The Buivids Debate: why the CJEU decision isn’t wrong and why the GDPR is out of date

June 6, 2019

The recent decision of the CJEU in the case of Buivids (C–345/17) has deservedly drawn a lot of commentary. It seems as though the CJEU has potentially made every citizen using social media a data controller, subject to the full regime of the GDPR, including fines, privacy notices, DPIAs, balancing tests, records of processing and the rest.

In the April 2019 issue of Computers & Law, Neil Brown wrote an insightful article on the difficulties that the Buivids decision presents. I agree with many of his points but take a different view on others, so in this article I will, in the spirit of good-natured academic debate, set out why I think, unlike Neil, that the outcome of the Buivids decision was logical and accurate, before arguing that the GDPR is out of date: the online world of the twenty-first century requires an entirely new way forward.

What Happened Again?

In case you missed Neil’s article, here’s a very short summary. Mr Buivids was arrested and charged with a minor administrative offence in Latvia. He filmed his experience in the police station and later posted the video on YouTube. The video clearly depicts police officers going about their business who were not aware that they were being filmed. The Latvian national supervisory authority took action against Mr Buivids regarding the YouTube post and demanded that it be taken down. Mr Buivids argued that he did not need to take it down because the recording was caught by the personal and household use exemption, or by the journalistic works exemption. The CJEU determined that the recording could not fall within the personal and household use exemption because, when published on YouTube, the video could be seen by an unlimited audience. It did however consider that, in the unique circumstances of this case, the journalistic exemption may apply.

So is the outcome correct in law?

A central theme of Neil’s article is that, by failing to find that Mr Buivids’ activity was caught by the personal and household use exemption, the CJEU erred in law. I take a different view and think the CJEU’s decision was correct: here’s why.

The decision was legally accurate because the CJEU followed several important decisions that had already laid the ground, notably Lindqvist (2003), Rynes (2014) and Jehovan Todistajat (2018). It also followed the persuasive opinion of Advocate General Sharpston. The personal and household use exemption has always been given a narrow legal interpretation, as it should be. When Mr Buivids decided to post the video to an unrestricted audience he processed the personal data in his control in a manner which is not consistent with a purely personal activity. In 2009 the WP29 published an Opinion WP163 about online social networking which held exactly the same view. The WP29 said “…if a user takes an informed decision to extend access [to material shared on social networking sites] beyond self-selected friends, data controller responsibilities come into force.” A further statement of the WP29 from 2013 reached the same conclusion.

Correct in principle?

But was the CJEU right as a matter of principle? Neil’s article argues that the CJEU’s focus on the audience is illogical. I disagree as the decision follows the perfectly logical direction of travel set by Directive 95/46, then the GDPR, and equally the case law of the CJEU and certain national courts in member states. The outcome was, I think, highly predictable. 

Correct as a matter of ethics?

Was the CJEU’s decision ethically wrong? Neil makes a persuasive argument about the impact this decision will have on hobbyists and others. This is where the debate starts to get very interesting. I’m a millennial and surrounded by friends and colleagues who live their lives just as much in the online space as the real world. I think (and I reckon most of my friends and colleagues would agree) that there is an uncodified but present ethical dividing line about social media posts, a sort-of unspoken “right” from “wrong”. Buivids is trying, in a very clumsy way, to tackle that issue head on. The issue is what matters more: your right to film or photograph whatever you like whenever you like and share it with whomever you like, even if that post includes images of me; or my right to stop you from posting material about me and to (potentially) hold you accountable for harm arising from what you post?

What I agree with

Neil is right to state that no one should expect individuals to be lumbered with the totality of the controller regime. Such an expectation is daft and could never work. If the CJEU’s decision were to extend to its farthest reaches (which I don’t think it ever will) then it would be absurd and almost certainly not applied in a consistent manner. It would also fall short of the overriding EU principle of proportionality.  

