Renan Bendel Vaughan (master’s student in European Union Law at the School of Law of University of Minho and ENDE Research Grant Holder – UMINHO/BIM/2026/40)
Setting the scene: eight days in April, one contradiction
In April 2026, two events gave rise to a situation that European Union law has not yet addressed in its entirety. On the 21st, the Court of Justice of the European Union (CJEU), sitting as a full court, delivered its judgment in Commission v. Hungary (C-769/22) and recognised for the first time an autonomous and self-sufficient violation of Article 2 of the Treaty on European Union (TEU): the Hungarian legislation stigmatising and marginalising LGBTI+ people was held to be contrary to “the very identity of the Union as a common legal order in a society in which pluralism prevails.”[1] Article 2 TEU thereby acquired the status of a justiciable provision with genuine normative force, capable of constituting an autonomous ground of infringement in its own right, provided that the violation is manifest and particularly serious – a threshold the Court held to be crossed in the Hungarian case on account of the cumulative and coordinated character of the breaches of Articles 1, 7, 11, and 21 of the Charter of Fundamental Rights of European Union (CFREU).[2]
Eight days later, on the 29th, the European Parliament adopted a resolution which examined the European Commission’s 2025 Rule of Law Report, and noted that 93% of the Commission’s recommendations are repeats from previous years, with only 6% having been fully implemented; furthermore, it condemned the use of spyware as a persistent and systematic threat to the rule of law, requiring binding response mechanisms.[3]
Read together, these two instruments reveal a contradiction that is constitutionally precise. Article 2 TEU acquired, in April 2026, an operative density that goes beyond declaratory commitment. The Parliament confirmed, at that same moment, that one of the most elementary structural conditions of the rule of law – judicial independence – remains exposed to a threat that Union law has yet to address: the clandestine surveillance of members of the judiciary by spyware tools operated by the Member States themselves. The legal basis for imposing a positive obligation has just been consolidated, yet the very problem that would call for such imposition remains without an articulated legal response. This text argues that construction is already possible – and that the time has come to undertake it.
The full-spectrum instrument
The starting point is empirical. The PEGA report, adopted in March 2023, documents the use of Pegasus against judges and prosecutors in Poland, Hungary, and Spain; Predator in Greece; and FinFisher in other contexts.[4] The Report concluded that it could reasonably be assumed that all Member States had acquired or deployed one or more spyware systems, which renders the threat to the judicial function independent of the identity of the operator.[5] In Poland alone, between 2017 and 2022, the number of individuals subjected to operational surveillance authorised by the public prosecutor reached 578 – a figure not restricted to Pegasus alone; among those under surveillance were members of the public prosecution service, including a prosecutor standing as a candidate in parliamentary elections.[6] The Parliament’s resolution on the 2025 Rule of Law Report confirmed that this pattern persists, placing it explicitly on the same level as political interferences in judicial appointments and pressure exerted against investigative journalists.[7]
Spyware is a full-spectrum interception instrument. Pegasus, developed by the NSO Group, is able to infiltrate the target device in its entirety, accessing encrypted communications, microphone, camera, and deleted data.[8] This analysis uses the term “surveillance” rather than “espionage” because the relevant object here is not the act of information collection, but the structural effect that the possibility of such collection produces upon the judicial function.
Bauman and Lyon describe this transformation as the passage from the panopticon to liquid surveillance. The classical panopticon – Bentham’s prison design, theorised by Foucault – required the potential presence of an inspector to produce compliance: the inmate behaved because someone might be watching.[9] Contemporary digital surveillance has dissolved even that structure. It moves silently, without fixed architecture, without a visible watcher. The subject no longer knows whether they are being observed, or when, or by whom, or to what end – and it is precisely that not-knowing that does the work. For a judge, that internalisation does not just affect the worker, but the function itself. The juridification of its effects, proceeds not through social theory but through the case law of the courts.
