On April 21, 2026, four civil-society organisations — Access Now, the Committee to Protect Journalists (CPJ), Data Rights, and Human Constanta — filed a joint amicus brief with the European Court of Human Rights (ECtHR) in a cluster of cases over the use of NSO Group's Pegasus spyware against Azerbaijani journalists and activists. Their core claim is blunt: Europe's current legislative and policy frameworks are insufficient to prevent, deter, or remedy spyware abuse, and the Court should read the Convention to require strict safeguards, independent oversight, and accessible remedies for victims of secret surveillance (CPJ).
The underlying litigation is concrete, not abstract. Media Defence, working with Azeri lawyers Zibeyda Sadigova and Elchin Sadigov, brought four applications to Strasbourg on behalf of journalists Sevinj Abbasova, Aynur Ganbarova, Natig Javadli, and Gular Mehdizade. Each appeared on a list of numbers selected for Pegasus targeting; each asked Azerbaijani authorities to investigate; and in each case the authorities and courts refused. The applicants invoke Articles 6, 8, 10, 13, 17, and 18 of the Convention, arguing that the state's failure to investigate destroyed their privacy and expression rights and exposed their journalistic sources (Media Defence).
The strongest case for the brief
It is worth stating the petitioners' case at full strength before quarrelling with any of it. Pegasus is not an ordinary investigative tool. As the brief describes, it can silently convert a phone into a 24-hour surveillance device — reading the full contents, activating the camera and microphone, and capturing encrypted messages at the endpoint before encryption can protect them. When that capability is pointed at reporters, the harm is not only to the individual but to the confidentiality of sources that press freedom depends on. And the European track record is genuinely poor: the European Parliament's own Committee of Inquiry (PEGA) concluded that Greek, Polish, and Hungarian legal frameworks and practices violated Union law and left citizens without sufficient protection (Lawfare). If member states inside the EU's accountability architecture abused these tools, the case for stronger, judicially enforced minimum standards writes itself.
A diagnosis Europe already accepted — and then shelved
What makes the brief persuasive is that it is not asking the Court to invent new principles. It is asking Strasbourg to enforce a diagnosis Europe's own institutions reached three years ago and then failed to act on. In May 2023 the PEGA committee adopted its recommendations by 30 votes to 5 with 2 abstentions, and the full Parliament endorsed them that June (European Parliament). Those recommendations map almost one-to-one onto what the amicus now asks the Court to require: deployment only on prior authorisation by an independent judiciary, in exceptional cases, for a defined purpose and limited time; heightened protection for journalists, lawyers, doctors, and elected officials; mandatory notification of targets after the fact; independent ex-post oversight; and meaningful legal remedies.
The gap is enforcement. As Lawfare noted, those findings produced no binding action from the Commission or member states, and no targeted victim has yet obtained justice. That is precisely the vacuum the petitioners want the Court to fill — and on the remedy side, they are right that a notification-and-investigation duty is the linchpin. A surveillance regime that lets the state refuse even to investigate credible targeting allegations, as Azerbaijan did, is one in which no other safeguard can function.
Proportionate, not prohibitionist
Here is where the editorial line matters. The right reading of this brief is the one civil society itself has converged on: Europe's problem is not that lawful-access and security tooling exists, but that its use escapes oversight. Even the PEGA committee, after a year-long inquiry spanning fact-finding visits to Israel, Poland, Greece, Cyprus, Hungary, and Spain, declined to call for an outright ban, recommending instead that only states able to demonstrate that abuse allegations are properly investigated be permitted to deploy spyware at all (Lawfare). That is the proportionate instinct, and it should survive the journey to Strasbourg.
The risk to guard against is mission creep — that a justified push against unaccountable state hacking hardens into blanket hostility toward encryption-adjacent security research, lawful interception with genuine judicial warrants, or the legitimate cybersecurity industry. The same European policymakers demanding endpoint protection for journalists have at other moments pushed client-side scanning mandates that would weaken encryption for everyone. Consistency requires choosing safeguards over surveillance in both directions.
What a good outcome looks like
A Strasbourg ruling that does the most good would be narrow and durable: hold that Article 8 and Article 10 impose a positive obligation to investigate credible spyware-targeting complaints, to notify targets once an investigation can no longer be prejudiced, and to provide an effective domestic remedy under Article 13. That converts the PEGA committee's stalled political consensus into binding, individually enforceable rights — without dictating procurement bans, without chilling defensive security work, and without pretending that secret surveillance can ever be regulated by a state investigating itself. Europe diagnosed this problem in 2023. The Azerbaijani journalists are simply asking the Court to make the prescription enforceable.