The need for publishers to ensure that their processing of
personal data complies with the law is more important than ever.
The General Data Protection Regulation EU/2016/679 is now
in force, hopefully bringing to an end the wave of privacy notices that have
been flooding inboxes over the last few weeks. With somewhat less attention,
Parliament has supplemented the GDPR in domestic law by enacting the Data Protection Act 2018, which received Royal Assent only
on Wednesday 23 May 2018. The statute, which clarifies and supplements the
GDPR, replaces the Data
Protection Act 1998 as the new statutory framework governing personal data
in this country.
Media lawyers and journalists might feel a degree of
trepidation at this news. The Data Protection Act 1998 has become a mainstay of
media disputes, with its importance and impact increasingly felt by publishers.
So what changes do the traditional media publishers, online platforms and
journalists face under the new 2018 Act?
In short:
- the journalism exemption in the Data Protection Act 1998, s
32(1) has been reproduced and its application expanded in the Data Protection
Act 2018 at sch 2, part 5 para 26 - the statutory stay procedure at s 32(4) has been reproduced
in similar terms at s 176 - new criminal data offences have been introduced alongside
explicit journalism public interest defences at ss 170-171 - the Information Commissioner has been granted significant
powers and responsibility to encourage media compliance with data protection
laws, including periodic review and reporting on compliance, an obligation to
issue guidance to individuals on seeking redress against media organisations
and creation of a code of practice for media organisations on data protection
compliance to be approved by Parliament - the Secretary of State must report every three years on the
effectiveness of the media dispute resolution procedures, including under the
Editors’ Code of Practice.
The Special Purposes Exemption
Unsurprisingly, given the explicit requirement in the GDPR
to provide protection for the right to freedom of expression and information,
the special purposes exemption, which protects processing for the purposes of
journalism, art and literature (and now academic purposes) has survived and in
fact has widened in scope and application under the new Act.
The journalism exemption at s 32(1) of the DPA 1998 provided
that personal data have to be processed only for one of the ‘special purposes’,
including journalism, in order for the exemption to be capable of applying,
subject to meeting the s 32(1) criteria. Consequently, a data controller
processing for two or more substantive purposes, including for journalism, was
on the face of the legislation precluded from relying on the exemption.
The exemption in the Data Protection Act 2018 is wider.
Schedule 2, part 5, para 26(3) contains the new exemption which notably
includes no provision that personal data must be processed only for the special
purposes; instead the dis-application of certain GDPR provisions for
journalists will apply ‘to the processing of personal data carried out for the
special purposes’, whether or not the data are being processed for a second or
ancillary purpose. This will avoid the scenario where the media potentially
faced losing the protection of the exemption if they assisted the police in
connection with a criminal investigation, and may also have an impact on online
platforms and search engine providers. In the recent case of NT1
and NT2 v Google LLC [2018] EWHC 799 (QB), Warby J countenanced that, if
Google were processing for the special purposes, they were not doing so ‘only’
for the special purposes – that may now be of little significance.
Otherwise, the exemption criteria are substantively the same
as they were under the DPA 1998:
- the data in question must be being processed with a view to
the publication of journalistic material, - the data controller must reasonably believe that, having
regard in particular to the special importance of the public interest in
freedom of expression, publication would be in the public interest, and - the data controller must reasonably believe that the
application of the listed GDPR provision would be incompatible with its
journalistic purpose.
Assuming these criteria are met, a data controller will be
exempt from complying with an extensive list of GDPR rights and obligations
(which itself has substantially increased). Notably, Codes of Practice have
added importance for a publisher seeking to rely on the exemption. The Act
provides explicitly at para 26(5) that, when forming a belief that publication
is in the public interest, a data controller must have regard to relevant codes
of practice, namely the BBC Editorial Guidelines, the Ofcom Broadcasting Code
and the Editors’ Code of Practice.
Statutory Stay
Section 176 of the DPA 2018 replicates the statutory stay
provision at s 32(4) of the DPA 1998, providing that, where a data controller
claims, or it appears to the court, that personal data are being processed only
for the special purposes, with a view to publication of journalistic material
and the data have not previously been published by the controller, the court
must stay any data protection proceedings brought over such data. By contrast
to the exemption itself, the requirement in this case is that data must be
being processed ‘only’ for journalism – so publishers seeking to rely on the
statutory stay must be confident the data are not being processed for another
substantive purpose.
