¹ Directive 95/46, art 1.

² ibid art 9.

³ ibid recital 37.

⁴ ibid recital 8.

⁵ C-131/12 Google Spain; Google v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, EU:C:2014:317.

⁶ P Keller, European and International Media Law: Liberal Democracy, Trade and the New Media (Oxford University Press 2011) 331.

⁷ Great Britain, House of Lords, Select Committee on the European Communities, 20th Report: Protection of Personal Data (HMSO 1993) 39.

⁸ Keller (n 6) 337.

⁹ See Annex 2 of European Commission Staff Working Paper Impact Assessment (SEC (2012) 72 FINAL) 13. These remarks were grounded in analysis produced in 2010 which, whilst interesting, was entirely qualitative, somewhat anecdotal and based only on an explicit examination of the laws in those States which joined the EU before 2003. See D Korff, Data Protection Laws in the EU: The Difficulties in Meeting the Challenges Posed by Global Social and Technical Developments (2010) 13–21 <http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_challenges/final_report_working_paper_2_en.pdf>.

¹⁰ Directive 95/46, art 1.2; recital 8.

¹¹ The application of the Directive here is based on the Agreement on the European Economic Area (OJ 1994 L 1). The precise relationship between the legal duties of these jurisdictions and both related legal provisions such as the EU Charter of Fundamental Rights and interpretations of the law by the Court of Justice of the European Union remains a matter of great complexity, the consideration of which is beyond the scope of this article.

¹² D Bainbridge, EC Data Protection Directive (Butterworths 1996) 15.

¹³ Directive 95/46, art 3.

¹⁴ ibid recital 15.

¹⁵ ibid art 2(a).

¹⁶ C-101/01 Criminal proceedings against Bodil Lindqvist, EU:C:2003:596; C-73/07 Tietosuojavaltuutettu v Satakunnon Markkinapörssi Oy and Satamedia Oy, EU:C:2008:727.

¹⁷ Directive 95/46, art 2(b).

¹⁸ ibid art 2(d).

¹⁹ It might be thought that the data security provisions in arts 16 and 17 of Directive 95/46 should also be included in this category. However, as the European Commission's Amended Proposal for a Council Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data Explanatory Memorandum (COM (92) 422 final) emphasized (at 37), these provisions were designed to be procedural as opposed to substantive since they are aimed only at ensuring that information is not subject to unauthorized processing, especially by third parties. This procedural understanding was confirmed by the CJEU in Satamedia (2008) at [64].

²⁰ Directive 95/46, recital 9.

²¹ ibid art 4. If the controller is not established in any EEA State but makes use of equipment on the territory of one or more Member State, then he must comply with the national laws in each country or countries where equipment is located.

²² Council of Europe, Legislation and Data Protection: Proceedings of the Rome Conference on problems relating to the development and application of legislation on data protection (Camera dei Deputati 1983) 72 (quoting Paul Sieghart).

²³ Rasaiah, S and Newell, D, ‘Data Protection and Press Freedom’ (1997/98) 3 Yearbook of Media and Entertainment Law 232Google Scholar.

²⁴ Mosley v United Kingdom (48009/08) [2012] EMLR 1.

²⁵ Rasaiah and Newell (n 23) 234–6.

²⁶ Lord Phillips of Worth Matravers in Campbell v Mirror Group Newspapers [2002] EWCA Civ 1373 [2003] QB 633 at [123].

²⁷ Directive 95/46, art 9

²⁸ Satamedia (n 16) at [56].

²⁹ Charter of Fundamental Rights of the European Union (OJ 2010 C 83, at 389) arts 7, 8 and 11.

³⁰ Whilst the European Convention on Human Rights does not mention this, some 13 EU Member States do in fact include a right to data protection in their Constitutions. See Cannataci, J and Misfud-Bonnici, J, ‘Data Protection Comes of Age: The Data Protection Clauses in the European Constitutional Treaty’ (2005) 14 Information and Communications Technology Law 8CrossRefGoogle Scholar.

³¹ See, as regards the European Convention on Human Rights, art 8 (right to respect for private and family life) and art 10 (freedom of expression).

³² M Siems, Comparative Law (Cambridge University Press 2014) 186.

³³ See eg Siems, M, ‘Regulatory Competition in Partnership Law’ (2009) 58(4) ICLQ 767CrossRefGoogle Scholar.

