Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation establishing a common framework for media services in the internal market (European Media Freedom Act) and amending Directive 2010/13/EU

(2022/C 487/07)

(The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)

On 16 September 2022, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council establishing a common framework for media services in the internal market (European Media Freedom Act) and amending Directive 2010/13/EU.

The Proposal aims to improve the functioning of the internal media market, particularly by fostering cross-border activity and investment in media services, increasing regulatory cooperation and convergence, facilitating the provision of quality media services and ensuring a transparent and fair allocation of economic resources in the internal media market.

The EDPS welcomes the aim of the Proposal to protect media freedom and pluralism, as a precondition for the functioning of the EU internal market for media services and, equally important, a key enabler for the rule of law and democratic accountability in the Union.

However, the EDPS recommends to first clarify the scope of the future Regulation, both personal and material. In particular, he notes that, despite the intention of the Commission, clearly expressed in the Proposal, to lay down rules ensuring the protection at EU level of the sources of journalists including freelancers, the scope of the Proposal as currently defined only includes media service providers and does not encompass all journalists. The EDPS recommends adding an explicit reference to journalists to the relevant provisions of the future Regulation, so as to clarify that any journalist, including free-lance or self-employed, would fall within the scope of the future Regulation and thus could also be able to rely on a robust protection of journalistic sources and communication. In addition he recommends clarifying the criteria for determining when a journalist falls within the jurisdiction of a Member State. The EDPS also recommends to horizontally clarify that the future Regulation is without prejudice to and does not affect the EU legislation on personal data protection and privacy, in particular the General Data Protection Regulation (GDRP) (1), the ePrivacy Directive (2) and the Law Enforcement Directive (LED) (3).

Secondly, while the EDPS fully supports the objective of the Proposal to provide specific guarantees for media freedom and pluralism, he has doubts about how effective the proposed measures would be in practice to achieve the objective pursued. In particular, the EDPS considers that, as it stands, Article 4(2)(b) and (c) of the Proposal, in particular regarding the exceptions to the prohibition of intercepting, subject to surveillance media service providers, including by deploying spyware on their devices, do not provide enough safeguards and lack legal clarity. The EDPS invites the co-legislators to further define and restrict the possibility to waive the protection of journalistic sources and communications, in line with the principles of strict necessity and proportionality as interpreted in the case law of the CJEU and the ECtHR. In particular, he remains convinced that the only viable and effective option to protect the fundamental rights and freedoms in the Union, including media freedom, against highly advanced military-grade spyware is a general ban on its development and deployment with very limited and exhaustively defined exceptions, complemented by robust safeguards, such as those suggested in the EDPS Preliminary remarks on modern spyware.

Thirdly, with regard to the national independent authority or body in charge of handling complaints in relation to breaches of Article 4(2)(b) and (c) of the Proposal, the EDPS recommends ensuring that the future Regulation explicitly set out specific guarantees of independence and provide for an explicit legal basis for cooperation between the relevant supervisory authorities, each acting within their respective areas of competence. In addition, the EDPS recommends that the future Regulation require a structured cooperation between the competent supervisory authorities, including data protection authorities and make explicit reference to the national competent supervisory authorities involved in the cooperation and identify the circumstances in which cooperation should take place. In particular, the EDPS recommends ensuring that the independent competent authorities designated under the future Regulation have the power and duty to consult with the relevant other national competent supervisory authorities, including data protection authorities, in the context of their investigations and compliance assessments. With regard to national data protection authorities, the EDPS specifically recommends clarifying that competent independent authorities under the future Regulation should be able to provide to the competent supervisory authorities under the GDPR and the LED, upon request or on their own initiative, any information obtained in the context of any audits and investigations that relate to the processing of personal data and to include an explicit legal basis to that effect.

Moreover, regarding the publication of information concerning the media service providers and in particular their owners and beneficial owners, the EDPS recommends explicitly specifying in the Proposal the objective(s) of public interest pursued and ensuring that the list of categories of information to be made available under Article 6(1) of the Proposal be clearly defined and explicitly listed in the future Regulation.

Lastly, the EDPS recommends clarifying whether any personal data would be processed throughout the cooperation or mutual assistance between national regulatory authorities or bodies set out in the Proposal and, if so, to explicitly lay down the purposes of the processing, the specific categories of personal data to be processed, the data retention period and the identification of the roles and responsibilities of the national regulatory authorities and bodies within the meaning of data protection law.

1.   INTRODUCTION

4.   CONCLUSIONS

(1)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(2)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).

(3)  Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).

(4)  COM(2022) 457 final.

(5)  COM(2022) 457 final, p.3.

(6)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(7)  EDPS Preliminary remarks on modern spyware, issued on 15 February 2022.