As in the DPA 1998, the Information Commissioner again may
make a written negative determination, in effect as to whether such a stay is
appropriate. Section 174(3)(b) of the Act provides that the Commissioner may
determine whether personal data are either not being processed only for the special
purposes (including journalism) or whether the data are being processed without
a view to the publication of journalistic material that has not previously been
published. The ICO’s efforts to secure the right to determine whether
compliance with a relevant provision of the DPA 2018 was incompatible with the
special purposes was unsuccessful.
Nonetheless, it remains open to a claimant facing the
prospect or reality of a stay under s 176 to turn to the ICO and make a
complaint to the Commissioner pursuant to s 165, although the ICO’s powers to
require the provision of information and co-operation and to enforce are
limited where no determination under s 174 has been made. In any event, any
outcome would not necessarily be final as a right of appeal exists under s 162.
New Offences and New Defences
Sections 170 and 171 of the DPA 2018 add to the existing
offence of unlawfully obtaining personal data a new offence of
re-identification of de-identified personal data. Given the risk of impinging
on investigative journalism, each offence provides expressly for new defences
that mirror the special purposes exemption.
An offence will not be committed in either case if the data
controller (1) acted for the special purposes, (2) with a view to publication
of journalistic material, and (3) with a reasonable belief that the controller’s
conduct was justified as in the public interest. These defences will be
welcomed by the media, and will add to the protection afforded by the CPS
Guidance for prosecutors on assessing the public interest in cases affecting
the media.
Assistance in Special Purposes Proceedings
Section 175 of the DPA 2018 replicates the provision that a
party who is subject to special purposes proceedings can apply to the
Information Commissioner for assistance in those proceedings. However, before
providing any such assistance, the Commissioner must be of the opinion that a
matter carries substantial public importance.
On the face of the Act, it is therefore open for either a
prospective claimant or a defendant, most likely one with limited resource but
involved in a data dispute of significance, to apply to the ICO for assistance
in their claim. With the threshold of ‘substantial public importance’ markedly
high and with the ICO able simply to apply to intervene in litigation instead
of taking on the burden of assisting a party to a dispute, it remains to be
seen whether this will be used by parties and how interventionist the
Commissioner will be in future cases.
Guidance, Review and Reporting Obligations
Following legislative wrangling between the House of Commons
and the House of Lords just days before the Bill received Royal Assent, and
against the backdrop of arguments calling for ‘Leveson 2’, both the Secretary
of State for Digital, Culture, Media and Sport and the Information Commissioner
have had their responsibilities as watchdogs over the media increased. Notably:
- the media has been singled out as an industry, with an
obligation on the Information Commissioner to produce guidance in the next year
on how to seek redress against media organisations where an individual
considers that a media organisation has failed to comply with data protection
legislation (s 177); this will not necessarily apply to online platforms; - the Information Commissioner must consult on and prepare and
submit to the Secretary of State within 18 months a code of practice (to be
approved by Parliament), containing practical guidance on compliant processing
of personal data for the purposes of journalism and practice which is desirable
having regard to the interests of data subjects and the special importance of
the public interest in freedom of expression and information (s 124); - the Information Commissioner is now also obliged to carry
out periodic reviews of whether the data protection legislation is being
complied with by the media and report her findings to the Secretary of State –
the first review must be commenced within four and a half years and completed
within six years, and then repeated every five years (s 178 and sch 17); - separately the Secretary of State must report every three
years to Parliament on the use and effectiveness of the media’s dispute
resolution procedures in cases involving allegations of breaches of data
protection legislation, specifically on any dispute resolution procedures
provided by those who enforce codes of practice for relevant media
organisations (s 179) – this will include IPSO, IMPRESS and, perhaps
unintentionally (since what constitutes an alternative dispute resolution
procedure is not defined), potentially also OFCOM insofar as its code relates
to on-demand publishers.
Summary
While the GDPR and DPA 2018 do not, on their face, require
alterations to journalistic practice, there is cause for both optimism and a degree
of caution for media organisations. The journalism exemption is marginally
wider, and new data offences are counterbalanced by explicit public interest
journalism defences, which provide welcome clarity. Perhaps most notable
however are the provisions for continuing regulation and oversight of the media
and its compliance with data protection legislation. With the Commissioner’s
obligations to produce a code of conduct for journalism, guidance to the public
on seeking redress against media organisations, and to carry out periodic
reviews of sector compliance, the need for publishers to ensure that their
processing of personal data complies with the law is more important than ever.
Nicola Cain is a Partner at RPC LLP. She is a specialist in
media and information rights compliance, regulation, enforcement and disputes.
Rupert Cowper-Coles is a Senior Associate at RPC LLP and an
experienced litigator in the field of media and information law.
