MIL-OSI Europe: Answer to a written question – Paragon spyware scandal and the surveillance of European journalists and civil society organisations – P-000589/2025(ASW)

The Commission is aware of the recent reports on the use of Paragon. Its position on the use of spyware is clear: any attempts to illegally access citizens data, including journalists and political opponents, is unacceptable, if confirmed.

The Commission closely followed the Committee of Inquiry to investigate the use of the Pegasus and equivalent surveillance spyware (PEGA).

Based on the PEGA report and recommendations, as well as its own fact-gathering exercise, the Commission will decide on the most appropriate way forward.

The data protection and privacy acquis offers comprehensive protection to the confidentiality of communications and users’ personal data.

EU data protection law is applicable to the processing of personal data by private entities, even where such processing is required for national security purposes.

Under the ePrivacy Directive[1], the interception or surveillance of communications is prohibited without the consent of the user. While restrictions are permitted for important public objectives, they are subject to conditions and safeguards.

The Law Enforcement Directive[2] is also applicable when competent authorities process personal data for law enforcement purposes. Supervisory authorities also have effective powers to examine any allegations of misuse, and data processed can also be subject to judicial review.

On 8 August 2025, Article 4(3)(c) of the European Media Freedom Act (EMFA)[3] will become applicable. This and other safeguards in EMFA should ensure free and independent media across the EU and protect them against interference. The Commission will use all the tools at its disposal to ensure effective compliance with this provision.

• [1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37.
• [2] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
  OJ L 119, 4.
• [3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1083