Whether you like it or not, artificial intelligence is reshaping society. #CatalanGate stands as a stark reminder of what happens when that power runs unchecked.
In April 2022, researchers from the University of Toronto’s Citizen Lab uncovered Europe’s largest documented mercenary spyware operation: Pegasus (from Israel’s NSO Group) and Candiru tools secretly infected devices of at least 65 Catalan independence advocates between 2017 and 2020. Targets included politicians, journalists, lawyers, activists, and their families.
Ron Deibert, Citizen Lab’s director, labeled it a flat-out “crisis of democracy“. He highlighted that these tools, marketed for fighting crime, were instead weaponized against ordinary democratic voices in an EU member state.
The fallout persists in 2026: lingering fear, self-censorship, and eroded trust. Spyware has grown stealthier, often leveraging AI for zero-click exploits and relational targeting.
The EU AI Act promises Europe’s citizens protection from abusive surveillance tech. But after years of loopholes and weak enforcement, the real question burns: will Europe finally bite back, or are we sleepwalking into the next, even darker #CatalanGate?
The Devastating Human and Democratic Cost of the #CatalanGate Spyware Scandal
The operation, dubbed #CatalanGate, relied on zero-click exploits (attacks requiring no user action, such as fake iMessage alerts) to access texts, calls, photos, and locations. Spanish authorities have admitted to court-authorized surveillance of 18 targets for national security, but denied wider unauthorized use. Circumstantial evidence points to state involvement, though Madrid maintains it acted lawfully.
Victims report lasting effects: self-censorship among journalists, eroded client trust for lawyers, and paranoia from “relational targeting,” where associates’ devices were compromised via behavioral analysis. AI advancements have made such tools stealthier, enabling automated network mapping without human intervention.
Key confirmed targets include:
- Political Figures: Former Catalan Presidents Carles Puigdemont, Pere Aragonès, Quim Torra, Artur Mas.
- MEPs and Legislators: Jordi Solé and others from pro-independence parties.
- Civil Society: Activists from ANC and Òmnium Cultural; journalists, lawyers, tech entrepreneurs.
- Families & Networks: Spouses (e.g., Marcela Topor, Puigdemont’s wife) and aides targeted multiple times.
These intrusions have chilled civic participation, with some victims citing long-term psychological impacts.
Wider Implications: Why Catalonia Is Not an Isolated Case in Europe’s Spyware Abuses
Investigations into #CatalanGate continue to unfold slowly, revealing a pattern of delayed justice and international obstructions. Here’s a clearer breakdown of key developments:
- 2023: UN experts demanded that “Spanish authorities must conduct a full, fair, and effective investigation into these allegations, publish the findings and stop any unlawful interference into the fundamental rights of the Catalan minority activists in Spain.”
- March 2025: A Barcelona court indicted three former NSO Group executives in connection with the spyware’s misuse, marking a step toward personal accountability.
- May 2025: Former Catalan President Artur Mas filed a criminal complaint linking #CatalanGate to “Operació Catalunya,” an alleged state-orchestrated smear campaign against pro-independence figures.
- September 2025: Building on these efforts, a Barcelona court launched a broader probe into Pegasus developers, former Spanish intelligence officials from the CNI, and Civil Guard members, triggered by a complaint from Catalan businesspeople.
- January 2026: Spain’s High Court shelved its inquiry into Pegasus infections on Prime Minister Pedro Sánchez’s phone, citing Israel’s repeated lack of cooperation. This reflects a frustrating, recurring obstacle in global spyware cases.
The UN has repeatedly criticized Spain for human rights shortcomings in handling these matters, while groups like the European Digital Rights (EDRi) network and the EU’s PEGA Committee push for a comprehensive EU-wide ban on such spyware.
Similar scandals have emerged in Poland, Greece, and Hungary, where spyware targeted opposition leaders and journalists, fueling concerns over the erosion of democratic norms across the EU. In Spain, #CatalanGate has deepened tensions between Madrid and Barcelona, reigniting debates on Catalan independence.
NSO Group, for its part, insists its tools are sold only to vetted governments for legitimate purposes, though critics argue weak export controls enable misuse.
AI Regulation: A Test for Europe
#CatalanGate underscores the urgent need for robust spyware oversight, as victims navigate courts riddled with loopholes that allow abuses to persist. Artur Mas’s May 2025 complaint exemplifies this ongoing fight for accountability, connecting directly to broader EU reforms and highlighting the AI Act’s full rollout on 2 August 2026.
This Act bans high-risk spyware tactics, such as biometric categorization and emotion recognition, while mandating rigorous assessments, audits, and redress mechanisms to prevent misuse. However, enforcement hurdles remain. Critics highlight export rule gaps that permit EU-prohibited tools to fuel repression abroad.
As of early February 2026, the European Commission is set to release guidelines on high-risk classifications, though delays in certain provisions (extending to 2027 for some systems) have sparked pushback from industry.
From #CatalanGate to AI Sovereignty
Four years on, #CatalanGate serves as a cautionary tale for unchecked surveillance. Strong AI Act implementation could deter future breaches, but without cross-border cooperation and stricter enforcement, risks remain. As one UN expert noted in 2023, thorough probes are essential to rebuild trust.
For now, the victims of #CatalanGate continue legal battles, signaling that accountability efforts are far from over.
For Europe to achieve AI sovereignty, leading innovation free from foreign dependencies, it must robustly regulate threats like Pegasus, enforce the AI Act, and foster ethical alternatives. The Act begins this, but only strong implementation turns warnings into safeguards.
Author: Grace Sharp
See Also:
The EU’s Sovereign AI Push: Claiming Tech Independence
Will the EU’s AI Act Cripple Europe’s Innovation Edge?
Biggest AI Surveillance Scandals Threatening Europe’s Privacy in 2026
