Spyware is only the tip of the iceberg: we need to protect journalists from all forms of surveillance
The EDRi network published amendments and recommendations for the European Media Freedom Act (EMFA) proposal calling for comprehensive protection for journalists, journalistic sources and human defenders against surveillance measures.
The recent Pegasus and #CatalanGate scandals have shown the huge risks for fundamental rights and democracy at stake when people’s devices and communications are compromised without a legitimate and lawful reason, especially so for journalists. In Hungary, for example, forensic analysis done by Amnesty International showed that Victor Orban’s government infected with the Pegasus spyware the phones of two journalists part of the investigative outlet Direkt36, including Szabolcs Panyi, a well-known reporter with a wide range of sources in diplomatic and national security circles.
These scandals have shown how the surveillance tech industry provides malicious actors and authoritarian regimes with tools of control on a silver plate.. That’s why it’s vital to address these points in the European Media Freedom Act (EMFA). The EDRi network has worked on a set of amendments to the European Commission’s EMFA proposal to ensure that adequate safeguards are introduced to protect journalists against surveillance.
Why should the EMFA protect journalists beyond spyware attacks?
In the context of the “new push for European Union Democracy”, the European Commission released in September 2022 its legislative proposal for a European Media Freedom Act (EMFA), which seeks to protect journalists and media services providers through the introduction of safeguards against their targeting by Member States governments with so-called spyware.
EDRi welcomes the Commission’s attempt to regulate the surveillance powers of states against journalists and journalistic sources. The abuse of power by governments, intelligence services and law enforcement agencies in the EU, illustrated by the Pegasus and Predator spyware cases and well documented in the upcoming report of the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA), highlights the importance to have strong, common European measures to protect journalists, journalistic sources and human rights defenders.
The mere risk of being targeted with spyware, or any other surveillance tool such as wiretapping, geo-localisation tracking or phishing,endangers the function of the media as “public watchdogs” in a democratic society due to the chilling effect this may have on their freedom of expression and their contribution to the public debate. Surveillance has therefore an acute impact on democracy and the rule of law. In addition, its chilling effect disproportionately impacts women and gender-diverse journalists, who are exposed in several manners to online gender-based violence such as cyber-stalking, targeted harassment, and defamation, among others.
EDRi supports the need to include in the scope of the EMFA strong protections for digital rights and digital security in order to guarantee journalists’ right to privacy, the protection of their sources, their work and the confidentiality of their private communications. In order to turn the EMFA into a human rights-centered regulation, EDRi suggests introducing clear red lines to shield material protected by professional secrecy from surveillance and access as well as requirements of necessity, proportionality and other essential procedural safeguards in the text.
Why is the current EMFA proposal not good enough to ensure journalists’ protection?
In its current version, the proposal risks legalising routine deployment of spyware and other repressive measures involving or not surveillance technologies against journalists. This is due to the large broad and undefined scope of safeguarding “national security”, an area of exclusive competence of the Member States. Yet, it has been demonstrated how Member States have abused this notion of national security to impose mass surveillance or other exceptional repressive measures, not just in pursuit of fighting terrorism, but also for social and political control. It is therefore not acceptable that EU law endorses the “ground of national security” to justify the use of spyware against journalists. This exception counteracts the desired effect to protect journalists.
This Regulation should lay out the EU’s clear stance against privacy-invasive surveillance tools and their disproportionate impact on media freedoms. In our European democracies, intercepting privileged material should not be legal because of the risks to fundamental rights.
As argued by the European Data Protection Supervisor (EDPS) in its preliminary remarks on modern spyware, spyware are excessively intrusive and are likely affecting the very essence of the fundamental right to privacy. EDRi will insist on calling for an EU-wide ban on spyware in order to protect everyone, including journalists. The Commission should therefore complement the EMFA by proposing a new EU legislation prohibiting spyware development, trade-in and use by EU Member States.
Finally, it is crucial to include proactive measures to ensure meaningful protections for journalists in digital contexts. This regulation is a unique opportunity to promote anonymity, privacy-enhancing and digital security tools with the aim to ensure that journalists can work safely despite continuous threats of electronic surveillance. In light of this, we suggest a specific obligation for Member States to ensure the protection and promotion of confidentiality of communications and end-to-end encrypted services.
EDRi stays at the disposal of the Members of the European Parliament and other stakeholders to work together towards improving this important legislation based on a truly human rights-centred and democratic approach.