Article 85 GDPR requires EU member states to balance data protection with freedom of expression and information, including journalism and similar public-interest publishing. It is not a blanket exemption. Instead, national laws may adjust certain GDPR rules when personal data is processed for news reporting, commentary, or other protected expression.
In cyber security, this matters when incident reports, OSINT posts, screenshots, or reposted articles contain names, handles, faces, or other identifiers. A publisher may need to minimize personal data, document why publication is necessary, and check local journalistic exemptions before sharing leak material or analysis. Attackers sometimes misuse “news” framing to spread doxxing content or stolen data, but Article 85 does not legitimize unlawful disclosure. For defenders, it is a reminder that privacy controls, editorial review, and jurisdiction-aware handling all matter.