Tue. Dec 6th, 2022
hacker, cybercrime, security
EDPS puts spyware under scrutiny. Photo by TheDigitalArtist on Pixabay

14 November 2022

In its Opinion published today, the EDPS welcomes the objectives pursued in the proposed EU Media Freedom Act to protect media freedom, independence and pluralism across the EU. Media freedom is a precondition for the functioning of media services in the EU’s internal market and, more importantly, a key enabler for the rule of law and democratic accountability in the EU.

Nevertheless, the EDPS is concerned that the measures envisaged to protect journalists, their sources, and media service providers included in the proposed EU Media Freedom Act may not be effective in practice. In this respect, the EDPS’ recommendations are twofold. Firstly, to clarify that any journalist would benefit from the protection offered by the proposed Media Freedom Act. Secondly, to further define and restrict the possibility to waive the protection of journalistic sources and communications, particularly the exceptions related to the prohibition of intercepting communications using spyware or other forms of surveillance of media service providers.

Wojciech Wiewiórowski, EDPS, said:

“While I fully support the objective of the Proposal, which aims to guarantee media freedom and pluralism, I am concerned that the proposed measures envisaged to prevent the deployment of highly advanced military-grade spyware, such as “Pegasus”, “Predator” or similar, are not sufficient to effectively protect the EU’s fundamental rights and freedoms, including media freedom. Exceptions to develop or deploy this type of spyware should be extremely limited and defined with great precision, as well as being complemented by robust data protection safeguards, such as those suggested in the EDPS Preliminary remarks on modern spyware.”

The EDPS also recommends that the proposed Media Freedom Act includes measures guaranteeing the independence of EU Member States’ authorities and bodies tasked with reviewing breaches of the protection of journalistic sources and communications. In addition, an explicit legal basis for cooperation between the relevant EU supervisory authorities, including EU data protection authorities, according to their respective competences, should be included in the proposed Regulation.

While understanding and supporting the obligation included in the proposed Regulation to make some media service providers’ personal data publicly available to achieve transparency and for matters of public interest, the EDPS points out the potential interference with the fundamental rights to privacy and data protection that publishing this information may entail. Therefore, the EDPS recommends listing explicitly in the proposed Regulation the public interest purposes for which certain information will be made public, as well as the categories of personal data to be made public in light of these purposes.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.

The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.

Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.

The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.

GDPR Cookie Consent with Real Cookie Banner