³⁴ See eg Ginsburg, T, Lansberg-Rodriguez, D and Versteeg, M, ‘When to Overthrow your Government: The Right to Resist in the World's Constitutions’ (2013) 60 UCLA Law ReviewGoogle Scholar.

³⁵ See art 355(3) of the Treaty on the Functioning of the European Union.

³⁶ Along this new scale (a) became 1, (b) became 0.83, (c) became 0.67, (d) became 0.5, (e) became 0.33, (f) became 0.17 and (g) became 0. It should be noted that this quantitative transformation was assisted by the extreme categories ((a) and (g)) respectively representing either complete substantive applicability of ordinary data protection provisions to the media or no applicability.

³⁷ Whilst neither the overall nor the element level results map precisely to the seven standardized categories defined at individual provision level, the use of a standardized scale still enables these scores to represent the extent to which substantive data protection remains applicable vis-à-vis media expression both as regards the regime as a whole and as regards particular elements of it.

³⁸ A study is in progress examining how data protection legislation has actually been applied via-à-vis the media in each EEA jurisdiction. The standardized approach adopted here should aid systematic comparison between these two datasets.

³⁹ Italy, Personal Data Protection Code, section 163.3; Italy, Code of Practice Concerning the Processing of Personal Data in the Exercise of Journalistic Activities.

⁴⁰ Romania, Law No 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data (as amended), art 13.6.

⁴¹ Luxembourg, Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data (as modified), section 29(3).

⁴² Bulgaria, Law for the Protection of Personal Data, art 5(7).

⁴³ United Kingdom, Data Protection Act 1998, section 32(1) (emphasis added).

⁴⁴ Directive 95/46, art 6(1)(d).

⁴⁵ Germany, Federal Data Protection Act (BDSG), section 41(3). For completeness it should be noted that it is also stated that if Deutsche Welle's journalistic processing ‘leads to the publication of counter-statements by the data subject, these counter-statements shall be added to the recorded data and retained for the same length of time as the data themselves’ (section 41(2)).

⁴⁶ Germany, Interstate Treaty on Broadcasting and Telemedia 2010, art 47(2).

⁴⁷ Netherlands, Personal Data Protection Act, art 3(1).

⁴⁸ Finland, Personal Data Act, section 2(5).

⁴⁹ Norway, Personal Data Act, section 7.

⁵⁰ Sweden, Personal Data Act, section 7.

⁵¹ Austria, Federal Act Concerning the Protection of Personal Data (DSG), section 48.

⁵² Iceland, Act on the Protection of Privacy as regards the Processing of Personal Data, art 5.

⁵³ Lithuania, Law on the Legal Protection of Personal Data, art 8.

⁵⁴ France, Law on Information Technology, Data Files and Civil Liberties, art 67.

⁵⁵ Poland, Act on the Protection of Personal Data 1997 (as amended), art 3(a)(2).

⁵⁶ Gibraltar, Data Protection Act 2004, section 13; Ireland Data Protection Act, section 22A; UK, Data Protection Act 1998, section 32. The parts added in square brackets reflect elements found in the Gibraltarian and Irish legislation only.

⁵⁷ Latvia, Data Protection Act, art 5. This article further states that those processing for journalistic purposes must act in accordance with the Law on Press and Other Mass Media. However, analysis of this non-data protection specific media regulation is outside the scope of this article.

⁵⁸ Bulgaria, Law for the Protection of Personal Data, art 4(2); art 5(7); art 36(a)(7).

⁵⁹ Estonia, Personal Data Protection Act, section 12(4).

⁶⁰ ibid section 12(3).

⁶¹ ibid section 14(1).

⁶² ibid section 20(1)(1); section 15(2)(5).

⁶³ Section 46 of the Maltese Press Act does place certain limits on the disclosure of journalistic sources as a result of legal processes. This could be seen to be in direct tension with the requirement to disclose information to data subjects on request. This is an aspect of the transparency provisions dealt within the next section.

⁶⁴ Malta, Data Protection Commissioner, ‘Data Protection and Street Photography’ [2013] <http://idpc.gov.mt/dbfile.aspx/Data_Prot_and_Street_Photography.pdf>.

⁶⁵ Malta, Data Protection Commissioner, Annual Report 2005, 7 <http://idpc.gov.mt/dbfile.aspx/Annual%20Report%202005.pdf>.

