The spyware scandal rocking Greece has spread beyond national borders.
Both the European Parliament and the European Commission become actively involved in the search for answers.
A growing number of MEPs is calling for an investigation and a plenary debate devoted to the issue, while the executive asks the Greek government for clarifications.
At the core of the growing dispute between Brussels and Athens is the perennial question of competencies.
The EU institutions are trying to determine whether the mounting spying accusations infringe upon the bloc’s data rules and fundamental rights, and constitute a European case.
The scandal erupted in late July when MEP Nikos Androulakis revealed an attempt to hack his mobile phone through Predator, a system that allows the extraction of files and the surveillance of conversations.
Androulakis has served in the European Parliament since 2014 and acts as the vice-chair of the subcommittee on security and defence. Last year, he also became the president of the Panhellenic Socialist Movement (PASOK), the third largest party in the Greek parliament.
The attempted Predator attack was detected when Androulakis submitted his personal device to the European Parliament’s services, which now feature spyware-detecting technology. The check-up showed the MEP had received a suspicious text message with a link, which was meant to install Predator on his phone.
Unlike Pegasus, the programme used against high-profile politicians such as French President Emmanuel Macron and Spanish Prime Minister Pedro Sánchez, Predator requires its targets to open a link in order to infiltrate their devices.
Androulakis did not click on the link, averting the cyberattack.
‘Legal but politically unacceptable’
Following the confirmation from the Brussels lab, the MEP filed a complaint with Greece’s supreme court and accused the government of Prime Minister Kyriakos Mitsotakis of downplaying the severity of the case.
“Revealing who is behind such sick practices and for whom they are acting is not a personal matter. It is my democratic duty,” Androulakis said at the time.
The government insists it has never purchased or used the Predator spyware, which was developed by a little start-up called Cytrox and based in North Macedonia.
Research by Citizen Lab, a renowned group that is part of the University of Toronto and specialises in the spyware industry, showed that Greece was among the “likely” customers of Cytrox, together with Armenia, Egypt, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia.
What the government did acknowledge, however, was a more traditional surveillance operation on Androulakis’s phone, which began in September 2021, around the same time the attempted attack with Predator took place.
The bugging, launched by the National Intelligence Service (known as EYP, in its Greek acronym), ended three months later when the MEP became leader of PASOK.
As the scandal deepened, opposition parties began searching for culprits: Panagiotis Kontoleon, the EYP’s director, and Grigoris Dimitriadis, general secretary of the prime minister’s office (and also his nephew), submitted their resignations in early August
“It was a mistake,” Mitsotakis said in a speech broadcast days after the resignations.
The EYP is directly attached to the prime minister’s office, a controversial decision made by Mitsotakis himself when he came to power and that now attracts greater scrutiny over his authority.
“I didn’t know about [the bugging] and obviously, I would never have allowed it,” the PM said, promising to carry out a series of reforms to the agency.
Mitsotakis, however, argued the three-month wiretapping was done in accordance “with the letter of the law,” although neither he nor any member from his team has explained the reasons behind the operation against the MEP and future electoral rival.
Speaking before the national parliament in a session called by SYRIZA, the main opposition party, the prime minister described the EYP’s operation as “legal but politically unacceptable” and invited Androulakis to appeal to Greek and European courts in order to settle the dispute.
A ‘highly debatable’ connection
The spyware revelations quickly reverberated across Brussels, where issues such as cyberattacks, espionage and electoral interference have become a top priority.
Ana Gallego Torres, head of the European Commission’s justice and consumers division, sent a letter in late July to Ioannis Vrailas, Greece’s permanent representative to the EU, with questions related to the Predator hacking attempt and the bugging operation.
Gallego’s letter has not been made public but touched upon “the possible interplay between the EU’s data protection rules and the national security framework”, a spokesperson said.
In his reply, seen by Euronews, Vrailas tried to assuage the executive’s concerns and dispute the notion that Brussels should have a say in the matter.
“Neither EYP not the police have embraced Predator. Thus, there is no issue of violation of the EU data protection acquis,” the ambassador wrote, noting a probe into the incident was ongoing.
