EU’s privacy watchdog, EDPS, wants more protection for journalists and media, especially against “military-grade spyware”. It welcomes the proposed EU Media Freedom Act but says measures to protect journalists, their sources, and media service providers may not be effective in practice.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies/
The EDPS says the Act should “further define and restrict the possibility to waive the protection of journalistic sources and communications, particularly the exceptions related to the prohibition of intercepting communications using spyware or other forms of surveillance of media service providers.”
“I am concerned that the proposed measures envisaged to prevent the deployment of highly advanced military-grade spyware, such as “Pegasus”, “Predator” or similar, are not sufficient to effectively protect the EU’s fundamental rights and freedoms, including media freedom”, says EDPS head Wojciech Wiewiórowsk.
“Exceptions to develop or deploy this type of spyware should be extremely limited and defined with great precision, as well as being complemented by robust data protection safeguards, such as those suggested in the EDPS Preliminary remarks on modern spyware.”
The EDPS also recommends that the proposed Media Freedom Act includes measures guaranteeing the independence of EU Member States’ authorities and bodies tasked with reviewing breaches of the protection of journalistic sources and communications.
“In addition, an explicit legal basis for cooperation between the relevant EU supervisory authorities, including EU data protection authorities, according to their respective competences, should be included in the proposed Regulation.”
“While understanding and supporting the obligation included in the proposed Regulation to make some media service providers’ personal data publicly available to achieve transparency and for matters of public interest, the EDPS points out the potential interference with the fundamental rights to privacy and data protection that publishing this information may entail.”
“Therefore, the EDPS recommends listing explicitly in the proposed Regulation the public interest purposes for which certain information will be made public, as well as the categories of personal data to be made public in light of these purposes.”