Skip to main content Accessibility help
×
Home
Hostname: page-component-cf9d5c678-5tm97 Total loading time: 0.266 Render date: 2021-07-28T02:31:14.919Z Has data issue: true Feature Flags: { "shouldUseShareProductTool": true, "shouldUseHypothesis": true, "isUnsiloEnabled": true, "metricsAbstractViews": false, "figures": true, "newCiteModal": false, "newCitedByModal": true, "newEcommerce": true, "newUsageEvents": true }

Can the GDPR and Freedom of Expression Coexist?

Published online by Cambridge University Press:  06 January 2020

Nani Jansen Reventlow
Affiliation:
Director of the Digital Freedom Fund; Lecturer in Law at Columbia Law School; and Associate Tenant at Doughty Street Chambers.
Rights & Permissions[Opens in a new window]

Extract

The General Data Protection Regulation (GDPR) imposes important transparency and accountability requirements on different actors who process personal data. This is great news for the protection of individual data privacy. However, given that “personal information and human stories are the raw material of journalism,” what does the GDPR mean for freedom of expression and especially for journalistic activity? This essay argues that, although EU states seem to have taken their data protection obligations under the GDPR seriously, efforts to balance this against the right to freedom of expression have been more uneven. The essay concludes that it is of key importance to ensure that the GDPR's safeguards for data privacy do not compromise a free press.

Type
Essay
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.
Copyright
Copyright © 2020 Nani Jansen Reventlow

The General Data Protection Regulation (GDPR)Footnote 1 imposes important transparency and accountability requirements on different actors who process personal data. This is great news for the protection of individual data privacy. However, given that “personal information and human stories are the raw material of journalism,”Footnote 2 what does the GDPR mean for freedom of expression and especially for journalistic activity? This essay argues that, although EU states seem to have taken their data protection obligations under the GDPR seriously, efforts to balance this against the right to freedom of expression have been more uneven. The essay concludes that it is of key importance to ensure that the GDPR's safeguards for data privacy do not compromise a free press.

Data Protection and Journalism

Data journalism, which is based on the analyzing and filtering of large data sets with the help of technology for the creation of news stories, continues to be on the rise on both sides of the Atlantic,Footnote 3 and revelations such as the Panama Papers have shown what impact this can have in bringing corruption and other wrongdoing to light.Footnote 4 At the same time, events such as the Facebook-Cambridge Analytica scandal are a stark reminder of how easily data can be misused. The tension between privacy and freedom of expression is nothing new, but while there are well-developed standards under international law to balance these fundamental rights, it is not at all clear that the GDPR will protect both rights equally in practice. This leaves it open for private individuals to weaponize data protection laws to threaten, silence, or hinder journalistic stories that rely on or include personal data. Data protection claims may replace the libel suit in this respect, particularly as the former does not require damage to reputation or falsity for legal action to be viable.

The GDPR and the Right to Freedom of Expression

The GDPR replaces the 1995 Data Protection Directive, which provided for many of the requirements currently imposed by the GDPR, and, like the GDPR, contained a so-called “journalistic exemption.”Footnote 5 This exemption makes some of the requirements for data processing inapplicable when this processing takes place for journalistic purposes.Footnote 6 The exemption under the Directive was narrower, as it provided exemptions for processing “solely” for “journalistic purposes or the purpose of artistic or literary expression,” if they were necessary from a free speech perspective.Footnote 7 Article 85 of the GDPR omits the “solely” requirement and provides exemptions for the purpose of reconciling free speech with data protection. Article 85 refers to journalism, academia, art, and literature as examples of circumstances in which such exemptions would be necessary,Footnote 8 resulting in a broader scope for exemption from GDPR rules. This broader scope allows for exemptions to apply to free speech contexts other than journalism, but also gives EU member states such flexibility that free speech protections can differ significantly between jurisdictions, as discussed below.

The GDPR attempts to harmonize data privacy protection across the European Union. The landscape for safeguarding the right to freedom of expression, however, is more fractured. The European Court of Human Rights (ECtHR) has interpreted the right quite broadly, but the member states themselves retain substantive flexibility in their domestic law in how to reconcile the right to freedom of expression with GDPR obligations.