The harm that leaves no trace
The chilling effect is, before a legal category, a behavioural phenomenon: confronted with the possibility of sanction or surveillance, individuals fall silent or modify their conduct, even where no sanction has yet been applied.[10] The European Court of Human Rights (ECtHR) consolidated this as an autonomous legal category in Klass and Others v. Germany: the mere existence of legislation permitting secret surveillance constituted an interference with the right protected by Article 8 of European Convention of Human Rights (ECHR), irrespective of any proof that the applicant had actually been monitored.[11] In Szabó and Vissy v. Hungary the Court held that the mere possibility of surveillance sufficed to produce inhibitory effects on the exercise of rights, without any requirement of individualised proof.[12]
The CJEU operationalised an equivalent logic in Digital Rights Ireland (joined cases C-293/12 and C-594/12): Directive 2006/24/EC (the Data Retention Directive) could generate, in the minds of users of electronic communications, the feeling that their private life is subject to constant surveillance, and that this effect alone constituted sufficient grounds for invalidity.[13] The harm derives not from the damage suffered, but rather from the uncertainty maintained.
Fajdiga and Zagorc show that the chilling effect on judges with greater institutional visibility amplifies its inhibitory efficacy disproportionately: the threat directed at a prominent judge communicates to the judiciary as a whole, without words, the cost of an autonomous decision. In a particularly striking formulation, the authors describe this condition as the transformation of guaranteed freedom into feardom – a state in which one formally possesses freedom yet lives in fear of exercising it.[14]
When the target of surveillance is a judge in the exercise of a jurisdictional function, the chilling effect ceases to be a private matter. The judge who learns, or reasonably suspects, that members of the judiciary have been subjected to surveillance deliberates under a structurally altered condition: an ambient uncertainty that can neither be proved nor contested, because the specific act that produced it remains, by definition, unknown. Bárd shows that a chilling effect of this kind strikes as the very condition of effectiveness of Union law: without judges who are genuinely free from undisclosed external pressure, the mechanism of preliminary reference and the guarantee of effective judicial protection lose their substance.[15]
The harm is not suffered by the individual judge alone. What is damaged is the jurisdictional function itself, as a constitutional guarantee of the Union’s legal order. This displacement – from the level of subjective rights to the level of constitutional architecture is the central doctrinal step of the argument. It explains why this cannot be treated as a simple matter of data protection, and why it demands a response at the level of Article 2 TEU. In A.K. and Others (joined cases C-585/18, C-624/18, and C-625/18), the Court established that the appearance of judicial independence is not a prerogative of the judge but a right of the litigant: Article 47 CFREU requires a court that those subject to its jurisdiction can perceive as genuinely free from external influence.[16] Where the structural possibility of surveillance undermines the appearance, it simultaneously and prospectively infringes the right of every litigant whose dispute is adjudicated under conditions of ambient uncertainty. The harm migrates from the private sphere of the judge to the constitutional architecture of the judicial function.
The intersection of exclusions
The case law developed since Associação Sindical dos Juízes Portugueses (C-64/16), through Repubblika (C-896/19) and Commission v. Poland (C-619/18), offers robust protection of judicial independence against normative and institutional pressure – legislative reforms affecting irremovability, alterations to appointment regimes, and instrumentalised disciplinary procedures.[17] But this body of case-law was fashioned to address what is visible. It presupposes the existence of a contestable act: a law, a decision, a norm susceptible to challenge. Clandestine surveillance produces none of these traces. What remains is an effect that dissipates before the law can capture it.
Regulation (EU) 2016/679 (GDPR), Article 2(2)(a) and (b) expressly excludes from its scope the processing of data carried out in the exercise of activities falling outside the scope of Union law; recital 16 confirms that the Regulation does not apply to activities concerning national security.[18] Nonetheless, La Quadrature du Net and Others (joined cases C-511/18, C-512/18, and C-520/18) confirmed that this exclusion is not unlimited: a Member State invoking national security cannot thereby exempt itself wholesale from the obligations of Union law, and that the CFREU continues to impose inviolable conditions on derogations.[19] The interaction of data protection, judicial independence, and the national security reservation of Article 4(2) TEU, produces an intersection of exclusions within which clandestine surveillance of the judicial function is installed. None of the three regimes was designed to address this specific type of problem, and their overlapping reproduces the gap across each of its layers.
