Data Rights' intervention, 17/11/2025
Data Rights is a young non-profit organisation focussed on the European Union. We are a team of people passionate about how traditional human rights translate into the digital world.
Our work focuses in particular on two key areas. One of our work streams revolves around turning into reality the right of individuals not to be locked into large digital platforms when they use digital tools. Our second priority is to address violations of human rights caused by the use of military-grade technologies such as spyware, biometric systems, and artificial intelligence. This second priority is the one relevant for today’s session. It may be relevant for the audience to know that several members of Data Rights were directly involved in the landmark La Quadrature du Net ruling of 2020 (DR's press release). This decision clarified that when states invoke national security, they cannot override the requirements and fundamental rights stemming from EU law, thereby significantly narrowing the freedom granted to states under the banner of national security.
The PEGA Coalition was founded by leading digital rights non-profit organisations from countries investigated by the European Parliament’s PEGA Committee, namely Greece, Hungary, Poland, and Spain. The founding members of the coalition are Iridia (Spain), the Hungarian Civil Liberties Union – HCLU (Hungary), Data Rights (Europe-wide), Panoptykon (Poland), and Homo Digitalis (Greece). The coalition was later joined by Gesellschaft für Freiheitsrechte – GFF (Germany) and the Share Foundation (Serbia).
The primary aims of the coalition are strategic litigation and advocacy. Through the work of its members, the coalition supports legal cases involving individuals who have been targeted with spyware, including many journalists.
From a litigation perspective,
I) What Is Improved by the EMFA?
From a litigation standpoint, the European Media Freedom Act (EMFA) introduces several improvements on paper. First, it includes a clear requirement that spyware may only be used when no other investigative means are available. However, based on the cases we observe through the PEGA Coalition, states that use military-grade spyware against journalists tend to be highly corrupt, showing little regard for human rights rules or accountability. In practice, this significantly weakens the value of such safeguards.
The EMFA also adds new procedural steps, which should in theory strengthen the accountability trail and make litigation easier. Yet again, when journalists are targeted, power is often concentrated in the hands of individuals who do not respect EU fundamental rights. Whether these procedural safeguards will function effectively in real life therefore remains uncertain. Overall, states that currently deploy powerful spyware against journalists already do not comply with the law. In this context, the possibility for the EU to restrict or suspend EU funds would likely serve as a much stronger deterrent.
The EMFA further introduces the concept of an overriding public interest, requiring balancing tests that could, in theory, lead to a decision not to conduct surveillance even when national security or law enforcement grounds are invoked. But once again, when states rely on military-grade spyware, they are often operating in systems marked by corruption. Whether such states will genuinely apply these balancing tests is highly questionable.
The regulation also requires either prior judicial authorisation or oversight by a new independent authority. However, as highlighted by Anna Buchta, Head of the Policy Unit at the European Data Protection Supervisor (EDPS), during a CPDP conference on spyware, Polish judges have expressed that they felt “instrumentalised” because they were unaware of just how intrusive the surveillance tools they authorised actually were. Similarly, French press-law attorney Bigot has stated that prior judicial authorisation represents merely a “change on paper,” since in France, during preliminary investigations, searches of journalists’ or editorial offices are almost always approved by judges. Reliance on a truly independent authority—such as a journalist association, a private oversight body, or privacy advocacy groups—could therefore be a more meaningful safeguard.
Another important development is that the EMFA explicitly links journalistic activity with economic rights. This could make EU courts more inclined to intervene and to strictly scrutinise the use of exemptions by states, particularly those based on national security or the fight against crime. However, this potential protection is conditional on cases actually reaching EU courts—something that is currently almost impossible due to the lack of notification to targeted individuals.
Overall, from a litigation angle, the potential impact of the EMFA remains very limited.
II) What Is Worse With the EMFA
Aside from the concerns already mentioned, one of the most problematic elements of the EMFA lies in Article 4(5)(b), which provides explicit legal bases for the use of surveillance and grants very broad discretion to states.
First, the provision links the use of spyware to a list of types of crimes that can justify its deployment. These legal bases are defined extremely broadly. For instance, they include areas such as intellectual property rights, meaning that even product piracy could, in theory, justify the use of spyware. This significantly lowers the threshold for such an intrusive measure.