The right to freedom of expression is codified in a variety of international law instruments applicable to European states, including the Charter of Fundamental Rights of the European Union,Footnote 9 the European Convention on Human Rights (ECHR),Footnote 10 and the International Covenant on Civil and Political Rights.Footnote 11 The scope of the right to freedom of expression protected by Article 11 of the Charter of Fundamental Rights mirrors the right protected by Article 10 of the ECHR, as interpreted by the ECtHR.Footnote 12 The Court's caselaw on freedom of expression is extensive, but a few points merit highlighting. First, the ECtHR repeatedly has emphasized the special role of the press in enabling the proper functioning of a democratic society by both serving as a “public watchdog”Footnote 13 and a crucial means for producing and circulating information in the public interest. “Freedom of the press,” the Court has stated,

affords the public one of the best means of discovering and forming an opinion of the ideas and attitudes of their political leaders. In particular, it gives politicians the opportunity to reflect and comment on the preoccupations of public opinion; it thus enables everyone to participate in the free political debate which is at the very core of the concept of a democratic society.Footnote 14

Second, the Court has consistently made clear that the right to privacy protected by Article 8 of the Convention and the right to freedom of expression are equal rights that states must balance, based on the criteria the Court has identified in its caselaw.Footnote 15

The Journalistic Exemption

Article 85 of the GDPR states that member states “shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression,” including by providing for exemptions or derogations from the GDPR. However, the exact nature of the journalistic exemption is left to the individual member states to define. This poses two risks: first, that certain states will adopt national legislation that does not offer the same level of protection to the right to freedom of expression and freedom of the press that international law does; and second, that certain states will fail or be slow to adopt any legislation at the national level providing for a journalistic exemption to the data protection obligations under the GDPR.

A review conducted in late 2018 shows that, while most states had implemented the GDPR by adopting national laws,Footnote 16 the formulation of journalistic exemptions with true potential for protecting free speech was lagging. At the time of the review, only sixteen of twenty-eight member states had legislated for a journalistic exemption and the quality of those provisions varies greatly, resulting in an inconsistent legal landscape for the protection of freedom of expression under the GDPR.Footnote 17

For the countries that have adopted national legislation containing a journalistic exemption, the ability to protect freedom of expression will depend on the quality of those data protection laws and whether national authorities apply them in accordance with the applicable standards of international law. For example, the Slovak Republic's Data Protection Act could be problematic, as it carves out an “exception to the exception”: personal data may be processed for journalistic purposes without a data subject's consent, except where this would violate her personality protection or privacy.Footnote 18 It is difficult to imagine how a reporter would be able to escape this circular reasoning when investigating a potential case of corruption. The Spanish Data Protection Act, on the other hand, gives no indication at all of how GDPR requirements should be reconciled with journalism or freedom of expression. Other than a general mention of freedom of expression in the preamble and a provision in its operative section stating that everyone has the right to freedom of expression on the internet, the Act is silent about the GDPR, leaving great uncertainty on the protection offered to journalistic processing.Footnote 19

A Threat to Journalism?

This patchy trans-European landscape of sometimes adequate, sometimes inadequate, and at times fully absent legislation potentially will have a chilling effect on freedom of expression and journalism, especially for those journalists and outlets that publish in multiple jurisdictions and online. First, this setup makes it appealing for individuals seeking to bring data protection claims to engage in forum-shopping: the litigant can cherry-pick a jurisdiction that offers the least protection for journalism to attempt to suppress critical reporting. Data protection claims can be a convenient tool for reputation management: unlike libel claims, there is “no time limitation on claims, no defence for truth or honest opinion, and no requirement to demonstrate serious harm.”Footnote 20

One example of “weaponizing” the GDPR against journalists has already occurred in Romania, where the local Data Protection Authority tried to force the Rise Project, an award-winning investigation portal, to reveal its sources following its publication of an investigation into a corruption scandal involving a high-level politician. While this has led to warnings from the European Commission,Footnote 21 the case is currently ongoing.

Second, the consequences for falling foul of the GDPR can be grave. While national supervising authorities have the possibility of taking “lighter” measures such as giving warnings or reprimands and ordering the rectification or erasure of data (which could be disastrous for an investigative journalism project in and of itself), discretionary fines imposed could run up to EUR 20 million or 4 percent of annual global turnover––whichever is greater.

