Ireland's New Surveillance Bill Opens Door to Spyware Abuse

Vas Panagiotopoulos is a fellow at Tech Policy Press.

Ireland is considering a new bill that would legalize the use of spyware by the police — including commercial spyware offered by companies like NSO Group, Intellexa and Paragon Solutions.

The Communications (Interception and Lawful Access) Bill, which will update Ireland’s existing surveillance law dating back to 1993, aims to apply “to all forms of communications,” including the content of encrypted messages on apps such as Signal and WhatsApp, as well as related metadata, according to the Department of Justice, Home Affairs and Migration.

Ireland is home to several spyware-linked businesses, including the US-blacklisted Intellexa Limited and Thalestris Limited.

It is unclear whether the Irish state already uses spyware. However, in 2024, the Irish state police, Garda Síochána, paid spyware maker Cognyte €276,433, the Irish Times reported.

“If [the police] have used spyware, we see no clear legal basis to do so,” Olga Cronin, Senior Policy Officer with the Irish Council of Civil Liberties, told Tech Policy Press. 

A new legal basis for spyware, with risks of misuse

The new legislation is about to change that. It will introduce a new basis for the use of covert surveillance technology, placing Ireland among the relatively small number of states that have enacted laws specifically regulating spyware: Austria, Canada, Denmark, Finland, Germany, Italy, Luxembourg, the Netherlands, Norway, Spain, Sweden, Switzerland, and the United Kingdom.

“Ireland’s proposal fits into a worrying broader European and global trend towards the normalization of spyware use,” says Aljosa Ajanovic, policy advisor at European Digital Rights (EDRi), which currently leads a pan-European campaign to protect encryption and ban spyware.

Apart from spyware, the new law would cover the deployment of forensic tools, such as those by Cellebrite, while it makes a special mention of the deployment of IMSI-catchers, an eavesdropping device essentially faking mobile towers.

The bill promises ‘robust’ legal safeguards, including judicial authorization for interception requests, aimed at ensuring that lawful interception is permitted only when properly authorized in specific cases and where it satisfies the tests of necessity and proportionality in addressing serious crime or threats to state security.

“While we need to see the detail here, from what we do know, we would be very concerned about the potential misuse and abuse of these kinds of tools,” said Cronin.

What makes the introduction of the new law even more significant is the fact that Ireland does not have a standalone intelligence service and national security is handled by a division within the police.

The new law would give the police a set of new powers without clear oversight. There is no separate legislative basis or oversight of intelligence, so this would lead to a very unclear division between criminal investigation, law enforcement and intelligence gathering.

“Without details, it's difficult to understand what oversight is planned, how it would be implemented, and how robust those mechanisms would be,” stressed Cronin, adding that the lack of definition of ‘national security’ in Irish law “could leave [the police] with an almost unlimited degree of discretion in determining which events or acts constitute a threat and whether that threat is serious enough to justify secret surveillance.”

Brussels sets the tone

According to the Irish Justice Department, Ireland’s new surveillance bill goes hand in hand with the EU Commission’s new technology roadmap on encryption, published in June 2025, that promotes the “need to reconcile technology and lawful access” — something experts warn is technically impossible without compromising the security of communications.

“I think there’s an official realization that this can’t be done at national level — it must be done by an EU measure, and the state hopes that progress in Brussels will relieve it of the need to legislate domestically,” explained University College Dublin Associate Professor TJ McIntyre, adding that “historically, [Ireland’s] state surveillance measures have been held back only by European law.”

Yet, the Commission’s roadmap has raised significant concerns among civil society, industry, and cybersecurity experts for its potential impact on end-to-end encryption, calling for the protection of the integrity of cyberspace against increased security threats.

“The EU roadmap is problematic because it is built on the false premise that it is possible to 'reconcile technology and lawful access' to E2EE communications. In practice, this assumption is highly contested by cybersecurity researchers and engineers,” said EDRi’s Ajanovic.

He stresses that there are fundamental rights implications with the Commission’s plans. “The European Court of Human Rights has already ruled that measures that undermine encryption can lead to indiscriminate surveillance and violate the right to privacy. This is why many civil society organizations and security experts argue that protecting strong encryption is essential for both privacy and cybersecurity,” he explained.

Muted political reception

The reception to the introduction of spyware powers for the Irish police has been muted, as sources say the bill has not yet been drafted. As a result, it is impossible to scrutinize. That position is likely to change once the specifics are made public.

Next steps include the publication of the General Scheme of the bill — an early draft outline of the proposed legislation to which stakeholders will be invited to respond — before it goes before a parliamentary committee for more detailed discussion. Following the committee’s report and recommendations, a full bill will then be introduced to parliament. Minister for Justice Jim O’Callaghan has stated that he plans to publish the General Scheme in 2026.

So, is this law needed? “So far, spyware has been deployed by states exploiting grey legal areas, although its use is already incompatible with our fundamental rights acquis, as we hope courts across Europe will start ruling soon,” said Aljosa Ajanovic.

“But every new law that legalizes spyware, like the one proposed in Ireland, sets a blueprint for others and further normalizes its use. They don’t affect just one country: they create templates that others can follow.”

Particularly, this takes place against the backdrop of Irish police already expanding their “eyes and ears” through separate legislation allowing Garda Síochána to use body-worn cameras, access private CCTV feeds in real time, and deploy drones and automatic number plate recognition. There are also plans to introduce facial recognition technology and other powers to biometrically categorize and identify citizens.

“It's our position that this incremental introduction of laws conferring extraordinary powers risks entrenching a durable surveillance architecture in Irish society,” said Cronin.

“The proposed [spyware] law promises regulation but effectively gives permission for the use of highly intrusive technology without any proven case for its need in Ireland,” said Fionnuala Ní Aoláin, former UN special rapporteur for protection and promotion of human rights while countering terrorism and professor at the University of Minnesota Law School and Queen’s University School of Law in Belfast.

“Ireland lacks a meaningful oversight capacity for spyware and this law is a boon to surveillance abuse in a country that should not be leading on enabling spyware normalization,” she said.