phone
Image: Samuel Angor / Unsplash

EU law to protect journalists from spyware takes effect

A landmark law meant to protect journalists in the European Union from spyware and other forms of surveillance came into effect Friday, but critics at press freedoms groups say the measure could ultimately prove toothless.

EU countries have done little to “align domestic legislation with the rules outlined by the EMFA (the European Media Freedoms Act), despite having had more than one year to do so,” a coalition of press freedom groups said in a joint statement, referring to EMFA’s adoption in March 2024. 

“Regrettably, we are deeply concerned that many national governments are neither prepared nor politically willing to make the required legislative changes,” the statement said. “This lack of commitment poses a serious risk to the EMFA’s effectiveness.”

Even if member states were ready to enforce EMFA, critics have long warned that changes made after it was first proposed to much fanfare in 2022 have considerably weakened its surveillance protections. 

EMFA, which also includes provisions covering editorial independence and transparency in media ownership, originally prohibited EU countries from deploying spyware against members of the media or their families other than in cases where the snooping could be determined necessary as a matter of national security.

In June 2023, however, the European Council watered down EMFA’s spyware provisions by allowing EU countries more leeway to deploy commercial surveillance tools against journalists. 

The amendments introduced included language which emphasized that the law does not take away member states' “power to safeguard other essential state functions, including ensuring the territorial integrity of the state and maintaining law and order.”

At the time, civil society groups said the changes would effectively neuter the European Court of Justice by making it impossible for it to rule against member states accused of targeting journalists with spyware.

The weakened surveillance provisions come into force at a moment when Europe has been rocked by a series of spyware cases.

In addition to prior incidents of phone hacking against journalists in Spain, Greece and Hungary, the Italian government is now under scrutiny for its use of Paragon spyware. 

Phones belonging to several Italian journalists — including Francesco Cancellato, who edits a publication which exposed ties between Prime Minister Girorgia Meloni and young fascists — have been found to have been targeted with spyware in recent months.

Cancellato was among some 90 people whom WhatsApp warned about the targeting in January. 

Meloni’s government has since admitted to deploying Paragon against activists working on behalf of migrants, but has steadfastly denied involvement in the journalists’ cases.

Paragon subsequently revealed that the Italian government refused to allow it to independently verify that it had not spied on Cancellato, leading the spyware manufacturer to cut ties with Italy.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
Recorded Future
No previous article
No new articles
Suzanne Smalley

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.