⁶⁶ Section 136.3 of the Code of Practice Concerning the Processing of Personal Data in the Exercise of Journalistic Activities (Data Protection Journalism Code) provides that when data are communicated or disseminated in the exercise, and for the sole purpose, of the journalistic profession ‘the limitations imposed on freedom of the press to protect the rights [instantiated in the data protection regime] … in particular, concerning the materiality of the information with regard to facts of public interest, shall be left unprejudiced. It shall be allowed to process the data concerning circumstances or events that have been made known either directly by the data subject or on account of the latter's public conduct.’ This specialist Code was issued by the Italian Data Protection Authority in 1998 following discussion with the media. Its legally binding status is governed by section 139 and section 12 of the overarching Italian Personal Data Protection Code.

⁶⁷ In Austria, whilst media expression is presumptively subject to compliance with the data quality principles the Act also then states that media use of data for journalistic purposes ‘shall be legal insofar as this is required to fulfil the information requirements of the media companies, media services and their operatives in the exercise of their right to free speech pursuant to art. 10 para. 1 of the European Convention on Human Rights' (Austria, Federal Act Concerning the Protection of Personal Data (DSG), section 48(1)). Given the lack of direct mention of permissible interferences with freedom of expression under art 10(2) of the Convention, this wording effectively grants the media considerable leeway before the law imposes substantive data protection requirements on them through recourse to the data quality principles.

⁶⁸ Danish, Act on the Processing of Personal Data 2000 (as amended) section 2.

⁶⁹ Denmark, Lov om massemediers informationsdatabaser 1994, section 3(8) (translated from Danish).

⁷⁰ ibid section 3(9) (this section also states that such a requirement applies when a previously mentioned judgment has been modified, the prosecution in a previously mentioned case has been abandoned or when a prosecution results in acquittal. These additions appear to be further specifications of when continued information dissemination would be ‘misleading’ (vildledende).

⁷¹ ibid section 3(8) (translation from Danish).

⁷² Council of Europe (n 22). See also Danish Press Council, Sound Press Ethics (n.d.) <http://www.pressenaevnet.dk/Information-in-English/The-Press-Ethical-Rules.aspx>.

⁷³ ibid section 1(2) (translated from Danish).

⁷⁴ ibid section 1(1). It should be noted that, whilst not mandating the various other stipulations mentioned above, this Media Liability Act 1998 does also require that such content must be conformity with sound journalistic ethics. See Denmark, Media Liability Act 1998 (as amended), section 34 <http://www.pressenaevnet.dk/Information-in-English/The-Media-Liability-Act.aspx>.

⁷⁵ The only relevant stipulations placed on such databases is that if they are electronic in nature then they can only be ‘made available to anyone other than mass media journalists and editorial staff’ who further ‘should not access or use the information database for anything other than journalistic or editorial work’ (section 2(4)). These provisions can be seen as a very partial instantiation of the second data quality principle.

⁷⁶ France, Law on Information Technology, Data Files and Civil Liberties, art 67.

⁷⁷ Iceland, Act on the Protection of Privacy as Regards the Processing of Personal Data, art 5.

⁷⁸ ibid.

⁷⁹ Germany, Federal Data Protection Act, section 41(1); Germany, Interstate Treaty on Broadcasting and Telemedia, art 57(1).

⁸⁰ Under the German Federal Data Protection Act, if reporting by Deutsche Welle ‘infringes the privacy of an individual’ this person ‘may request that inaccurate data be corrected’ (Germany, Federal Data Protection Act, section 41(3)). Section 41(2) of this Act also states that if Deutsche Welle's journalistic processing ‘leads to the publication of counter-statements by the data subject, these counter-statements shall be added to the recorded data and retained for the same length of time as the data themselves’.

⁸¹ Art 47(2) of the German Interstate Treaty on Broadcasting and Telemedia 2010 states that when in relation to inaccurate journalistic processing by such broadcasters a person is ‘negatively affected in his interests meriting protection’, he may demand either its ‘correction’ or the addition of his ‘own statement of appropriate length’.

⁸² Directive 95/46, recital 38.

⁸³ Directive 95/46, arts 10 and 11. Many countries have transposed this language in the Directive directly in to their law. Others, however, have specified certain sometimes wide-ranging categories of information which they consider must be provided to data subjects either in all or only certain circumstances. Whilst clearly interesting, an analysis of this diversity is beyond the scope of this article.

⁸⁴ Directive 95/46, art 10.