“The issue of whether the questions raised in your letter fall within the scope of competence of the [European] Union would be highly debatable in any case.”
Regarding the three-month surveillance, Vrailas explained that, according to Greek law, all subjects are informed when they are monitored and their data is processed by the government. But, he pointedly noted, a recent legislative amendment introduced an exception to this obligation when the operation “occurs exclusively on grounds of national security.”
The law was amended while Thanasis Koukakis, a journalist who investigates Greek banks and businessmen, was trying to obtain an official confirmation that his phone had been under the EYP’s surveillance in 2020. Koukakis was also affected by Predator, according to information provided to him by Citizen Lab.
The intelligence service later confirmed the operation against Koukakis, in addition to the case involving Androulakis, sources told Reuters.
The Commission is still assessing the official response from the Greek representative and gathering information about the potential use of Predator.
Officials maintain Brussels’s competence cannot be so easily dismissed because the bloc has already passed EU-wide laws regarding data privacy and has therefore gained a shared oversight with member states.
“Yes, national security is a member state’s competence,” said a Commission spokesperson. “However, when guaranteeing national security, member states must apply relevant EU law, including the case law of the European Court of Justice when doing so.”
This is not the first time that wiretapping in Greece is brought to the executive’s attention.
In the latest edition of its annual rule of law report, which tracks developments country by country, the Commission highlighted cases of alleged surveillance in the country, but only related to journalists – not lawmakers.
“Attacks and threats against journalists persist and journalists’ professional environment has deteriorated further,” the report noted, citing physical attacks, arbitrate detainment and unfounded criminal lawsuits.
‘Very much a European competence’
Meanwhile, in the European Parliament, Androulakis’s workplace, some his colleagues are striking a combative tone against the Greek government.
Sophie in ‘t Veld, a senior Dutch liberal MEP, is pushing for the parliament’s Pegasus committee (PEGA), where she sits as a member, to launch an investigation into the scandal. The committee has in the past looked into spyware cases in Poland, Spain and Hungary.
In ‘t Veld disagreed with the Greek ambassador’s clarifications and said the present case was “very much [a] European competence” due to the targeting of a directly-elected European legislator and the potential violations of the GDPR, the bloc’s ground-breaking data protection law.
“[Mitsotakis] blamed the lack of political judgement of the EYP chief, but as the EYP falls under the direct responsibility of the PM, why was he not made aware of such a highly political wire-tap?” she wrote on her Twitter account.
PEGA is currently chaired by Jeroen Lenaers, an MEP from the centre-right European People’s Party (EPP), the same political family as Prime Minister Mitsotakis.
The committee is scheduled to hold two hearings next week centred on “spyware against citizens.” Greece is not featured in the draft agenda, although lawmakers will be free to bring up the issue during the discussions.
Asked if a session centred on the Androulakis case could be held a later date, the Lenaers team did not have any comment or update to share.
An EPP spokesperson told Euronews it was up to the PEGA committee to decide whether to investigate the “possible use of spyware by the Greek authorities.” The party has not issued any statement weighing in on the substance of the allegations.
Further outrage is brewing in Androulakis’s socialist camp.
Gabriele Bischoff, vice-chair of the Socialists and Democrats group (S&D), said that, in addition to opening an inquiry, the PEGA committee should organise a fact-finding mission to Greece.
“It is incredible that the EPP is trying to put this under the carpet and not seeing the potential this has,” Bischoff told Euronews in an interview.
“It is absolutely essential that when we are all back next week [from the summer recess], that we put it high on the agenda, and also that the EPP does not play games here like they always do when governments of their political party are involved.”
The S&D leadership has called directly on Roberta Metsola, the president of the European Parliament, to break her weekslong silence around the wiretapping scandal and convene a special plenary debate. The group is particularly concerned about the potential violation of Androulakis’s parliamentary immunity.
Under EU law, MEPs cannot be subject to any form of inquiry, detention or legal proceedings due to the opinions expressed in their legislative capacity.
Metsola, who belongs to the EPP group, did not reply to a request for comment.