LIBE Committee’s opinion fails to include a total ban on the use of spyware in the European Media Freedom Act

EU Parliament's LIBE committee voted on its position on the European Media Freedom Act (EMFA) and failed to call for a total ban on the use of spyware against journalists.

By EDRi · July 20, 2023

On 18 July, the Civil Liberties, Justice and Home Affairs Committee (LIBE) of the European Parliament voted in favour of its position on the European Media Freedom Act (EMFA), which deals with the protection of journalistic sources and material. Disappointingly, their position will permit the deployment of spyware against journalists under certain and restricted circumstances which entails serious concerns on journalists’ security and the protection of their work. It could lead to state authorities accessing confidential and sensitive information and breaches of media freedoms.

Recognising this risk, together with 35 civil society, journalists and media organisations, EDRi wrote to Members of Parliament (MEPs) in the LIBE committee, demanding a complete ban on the use of spyware against journalists.

How did we get here?

Due to recent scandals of spyware such as Pegasus and Predator being used to spy on politicians, journalists and human rights defenders, the European Commission’s EMFA proposal included specific protections for journalists and journalistic sources from surveillance.

In its text, the Commission rightly highlighted the vital ‘public watchdog’ role that journalists play in democracies but did not go far enough in the safeguards proposed. EDRi has advocated for protecting journalists not only against spyware but also other forms of surveillance technologies. We also called for the inclusion of more fundamental rights safeguards, and the absolute ban of spyware deployment against journalists.

The use of spyware must be prohibited as it gives access to all communications, photos, contacts and online behaviour data – without the victim knowing. In its preliminary remarks on modern spyware, the European Data Protection Supervisor (EDPS) said that this type of interference is liable to violate the very essence of the right to privacy. Likewise, the former U.N. Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, came forward to call for a ban, stating: “No government should have such a tool, and no private company should be able to sell such a tool to governments or others.”

Source confidentiality and protection, and consequently, access to quality journalism are deeply important to the health of our democracies, which would be jeopardised by the use of spyware against journalists. A bold response from the EU is urgently needed.

Towards the legalisation and legitimisation of Spyware?

In its mandate for negotiations, the Council of the European Union, representing Member States, reduced the scope of protection for journalists by widening the “national security exception” originally introduced by the Commission. Furthermore, the Council enlarged the list of crimes that justifies the use of spyware. They also failed to include safeguards related to the protection of journalistic sources developed in the jurisprudence of the European Court of Human Rights (ECtHR) and privacy requirements from Court of Justice of the European Union case law.

EDRi and 79 journalists and press freedom, civil society, trade unions, digital rights and publishers and broadcasters organisations have called the Council to revise its position and warned it against the risks for fundamental rights its proposal entails.

The LIBE Committee received the exclusive competence on Article 4 which regulates the different interferences with media service providers’ rights and freedoms. In its final compromise amendments, more fundamental rights safeguards are included:

  • There is an absolute prohibition to coerce “media services providers and their employees [into disclosing] any information related to the editorial processing or to disseminate this information, including on their sources”.
  • A prohibition to access journalists’ “encrypted content data” was added to the list of repressive measures in scope. This is a valuable addition as this access is nowadays enabled mainly through data extraction technologies (such as Cellebrite UFED) that exploit system vulnerabilities, grant authorities uncontrolled access to all data stored on the device and thus, resemble the level of intrusiveness of spyware.
  • The list of persons protected includes media service providers, their families, and their employees and their family members or, if applicable, any other subject belonging to their professional or private network of relationships, including occasional contacts.
  • The deployment of spyware will be only permitted as a “last resort”. The LIBE Committee restated the principle of necessity, requiring that the least intrusive measures to achieve a legitimate objective should be considered first by authorities before envisaging the deployment of more privacy-invasive tools such as spyware.
  • Any repressive measures under Article 4 (detention, sanction, search and seizure, access to encrypted data, use of surveillance technologies, spyware, etc.) cannot be used for reasons related to the professional activity of the media service provider or their employees. It means that police authorities can solely use such measures when the crime they investigate does not relate to the professional status of the targeted person. They require an ex-ante authorisation by an independent and impartial judicial authority, alongside ex-post scrutiny, and transparency on how many requests are approved and rejected for the disposal of such measures, among other safeguards.

These safeguards are important but not enough.

Firstly, the spyware cases in the EU showed that Member States can easily circumvent their own legal limitations and illegally deploy very intrusive surveillance methods without any control or oversight. However, the LIBE text relies on the assumption that law enforcement authorities and intelligence services will strictly follow these guidelines and apply the “last resort” criterion. Similarly, the text expects authorities to refrain from retrieving journalistic material while using one of the investigative or repressive methods. However, in case of hacking, this is not only technically unfeasible, but also unlikely. The PEGA Committee has extensively documented how authorities abuse their surveillance powers once they have the tools at their disposal.

The European Parliament is proposing safeguards against spyware abuses that work in theory. Sadly the practice tells us something different. In France, the intelligence oversight committee had a hard time preventing unlawful surveillance of activists and trade unionists, while Romanian judicial authorities largely trust their intelligence bodies when granting authorisation to surveillance operations. The only solution is a unequivocal ban.

Chloé Berthélémy, Senior Policy Advisor

Secondly, in some Member States, there is currently no legal basis to use spyware technologies both against the general population and journalists. Thus, EMFA may effectively create a European legal basis for the use of these technologies in those countries.

Thirdly, the European debates on EMFA must account for the political context at the national level: some Member States have extended the powers of their intelligence agencies in the past years while others are adopting worrying legislation. Take France  for example, which wants to legalise the remote activation of electronic devices – a functionality offered by Pegasus and other modern spyware. EMFA could have a ripple effect on national legislations, giving them the legitimacy of EU law to use of intrusive surveillance technologies.

Finally, the partial legalisation of spyware use could have unintended consequences on the surveillance industry, opening new market opportunities to developers and vendors. This counteracts all United Nations efforts to stop the development of this unaccountable market and to introduce a moratorium on the trade and transfer of such technologies.

LIBE Committee failed to send a strong political message by not calling for a ban on the use of spyware against journalists. In light of the recent events involving the use of Pegasus spyware, journalists deserve special protection without any loopholes and carve-outs

Sebastian Becker, Policy Advisor

What’s next?

The discussion continues in the Parliament. Now, the Culture and Education Committee (CULT), which is the lead Committee on the file, will adopt its own position at the beginning of September. Their position will intergrate that of the LIBE committee. Once the draft report is ready, there is a chance that the text will through a plenary vote in October, allowing political groups to table amendments. That would be another opportunity to push for the introduction of a ban on the deployment of spyware without exception, before the Parliament enters into negotiations with the Council in the inter-institutional negotiation. Expectations of the outcomes from the trilogues are low, given the Council’s position. Usually, the opaque deliberative process leads to the weakening of safeguarding provisions and accountability mechanisms.

EDRi will continue to call for a total ban on the use of spyware to make sure that journalists can work in a safe and secure digital environment

Chloé Berthélémy

Chloé Berthélémy

Senior Policy Advisor

@ChloBemy

Sebastian Becker Castellaro

Policy Advisor

@sebabecks