Imposing the result
Commission v. Hungary (C-769/22) constitutes an inflection point. The CJEU held that only violations that are manifest and particularly serious are capable of giving rise to a finding of autonomous non-compliance under Article 2 TEU, but held equally that such a finding is possible, and that the threshold was crossed in the Hungarian case.[20] This benchmark, together with Commission v. Poland (C-448/23) – which confirmed that Article 2 TEU generates legally binding duties for the Member States –, enables the conclusion that Article 2 TEU is today an operative provision with dense normative content, capable of grounding positive obligations of protection.[21]
The argument put forward is both more modest and more robust than a call for Union supervision of national intelligence services. Article 2 TEU, read in conjunction with Articles 7, 8, and 47 CFREU and the second subparagraph of Article 19(1) TEU, imposes results-based obligations: Member States must ensure that their surveillance operations do not compromise the structural conditions for the exercise of the jurisdictional function. These obligations are expressed in two minimum requirements.
The first is prior review by an authority that is genuinely independent both from the executive branch and from the judicial order under scrutiny. The CJEU set out the structural content of this requirement in Prokuratuur (C-746/18), in the context of access to retained traffic data: prior review must be entrusted to a body that is a genuine third party in relation to the authority requesting access. Where the surveillance target is a member of the judiciary, the requirement is yet more stringent: proximity to either the intelligence services or the judicial order under scrutiny would reproduce, rather than resolve, the constitutional problem that the review is designed to prevent.[22]
The second is the existence of effective means of challenge and repair when surveillance is discovered, with a corresponding positive procedural obligation on the State to actively seek out corroborative evidence once the person concerned presents strong prima facie elements. This procedural obligation flows directly from Article 47 CFREU: effective judicial protection, as the Court held in A.K. and Others, is not satisfied by the formal availability of a remedy where the structural conditions for its exercise have been compromised by the very act that the remedy is meant to address.[23]
A serious objection is well known: Article 4(2) TEU reserves national security to the exclusive competence of the Member States. Taken seriously, however, this objection becomes the strongest argument in favour of the positive obligation. The reservation protects the competence of the Member States, not the arbitrary exercise of that competence. The surveillance of members of the judiciary produces direct effects in the domain of judicial independence, governed by the second subparagraph of Article 19(1) TEU. The positive obligation does not penetrate the Member States’ competence in matters of national security: it governs the exercise of that competence in a constitutionally coherent manner, imposing the result without determining the means. The Union does not appoint judges or manage national courts; yet it imposes, in a binding manner, that Member States guarantee effective judicial independence. The same reasoning applies here.
What the law already permits
Over decades, the EU has constructed a normative architecture designed to guarantee that its Member States share a genuine commitment to the rule of law. That commitment rests, ultimately, on the existence of judges who decide without fear. What the present article has sought to demonstrate is that this fundamental presupposition is today threatened by a mechanism that Union law has yet to name with precision: the clandestine surveillance of the judicial function by the very States that constitute the Union’s legal order.
The threat is all the more disturbing because it is silent. It does not manifest itself through a law, or a decree, or any act susceptible to challenge. It installs itself in uncertainty. The mere possibility – demonstrated, documented, statistically present – suffices to produce the inhibitory effect. And once the effect is produced judicial independence is no longer what it appears to be: it becomes a form of complicity with the very fragility it is meant to resist.
Union law possesses today the doctrinal instruments to respond to this threat. Article 2 TEU is operative. Article 47 CFREU is demanding. The positive obligation is constructible. What is lacking is not a legal foundation: it is the institutional will to recognise it. It is in this gap between what the law already permits and what the institutions have yet to do that the real risk lies: that judicial independence in the EU will, without anyone formally declaring it, turn into a system of feardom.
[1] Judgment CJEU Commission v. Hungary, 21 April 2026, case C-769/22, ECLI:EU:C:2026:326, para. 556.
[2] Commission v. Hungary, paras. 547, 551, 553.
[3] European Parliament, Resolution of 29 April 2026 on the Commission’s 2025 Rule of Law Report (2025/2239(INI)), P10_TA(2026)0147, recitals O, AB and paras. 60-64, 161, available at: https://www.europarl.europa.eu/doceo/document/TA-10-2026-0147_EN.html.
[4] European Parliament, Report on the use of Pegasus and equivalent surveillance and spyware, A9-0189/2023, 25 May 2023, paras. 1, 59, 72, available at: https://www.europarl.europa.eu/doceo/document/A-9-2023-0189_EN.html. See also: European Parliament, Recommendation of 15 June 2023 to the Council and the Commission following the investigation of alleged contraventions and maladministration in the application of Union law in relation to the use of Pegasus and equivalent surveillance spyware (2023/2500(RSP)), P9_TA(2023)0244, Preamble, recitals O, P, Q, R, Y, AD, para. 3, available at: https://www.europarl.europa.eu/doceo/document/TA-9-2023-0244_EN.html.