⁸⁵ It might be thought that this rule only stipulates that the media must provide this information at the time of publication. However, the Directive defines ‘third party’ broadly as any natural or legal person other than the data subject, the controller or somebody processing on behalf or operating under the direct authority of controller (arts 2(e) and (f)). According to Rasaiah and Newell (n 23) this means that ‘“publication” to the public is unlikely to be “first disclosure”. Aside from sources checked in the course of compiling the report, this might have been from freelance journalists to news editor of the newspaper; staff journalists to freelance sub-editor; photographer to news agency; reporter to independent programme producer’ (232).

⁸⁶ ibid art 11.2. The Directive also adds that this exemption is also applicable where such information provision is impossible. Since a number of Member States, perhaps incorrectly, treat this situation as a mere example of a disproportionate effort circumstance arising, it will generally not be analysed separately.

⁸⁷ Hungary, act CXII of 2011 on Informational Self-Determination and Freedom of Information, section 20(4). Whilst traditional media activities are not explicitly excluded from this provision, its wording appears only to fit the (albeit probably only indirect) collection of personal data resulting from activities such as CCTV and perhaps street mapping services.

⁸⁸ Greece, Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (as amended), art 11.5.

⁸⁹ Italy, Data Protection Journalism Code, art 2.1. The complete prohibition on subterfuge (artifici) is particularly far-reaching.

⁹⁰ Liechtenstein, Data Protection Act, art 5(4). It is unclear whether ‘impossibility’ is confined to technical impossibility or extends to a wider notion which would allow the purpose of processing, such as a need to collect data covertly, being taken into account. Moreover, given that the data subject will necessarily be present in cases of direct collection, it is questionable whether the provision of information to them can itself be considered to constitute a disproportionate effort.

⁹¹ Art 9 of the Luxembourg Coordinated Text of Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data provides that the rule does not apply ‘if its application would compromise the collection of data from the data subject’ but adds a general rider that the exemption only applies ‘in as far as … necessary to reconcile the right to privacy to the rules governing freedom of expression’. The article further states that the provisions are ‘[w]ithout prejudice to provisions laid down in the Law of 8 June 2004 on freedom of expression in the media’. Analysis of the stipulations of this general media statute are outside the scope of this work.

⁹² Belgium, Data Protection Act, section 3(3)(b).

⁹³ Cyprus, Processing of Personal Data (Protection of Individuals) Law, section 11(5).

⁹⁴ Denmark, Compiled Version of the Act on Processing of Personal Data, section 2.

⁹⁵ Germany, Federal Data Protection Act, section 41; Germany, Interstate Treaty on Broadcasting and Telemedia, art 57(1).

⁹⁶ Lithuania, Law on the Legal Protection of Personal Data, art 8.

⁹⁷ Netherlands, Personal Data Protection Act, art 3(1).

⁹⁸ Portugal, Art on the Protection of Personal Data, art 10(6).

⁹⁹ Slovenia, Personal Data Protection Act, art 19(3).

¹⁰⁰ In the Czech Republic information may generally not be provided only if ‘such data are necessary to exercise the rights and obligations ensuring from special Acts’ or the controller ‘is processing exclusively lawfully published personal data’ (Czech, Consolidated Version of the Personal Data Protection Act, art 11(3)). It is unclear whether the media could point to a ‘special Act’ regulating their processing. In any case, information must still always be provided in cases where the legitimating ground condition (provision (xvii)) relied upon is that the processing is ‘essential for the protection of the rights and legitimate interests’ either of himself or another person (ibid, art 5(2(e)). As explored below, this would appear to be the only legitimating ground in Czech law relevant to such media expression.

¹⁰¹ In Hungary, the limitation on the proactive provision of information is identical to that applicable as regards the proactive direct transparency (Hungary, act CXII of 2011 on Informational Self-Determination and Freedom of Information, section 20(4)).

¹⁰² In Spain, suspension requires either that such informing to be impossible or for it to be the view of the national Data Protection Authority (DPA) or a corresponding regional DPA that compliance with the rule would be disproportionate (Spain, Organic Law 15/10000 of 13 December on the Protection of Personal Data, section 5(5)). Interestingly, no such stipulation applies if the processing is deemed to be for ‘for historical, statistical or scientific purposes’. It should also be noted that according to section 5(4) of the Spanish law the actual provision of information to data subject need only take place within three months of its initial recording.

