This document discusses the interface between data protection law and journalism. It notes that while EU law provides some exemptions for journalism, most countries still subject it to qualified data protection standards. It argues that data protection authorities (DPAs) should take a co-regulatory approach when setting standards and enforcing data protection in journalism. Specifically, DPAs should engage with self-regulatory bodies to help ensure protections for vulnerable groups while respecting press freedom. Enforcement should show deference to self-regulation but DPAs must ultimately make independent assessments.