The unregulated and growing market for spyware poses an increasing risk to privacy, an EU regulator warns.

Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), argues that the trade in covert monitoring technology is not covered by existing European legislation and now he's calling for new policies to be formulated.

Left unregulated, the trade in commercial spyware threatens both privacy and data protection rights, he says.

Surveillance tools can be instruments for legitimate use by law enforcement, according to Buttarelli. However, they can also be used to circumvent security measures in communications and data processing for both businesses and consumers. Privacy concerns in the area are only going to grow as more and more devices are plugged into the Internet of Things.

The EDPS is calling (pdf) for a coordinated approach to tackle these risks. In many non-EU countries, the standards of data protection may be lower than those in Europe. This leaves EU citizens – for example journalists – vulnerable to being monitored in non-EU countries.

The trade and use of surveillance software in the private sector must be regulated more closely since there is a lack of legal safeguards in many countries. The EU regulator defines dual-use spyware as technologies that can be used for both military and civilian (often commercial) purposes.

The EDPS says the complex challenges this poses for law enforcement agencies must not be an excuse for the disproportionate processing of personal data that these surveillance tools allow. Buttarelli asks that law enforcement agencies be more transparent and accountable in their use of such software so that the individual's right to self-determination is not infringed.

Complying with data protection laws is as much an obligation as compliance with other relevant regulations such as export, according to Buttarelli. He adds that the legality of surveillance technologies is too frequently a grey area.

The fall of governments in Egypt and Libya during the Arab Spring from 2010 onwards lifted the lid on the previously cloaked trade in commercial spyware to governments with poor human rights records.

This threw firms such as Gamma International into the spotlight. The later dump of data following an extensive hack of Hacking Team only increased the level of scrutiny.

In response, the US government put forward amendments to the Wassenaar Arrangement, an export control treaty, to cover hacking tools. The proposed changes produced a swift backlash from security researchers, who warned that the rules were overly broad and threatened to derail security research. The US has since promised a re-think.

Buttarelli wants to tighten up the regulation in this market and to clarify the criteria for legal trading, export and usage, for instance by security researchers.

The office of the EDPS describes itself as an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies, or more poetically, the European guardian of data protection. ®