¹⁰³ Croatia, Personal Data Protection Act, art 7(4).

¹⁰⁴ Liechtenstein, Data Protection Act, art 5(4).

¹⁰⁵ Greece, Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (as amended), art 11.5. Interestingly, the general rules governing transparency in the case of indirect collection of data exclude any mention of an exemption on the grounds of disproportionate effort being possible.

¹⁰⁶ Italy, Data Protection Journalism Code, art 2.

¹⁰⁷ Given that the general Italian Data Protection Act does not grant the media an exemption from the general transparency provisions (Italy, Personal Data Protection Code, section 13), a strict interpretation would imply the former.

¹⁰⁸ Romania, Law No 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, art 12.3.

¹⁰⁹ Slovakia, Act on the Protection of Personal Data, section 10(3)(a). It is additionally stated that the exemption is not available ‘if such processing of personal data without consent of the data subject is prohibited by a special Act or an international treaty binding for the Slovak Republic’.

¹¹⁰ Luxembourg law states that ‘in so far as it is necessary to reconcile the right to privacy with the rules governing freedom of expression’ the media can avoid providing information in such cases not only when this would ‘compromise the collection of data’ but also when this would compromise ‘a planned publication, or public disclosure in any form whatsoever of the said data, or would provide information that would make it possible to identify the sources of information’ (Luxembourg, Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, art 9).

¹¹¹ Belgium, Data Protection Act, art 3(3)(b).

¹¹² Directive 95/46, art 12(a).

¹¹³ ibid art 12. The definition of automated individual decisions is given in art 15.

¹¹⁴ Bulgaria, Law for the Protection of Personal Data, art 26(2). This provision is not restricted to journalistic or other free speech cases and only protects sources who are natural as opposed to legal persons. Although these two factors initially led to a coding of a/1, it was ultimate deemed more appropriate to recognize this as a derogation, albeit of an extremely limited nature.

¹¹⁵ Hungary, act CXII of 2011 On Informational Self-Determination and Freedom of Information, section 19 read with act CIV of 2010 on Freedom of the Press and the Fundamental Rights of Media Content, art 6(1).

¹¹⁶ Italy, Personal Data Protection Code, section 138.

¹¹⁷ Romania, Law No 677/2001 on the Protection of Individual with Regard to art 13.6.

¹¹⁸ Thus, section 29(3) of the Luxembourg Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data not only provides a full exemption from disclosure of sources but also states that other data ‘must be accessed through the intermediary of the Commissioner Nationale pour la Protection des Données in the presence of the Conseil de Presse or his representative, or the Chairman of the Conseil de Presse duly called upon.’ Art 11.3 of the Portuguese Act on the Protection of Personal Data establishes a similar rule, with art 11.4 adding that if this might prejudice freedom of expression and information or the freedom of the press, the Authority will only inform the data subject of any measures taken as a result.

¹¹⁹ In Liechtenstein, the law allows for a refusal, restriction or deferral of information provision if ‘the personal data provides information as to its source’, ‘access to drafts of publications would have to be granted’, ‘the public's freedom to form an opinion would be compromised’ or if the file ‘is being used exclusively as a personal work aid’ by an individual journalist as opposed to a wider group within a media organization (Liechtenstein, Data Protection Act, art 13). Interestingly, all but the last of these exemptions is limited to ‘periodically published’ media organs. However, as this article is exploring the strength as opposed to the scope of the free speech derogation from data protection, this issue will not be further pursued.

¹²⁰ Belgium, Data Protection Act, section 3.

¹²¹ Denmark, Lov om massemediers informationsdatabaser, section 11(1).

¹²² As regards Deutsche Welle, section 41 of the Federal Data Protection Act establishes that if reporting ‘infringes the privacy of the individual, this person may request information about the recorded data relating to him/her on which the reporting was based’. However, such a request may be refused if ‘the data allow the identification of persons who are or were professionally involved as journalists in preparing, producing or disseminating broadcasts’, ‘the data allow the identification of the supplier or source of contributions, documents and communications for the editorial part’ or if ‘disclosure of the data obtained by research or other means would compromise Deutsche Welle's journalistic duty by divulging its information resources’.

