Source: European Parliament
The Commission is aware of the recent reports on the use of Paragon. Its position on the use of spyware is very clear: any attempts to illegally access data of citizens, including journalists and political opponents, is unacceptable, if confirmed.
The data protection and privacy acquis offers comprehensive protection to the confidentiality of communications and users’ personal data and terminal equipment. EU data protection law is applicable to the processing of personal data by private entities, even where such processing is required for national security purposes.
Under the ePrivacy Directive[1], the interception or surveillance of communications is prohibited without the consent of the user. While restrictions are permitted for important public objectives, they are subject to strict conditions and safeguards.
The Law Enforcement Directive[2] is also applicable when competent authorities process personal data for law enforcement purposes. Supervisory authorities have effective powers to examine any allegations of misuse, and data processed can be subject to judicial review.
As regards the protection of journalistic sources and confidential information, the Commission recalls that Article 4(3)(c) of the European Media Freedom Act[3] (EMFA) will become applicable as of 8 August 2025.
The application of this and other safeguards in EMFA will ensure free and independent media across the EU and protect them against interference. The Commission will use all tools at its disposal to ensure the effective application of EU law.
- [1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37.
- [2] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.
- [3] Regulation (EU) 2024/1083: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1083. The provision stipulates that ‘Member States shall ensure that journalistic sources and confidential communications are effectively protected’ and that, subject to a strictly limited derogation, ‘Member States shall not deploy intrusive surveillance software on any material, digital device, machine or tool used by media service providers, their editorial staff or any persons who, because of their regular or professional relationship with a media service provider or its editorial staff, might have information related to or capable of identifying journalistic sources or confidential communications’.