technology companies to implement full transparency and due diligence procedures, and to ensure that the actions of their business partners do not adversely impact the human rights covered in this directive. Therefore, this directive would be able to ensure legal requirements for surveillance companies to ensure that those they license their software to and enter into contractual partnerships with, (fulfilling the “business relationship” definition outlined in Art. 3 (e)), respect human rights throughout their partnership. Entities that do not ensure this would be liable to provide redress to potential victims and pecuniary sanctions. Therefore, this could be a powerful instrument in ensuring that the European private surveillance technology industry ensures that their products are not used to violate human rights worldwide. 

However, as many commentators and critics have noticed (Human Rights Watch, Maastricht University, Share Action), the Proposal’s scope for covered companies is exceedingly small, amounting to only 13,000 EU companies, as the Proposal covers only:

(a) the company had more than 500 employees on average and had a net worldwide

turnover of more than EUR 150 million in the last financial year for which annual

financial statements have been prepared;

(b) the company did not reach the thresholds under point (a), but had more than 250

employees on average and had a net worldwide turnover of more than EUR 40

million in the last financial year for which annual financial statements have been

prepared, provided that at least 50% of this net turnover was generated in one or

more of the following sectors:

(i) the manufacture of textiles, leather and related products (including

footwear), and the wholesale trade of textiles, clothing and footwear;

(ii) agriculture, forestry, fisheries (including aquaculture), the manufacture of

food products, and the wholesale trade of agricultural raw materials, live

animals, wood, food, and beverages;

(iii) the extraction of mineral resources regardless from where they are extracted

(including crude petroleum, natural gas, coal, lignite, metals and metal ores,

as well as all other, non-metallic minerals and quarry products), the

manufacture of basic metal products, other non-metallic mineral products

and fabricated metal products (except machinery and equipment), and the

wholesale trade of mineral resources, basic and intermediate mineral

products (including metals and metal ores, construction materials, fuels,

chemicals and other intermediate products).

2. This Directive shall also apply to companies which are formed in accordance with the

legislation of a third country, and fulfill one of the following conditions:

(a) generated a net turnover of more than EUR 150 million in the Union in the

financial year preceding the last financial year;

(b) generated a net turnover of more than EUR 40 million but not more than EUR 150

million in the Union in the financial year preceding the last financial year,

provided that at least 50% of its net worldwide turnover was generated in one or

more of the sectors listed in paragraph 1, point (b). (Art. 2).

Based on the scope of the directive, a question remains how many companies would actually fall within its scope and whether those most specifically involved in the spyware business would be capture within its scope.


As the Parliament can still adjust language of the Proposal, there is an opportunity to ensure that this groundbreaking legislation has the ability to cover a wider range of sectors and actors, including those that may have been contributing to human rights violations. 

Already present in the document are provisions that allow for inclusion of companies in “high impact areas” (Art. 2 (b)). These areas mostly stem from environmental impact, but they should also include sectors that have the potential to have a high impact on human rights due to the nature of their products. In this case, the European Parliament should ensure that a provision is added to include the manufacture, distribution, and licensing of dual-use technologies as a further “high impact” area to ensure that this sector is included in the due diligence regime to ensure that their products, through the use by business partners, do not adversely affect human rights. 

Furthermore, allowing each company’s code of conduct as the basis to deciding human rights compliance opens the door to pluralistic ideas of human rights. Instead, it is recommended that the Parliament considers drafting and agreeing a standard set of criteria to determine the suitability of an organization. Only once a potential client meets these criteria could the company engage in business with such client. Additionally, in case of subsequent violations of such standards, the company must immediately terminate business with such clients. To re-engage in business, there must be a decided moratorium period after which there may be a review to determine if the client is in compliance again. 

The EU has taken important steps to curb the negative consequences of the use of spyware and surveillance technologies. The proposal of the European Commission for a directive aimed at codifying the due diligence principles in business could be another tool in its toolbox, if it includes provisions to better address challenges arising from dual-use technologies. 

Keefer Denney-Turner was a Research Associate at the CyberPeace Institute and Ananya Das is an Intern in the Advancement Team, CyberPeace Institute.


1 Stéphane Duguin, “Renewed call for moratorium on sale and use of spyware”, May 25, 2022, https://cyberpeaceinstitute.org/news/renewed-call-moratorium-spyware/
2 CyberPeace Institute and Klara Jordan, “Accountability for illegal surveillance by spyware”, August 25, 2021, https://cyberpeaceinstitute.org/news/accountability-for-illegal-surveillance-by-spyware/
3 “Spyware is a weapon, say civil society leaders”, CyberPeace Institute, May 27, 2022, https://cyberpeaceinstitute.org/news/spyware-is-a-weapon-say-civil-society-leaders

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.


Support the CyberPeace Institute

Individual lives can be changed dramatically by the acts of cyber criminals. We need your support to assist victims of cyberattacks in the NGO, humanitarian and healthcare sectors.


Subscribe to our newsletter

Receive monthly news on what’s happening at the Institute: our impact, publications, events and important milestones.