¹²³ Art 57(2) of the German Interstate Treaty on Broadcasting and Telemedia Interstate Treaty on Broadcasting and Telemedia states that a person who is ‘negatively affected in his interests meriting protection’ may ‘demand information on the underlying data storage about his person’. However, such information may be denied not only if the data would allow conclusions on either ‘persons who were involved in the preparation of production or transmission’ or ‘the person of the sender or of the guarantor of contributions, documents and communications for the editorial section’ but also ‘if its provision would prejudice the journalistic task of the broadcaster by exploring the information gathered’.

¹²⁴ Netherlands, Personal Data Protection Act, art 3(1).

¹²⁵ Directive 95/46, recital 33.

¹²⁶ Art 8.6, Directive 95/46 does state, without further elaboration, that Member States ‘shall determine the conditions under which a national identification number or any other identifier of general application may be processed’. This very specific issue is outside the broad scope of interest of this article. Art 8.5 of the Directive also empowers Member States to specially protect data relating to administrative sanctions and judgments in civil cases on the same basis as data relating to offences, criminal conditions and security measures. Many of these additional classes of data could in any case be considered to fall within a very broad interpretation of provision (xv) and so will not be separately analysed.

¹²⁷ Directive 95/46, art 8.3.

¹²⁸ ibid art 8.1.

¹²⁹ ibid art 8.2.

¹³⁰ ibid art 8.2(a).

¹³¹ ibid art 20.

¹³² Liechtenstein, Data Protection Act, art 18(c).

¹³³ Czech Republic, Consolidated version of the Personal Data Protection Act, art 9. Even Czech law, however, adds the caveat that, if consent is relied upon, it must be possible for the controller to prove its existence ‘during the whole period of processing’.

¹³⁴ Croatian law sets out a full explicit consent and public domain exception for data within groups (ix)–(xiv) but as regards group (xv) data it simply states that such data must be ‘solely controlled by the competent authorities’ (Croatia, Personal Data Protection Act, art 8(2)).

¹³⁵ In Slovakia, any consent must always be in writing (Slovakia, Act on the Protection of Personal Data, art 9(1)) and, in addition, no exemption at all is provided from the requirement that group (xv) data may only be processed ‘by a person entitled to it by a special Act’ (ibid art 8(3)).

¹³⁶ In Slovenia, the public domain exemption only applies if the data subject ‘publicly announces them without any evident or explicit purpose of restricting their use’ and consent must ‘as a rule be in writing’ (Slovenia, Personal Data Protection Act, art 13).

¹³⁷ In Portugal, a DPA prior check must take place if consent is being relied upon (Portugal, Article on the Protection of Personal Data, art 7(2)) and the public domain exception is restricted to circumstances where consent for the processing in question can be ‘clearly inferred’ (ibid art 7(3)(c)).

¹³⁸ In Lithuania, consent must be in a ‘form giving an unambiguous evidence of the data subject's free will’ (Lithuania, Law on the Legal Protection of Personal Data, art 2(11)) and, in addition, a prior DPA check must take place if sensitive data is to be processed on a computer (ibid art 33(1)(1)). Processing for very limited purposes such as internal administration is excluded from this latter requirement.

¹³⁹ Spanish law does not refer to group (xv) data vis-à-vis the private sector but otherwise fails to provide a public domain exception and additionally requires that as regards group (x), (xi) and (xii) data any consent be in writing. It is additionally stipulated that ‘[f]iles created for the sole purpose of storing personal data which reveal the ideology [political opinion], trade union membership, religion, beliefs , racial or ethnic origin or sex life remain prohibited’ (Spain, Organic Law 15/1999 of 13 December on the Protection of Personal Data, art 7).

¹⁴⁰ In Hungary, there is no public domain exception and any consent must be in writing (Hungary, Act CXII of 2011 On Informational Self-Determination and Freedom of Information, section 5(2)(a)).

¹⁴¹ Greece, Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (as amended), art 7(2)(g). It should further be noted that under Greek data protection law a permit must even be obtained if processing data on the basis of consent (which in any case must be written) (art 7(2)(a)) or when such processing is justified by the fact that it relates to data which are manifestly made public by the data subject (art 7(2)(c)).

¹⁴² Belgium, Data Protection Act, art 3(3)(a).

¹⁴³ Luxembourg, Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, art 9(a). The exemption also only applies in so far as ‘necessary to reconcile the right to privacy with the rules governing freedom of expression’.

¹⁴⁴ Romania, Law No 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, art 11.