Neil is also right to point out that Buivids shows that the law seems inconsistent with modern day life. The WP29 made similar observations in its 2013 Statement on discussions about data protection reform, stating that the GDPR was an opportunity for the legislature to deal with the growing irreconcilability of data protection law and the modern use of social media and online communities. In that sense, I think the GDPR failed to grasp the nettle because it does not adequately deal with the issue of third party data displayed to large audiences when uploaded by individuals for recreational purposes (that is, not for artistic, journalistic or other exempt purposes).

Where we differ is in how to deal with the proliferation of online data sharing by individuals.

This affects most of us including every social media user who uploads images or videos where other people are in those images or videos, even incidentally. The debate reaches into the heart of data protection ethics, compliance and law. In the spirit of this debate we should not forget the grand power that social media has in our culture, both for good and bad. In the terror attacks in London and Manchester, social media was used effectively to communicate that many caught up in those events were unharmed, even allowing strangers a chance to offer overnight accommodation to those affected. Equally, the tragic cases of Molly Tuttle’s suicide and the suicide of a teenager in Malaysia just last month in response to an Instagram poll involving her “friends” (the teenager asked her friends in a poll if she should kill herself, the majority responded to the poll with “yes”) are painful reminders that social media is the harbour of the very best and worst of human traits.

This is why Buivids was ultimately right. It says that those who post online have a duty to those who are affected by what they post. The CJEU is trying to say, albeit through the tired title of controller, that individuals deserve the protection of data protection law when others post things that can result in them being identified.

A whole new class is required?

I think the binary regime of controller or processor is out of date and, to that extent, the GDPR is out of date too. If your processing of personal data is within the material scope of GDPR, you must fit into one of these two categories. That dual categorisation is wrong and is a product of a bygone technological era. 

We need data classifications that work in the twenty-first century. I suggest a new third category of classification: recreational controller. A recreational controller is anyone who shares information, images or videos with an unrestricted audience. Recreational users of social media should be within scope of data protection law because (just like controllers) they owe a duty of care to those data subjects whose personal data they share. However, recreational users of social media should not be corralled into the world of controller corporate governance. Registration with an NSA, preparing privacy policies or documenting consent simply could not work in this online world, even assuming recreational social media users understand what is asked of them and the consequences of failing to do so, something Neil and I both agree is unlikely. A new category of recreational controller would be a way of removing this compliance burden whilst still retaining the implicit duty (and ethical responsibility) for actions taken online. It would also mean that a recreational controller could be penalised where it can be shown that they have knowingly or recklessly shared data which could have a material impact on the data subjects causing them harm. Those third parties should also have the right to demand those images are taken down and/or permanently erased (vis Art 17 GDPR) without needing to resort to the social media provider. This concept of a “lite” form of regulation is corroborated by some of the arguments made in the WP29 2013 Statement, many of which were unfortunately never converted into law.

I get that this third category of controller is controversial. Immediate problems that I can identify are that it would be practically difficult to enforce, but then this, too, is true of the outcome in Buivids. It would almost certainly require the involvement of the social media platforms to help police it, unless a technological solution is developed that allows data subjects to protest to (and to automate the removal of) a post which clearly identifies them. But this in turn creates issues regarding editing of social media and potential abuse. From a legal perspective, it also raises a challenge about what is the lawful basis of processing if not consent as recognised by the GDPR. To that I would say that perhaps it ought to be consent but not as we currently know it.

I am not offering a panacea. I am instead initiating a debate. In my view, there is no effective law which deals with the issue of sharing of personal data online to an unrestricted audience. I agree with Neil that Buivids fails to adequately deal with this. Where I disagree with Neil is the proposed answer. Neil has argued that the domestic purpose exemption should be interpreted as applying to this sort of activity. I disagree, because to do so would take all such activity outside of the scope of the GDPR. Instead, I think the activity should be within the scope of the law but in a whole new class of controller, with adapted rules and hybrid status. 

This is not the end of the discussion. I am not sure it is even the beginning of the end. But perhaps it points the way to resolving the tension between the online world of unrestricted data sharing and the ambit of data protection law and ethics. 

Matthew Holman is Head of Technology and Data Protection at EMW, a UK law firm with offices in London, Milton Keynes and Gatwick