[5] European Parliament, Report on the use of Pegasus and equivalent surveillance and spyware, paras. 1, 10
[6] Poland, Sejm, Wypowiedzi na posiedzeniach Sejmu [Statements during Sejm Sessions], 10th Session, 1st day of debates, 24 April 2024, Statement No. 080, available at: https://www.sejm.gov.pl/sejm10.nsf/wypowiedz.xsp?posiedzenie=10&dzien=1&wyp=080. See also: European Parliament, Report on the use of Pegasus and equivalent surveillance and spyware, paras. 61, 72.
[7] European Parliament, resolution on the Commission’s 2025 Rule of Law Report, recitals N, O and paras. 9, 13, 59-64.
[8] John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Masashi Crete-Nishihata and Ron Deibert, “Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware,” Citizen Lab Research Report No. 93, University of Toronto, June 2017, pp. 7-10, available at https://citizenlab.ca/research/reckless-exploit-mexico-nso. See also: European Parliament, Report on the use of Pegasus and equivalent surveillance and spyware, paras. 5-6.
[9] Zygmunt Bauman and David Lyon, Liquid surveillance: a conversation (Cambridge: Polity Press, 2013), Introduction and Chapter 2, pp. 7-11, 75.
[10] Frederick Schauer, “Fear, risk and the first amendment: unravelling the chilling effect,” Boston University Law Review 58 (1978): 689, 693-695, available at: https://scholarship.law.wm.edu/facpubs/879.
[11] Judgment ECtHR Klass and Others v. Germany, Application no. 5029/71, 6 September 1978, paras. 34, 37, 41.
[12] Judgment ECtHR Szabó and Vissy v. Hungary, Application no. 37138/14, 12 January 2016, paras. 33, 38, 53-54, 73.
[13] Judgment CJEU Digital Rights Ireland, joined cases C-293/12 and C-594/12, 8 April 2014, ECLI:EU:C:2014:238, paras. 27, 33-34, 37.
[14] Mohor Fajdiga and Saša Zagorc, “Freedom or feardom of expression of judges? Exploring the chilling effect on judicial speech,” European Constitutional Law Review 19 (2023): 267-269, available at: https://doi.org/10.1017/S1574019623000093.
[15] Petra Bárd, “In courts we trust, or should we? Judicial independence as the precondition for the effectiveness of EU Law,” European Law Journal 27 (2022): 194-197, 206, available at: https://doi.org/10.1111/eulj.12425.
[16] Judgment CJEU A.K. and Others, joined cases C-585/18, C-624/18 and C-625/18, 19 November 2019, ECLI:EU:C:2019:982, paras. 123, 127-128, 153.
[17] Judgments CJEU, Associação Sindical dos Juízes Portugueses, case C-64/16, 27 February 2018, ECLI:EU:C:2018:117, paras. 31, 41-42, 44-45; Repubblika, case C-896/19, 20 April 2021, ECLI: EU:C:2021:311, para 26; Commission v. Poland, case C-619/18, 24 June 2019, ECLI:EU:C:2019:531, paras. 53-57, 63-65.
[18] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), OJ L 119, 4 May 2016, p. 1, recital. 16, Article 2(2)(a)-(b).
[19] Judgment CJEU La Quadrature du Net and Others, joined cases C-511/18, C-512/18 and C-520/18, 6 October 2020, ECLI:EU:C:2020:791, paras 99-100.
[20] CJEU Commission v. Hungary, C-769/22, para. 551.
[21] Judgment CJEU Commission v. Poland, case C-448/23, 18 December 2025, ECLI:EU:C:2025:975, paras. 102, 103, 105, 108.
[22] Judgement CJEU Prokuratuur, case C-746/18, 2 March 2021, ECLI:EU:C:2021:152, paras. 51-55.
[23] CJEU A.K. and Others, paras. 123, 127–128, 153, 167.
Picture credit: by KATRIN BOLOVTSOVA on pexels.com.
Official Blog of UNIO 