The risk of being on the receiving end of data protection claims that could have dire financial consequences for the journalist or media outlet can lead to self-censorship. Members of the European Parliament have called for an end to vexatious lawsuits against the media, also referred to as SLAPP—Strategic Lawsuit Against Public Participation—lawsuits.Footnote 22 Some members have proposed an anti-SLAPP Directive, which would give journalists the possibility of requesting rapid dismissal of such claims. Even when a case is without merit and the court dismisses it or finds for the media outlet, the time, effort, and cost that go into defending a meritless claim and the intimidation it represents can be harmful in and of itself. At the moment, the main avenue to protect freedom of expression rights in the EU remains pursuing a claim before the ECtHR. This road is long,Footnote 23 and the penalties imposed for infringement of the right are nowhere near as robust as the consequences of a GDPR violation.Footnote 24

Conclusion

Although EU states seem to have taken their data protection obligations under the GDPR seriously, their efforts to balance data privacy and freedom of expression have been more uneven and, based on the current landscape, it is not clear that the member states have adequately taken into account their legal obligation to protect freedom of expression and information under the GDPR when protecting data privacy. It is important that the GDPR's much-needed safeguards to protect the right to data privacy do not compromise freedom of expression. As the practice of enforcing the GDPR further unfolds, we will need to carefully watch if the current landscape offers sufficient possibilities to balance these two fundamental rights not only on paper, but also in practice.

References

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 [hereinafter GDPR].

2 Jo Glanville, The Journalistic Exemption, 40 London Rev. Books 9-10 (July 5, 2018).

3 See Lindsey Rogers Cook, How We Helped Our Reporters Learn to Love Spreadsheets, N.Y. Times (June 12, 2019); Data Journalism, Guardian (Mar. 2019).

4 The International Consortium of Investigative Journalists, a global network of more than 190 investigative journalists in more than 65 countries, combined data from the Panama Papers, the Offshore Leaks, the Bahamas Leaks, and the Paradise Papers investigations in a single database.

5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31.

6 GDPR, supra note 1, art. 85.

7 See also Case C-73/07, Satakunnan Markkinapörssi Oy & Satamedia Oy, ECLI:EU:C:2008:727, (Eur. Ct. Justice, Dec. 16, 2008).

8 See supra note 5.

9 Charter of Fundamental Rights of the European Union art. 11, 2000 O.J. (C 364) 1 (Oct. 26, 2012) [hereinafter European Charter].

10 Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14 art. 10, Nov. 4, 1950, E.T.S. No. 5, art. 10.

11 International Covenant on Civil and Political Rights art. 19, Dec. 16, 1966, 999 UNTS 171.

12 European Charter, supra note 9, art. 52.3 states, “In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.”

13 Axel Springer AG v. Germany (no. 2), App. No. 48311/10 (Eur. Ct. Hum. Rts., July 10, 2014) (in French). There is only an English summary.

14 Castells v. Spain, App. No. 11798/85 (Eur. Ct. Hum. Rts., Apr. 23, 1992).

15 Von Hannover v. Germany (2), App. Nos. 40660/08 and 60641/08 (Eur. Ct. Hum. Rts., Feb. 7, 2012).

16 As of early 2019, all but three states had legislated to implement the GDPR as such; two countries (Portugal and Greece) had legislation pending; and one was in the process of redrafting a previously withdrawn bill. See the GDPR Tracker prepared by the law firm Bird & Bird.

17 Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Hungary, Ireland, Italy, the Netherlands, Poland, Slovakia, Spain, Sweden, and the United Kingdom have all enacted these laws. See Bird & Bird GDPR Tracker.

18 Data Protection Act of Slovakia, sec. 78. See Bird & Bird GDPR Tracker.

19 Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales art. 85 (in Spanish).

20 See supra note 2.

21 Nikolaj Nielsen, EU Warns Romania Not to Abuse GDPR Against Press, EU Observer (Nov. 12, 2018).

22 Stephanie Kirchgaessner, MEPs Call for Power to Tackle “Vexatious Lawsuits” Targeting Journalists, Guardian (Feb. 22, 2018).

23 See the case statistics page of the European Court of Human Rights.

24 Veronika Fikfak, Changing State Behaviour: Damages Before the European Court of Human Rights, 29 EJIL 1091 (2018).

You have Access
Open access

Send article to Kindle

To send this article to your Kindle, first ensure no-reply@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about sending to your Kindle. Find out more about sending to your Kindle.

Note you can select to send to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be sent to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Can the GDPR and Freedom of Expression Coexist?
Available formats
×

Send article to Dropbox

To send this article to your Dropbox account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Dropbox.

Can the GDPR and Freedom of Expression Coexist?
Available formats
×

Send article to Google Drive

To send this article to your Google Drive account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Google Drive.

Can the GDPR and Freedom of Expression Coexist?
Available formats
×
×

Reply to: Submit a response

Please enter your response.

Your details

Please enter a valid email address.

Conflicting interests

Do you have any conflicting interests? *