In France, for example, authorities often rely on the very broad notion of organised crime, particularly the offence of “association de malfaiteurs” (criminal conspiracy). This charge has already been used in cases involving journalists. The practical effect of these broad legal bases is that the EMFA risks actively legalising the use of spyware against journalists, rather than restricting it.
Second, Article 4(5)(b) introduces discretion based on the level of criminal sanctions, by allowing spyware to be used for offences punishable by at least five years of imprisonment. This creates further room for abuse, as it gives states wide freedom to define which situations qualify for surveillance. A striking example is abortion criminalisation in Poland, where related offences can be punished by up to eight years in prison. Under the EMFA logic, a journalist documenting the experiences of women seeking abortions in Poland could therefore fall within the scope of spyware surveillance—whereas this might not have been legally possible in the past.
This does not only endanger journalists. It also places their sources at direct risk, since women who speak openly to journalists could become indirect targets of surveillance. The resulting chilling effect on both journalism and source protection would be severe.
III) What Does Not Change With the EMFA
The requirement for proportionality formally remains in place. While this is positive, it merely repeats what is already guaranteed under the EU Charter of Fundamental Rights. In other words, the EMFA does not add any new, concrete protection on this point.
A major issue that also remains unresolved concerns notifications, a right that was clearly established through the 2020 La Quadrature du Net (LQDN) ruling. According to that judgment (paras. 190–191), individuals must be informed that they were subject to surveillance once they are no longer considered a threat. Yet, in the spyware cases supported by the PEGA Coalition, authorities systematically failed to notify journalists, even though they were legally required to do so. As a result, journalists are unable to verify the legality of the surveillance they were subjected to.
This places the EMFA in a kind of legal vacuum: a fundamental condition for exercising the right to a defence—the right to be informed—is consistently violated in practice. This makes the protection of rights extremely fragile, as it depends on foreign third parties to inform journalists. Moreover, courts generally do not consider notifications by private actors as strong legal evidence. The current situation, in which journalists (as well as lawyers, activists, and researchers) cannot rely on states to respect their obligation to inform individuals, is therefore unsustainable from a human rights perspective. It is also deeply unacceptable that targets currently depend on US companies and the technical capacity of a university lab in Canada to discover their surveillance—while EU law formally requires that they be informed by the state.
This failure to notify is not theoretical. It has occurred, for example, in Hungary and Spain, where individuals were never informed, despite clear legal obligations to do so. This raises a fundamental question:
If journalists never have the opportunity to challenge how they were treated, how can their rights meaningfully exist at all?
The situation could worsen even further. There is already discussion in Italy about passing laws that would prevent companies from notifying individuals of surveillance. Such developments would entirely neuter any possibility of legal challenge.
Finally, the EMFA reiterates rights of access to data, but these rights are already very poorly protected in practice. A clear example is the case of Van der Linde, involving the Dutch police and Europol. In all instances, law enforcement either denied full access to the data or deleted the data before replying, emitting that data had been deleted before answers were provided. Courts later found systemic failures in how access rights were handled by national police, and for Europol, the EDPS concluded that it had violated the activist’s rights by deleting his data without more explanation.
This leads to a fundamental conclusion: we must fix the basic enforcement of human rights first, before introducing new protections that depend entirely on those same, currently failing, fundamentals.
Closing remarks
The EMFA may make it slightly harder for states to rely purely on national security as a justification for using spyware, but at the same time it makes it easier to rely on a wide range of other criminal grounds. While the regulation attempts to introduce what appear to be safeguards for journalists, these remain largely theoretical in practice. By explicitly defining the situations in which spyware may be used against journalists, and by leaving broad discretion to states over which crimes justify such use, the EMFA in reality exposes journalists to legally sanctioned spyware deployment.
Because of the complex web of conditions and exemptions created by the EMFA, a journalist who is targeted may now face an even greater burden in financing a case and succeeding in court than before.
Finally, as long as there is still no effective notification and no real access to files, and as long as these core failures remain unaddressed, the EMFA does not fundamentally change the reality on the ground for journalists who are subjected to surveillance.