¹⁴⁵ In Cyprus, this exemption applies ‘as long as the right to privacy and family life are not violated’ (Cyprus, Processing of Personal Data (Protection of Individuals) Law, section 6(2)(i)).

¹⁴⁶ Netherlands, Personal Data Protection Act, art 3(2).

¹⁴⁷ Denmark, Lov om massemediers informationsdataaser, section 8(3)). For the purposes of this section, such sensitive information is defined as [i]nformation on individuals’ purely private matters, including information on race, religion, political, fraternal, sexual, criminal record, health, serious social problems and the abuse of stimulants and the like’ (translated from Danish).

¹⁴⁸ In sum, art 8(4) of the Danish Lov om massemediers informationsdataaser states that this restriction does not apply if ‘there is such an interest that the information is publicly available that concern for the individual's interest in ensuring that the information is erased should give way to the interest in freedom of information’ (ibid art 8(4)) (translated from Danish).

¹⁴⁹ Germany, Federal Data Protection Act, section 41; Germany, Interstate Treaty on Broadcasting and Telemedia, art 57(1).

¹⁵⁰ Italy, Personal Data Protection Code, section 137.

¹⁵¹ Art 10 of the Italian Data Protection Journalism Code provides that ‘[i] n referring to the health of an identified or identifiable person, journalists must respect his/her dignity, right to privacy and decorum especially in cases of severe or terminal diseases; they must avoid publishing analysis data of exclusively clinical interest’. Nevertheless, as a partial caveat, ‘[p]ublication is allowed for the purpose of ensuring that all material information is disclosed and by respecting a person's dignity, if such person plays an especially important social or public role’.

¹⁵² Art 11 of the Italian Data Protection Journalism Code states that journalists ‘must avoid reporting the sex life of any identified or identifiable person’. The same caveat is then stated as applies in relation to health data under art 10 (see n 151).

¹⁵³ Here, art 5 of the Code provides that when processing sensitive data ‘journalists must ensure the right to information on facts of public interest, by having regard to the materiality of such information, and avoid any reference to relatives or other persons who are not involved in the relevant events’ but adds the caveat that ‘[w]ith regard to data concerning circumstances or events that have been known either directly by the persons concerned or on account of their public conduct, the right to subsequently provide proof of the existence of lawful justification deserving legal protection is hereby left unprejudiced’. The application of art 5 of the Code to data related to criminal proceedings (category (xv)) is specified by art 12. Art 9 of the Code further requires that ‘[i]n exercising the rights and duties related to freedom of the press, journalists must respect a person's right to non-discrimination on account of his/her race, religion, political opinions, sex, personal circumstances, bodily or mental condition’.

¹⁵⁴ Directive 95/46, art 7(f).

¹⁵⁵ European Commission (n 19) 16.

¹⁵⁶ For example, the Greek Data Protection Act not only sets out a presumption that data consent will be obtained (art 5(1)) but also provides that the open-textured equivalent of art 7(1)(g) in the Directive may only be utilized when processing is ‘absolutely necessary’ for the purposes of a legitimate interest (art 5(2)(e)). Spanish law goes much further by generally preventing the open-textured condition being relied upon when data are communicated to third parties unless that data in question have been collected from publicly available sources (Spain, Organic Law 15/1999 of 13 December on the Protection of Personal Data, art 11). The Spanish provisions were held to be invalid by the CJEU in C-468/10 and C-469/10 Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and another v Administración del Estado, EU:C:2011:777.

¹⁵⁷ Liechtenstein, Data Protection Act, art 17(2)(d).

¹⁵⁸ Italy, Personal Data Protection Code, section 171.2. Again, interpretation of this exemption is complicated by the fact that, similarly to Spain, general use of the open-textured condition is excluded if processing involves ‘dissemination of the data’ (section 24(f)) unless the processing ‘concerns data taken from public registers, documents or records that are publicly available, without prejudice to the limitations and modalities laid down by laws, regulations and Community legislation with regard to their disclosure and publicity’ (section 24(c)).

¹⁵⁹ Italy, Data Protection Journalism Code, art 6.

¹⁶⁰ ibid art 3.

¹⁶¹ ibid art 7.

¹⁶² ibid art 8.

¹⁶³ Romania, Law No 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of such Data, art 11.

¹⁶⁴ Whilst Slovakian law does not set out a precise equivalent of the sixth open-textured provision, it does specifically authorize processing ‘necessary … for the purpose of informing the public by means of mass media’ unless if ‘by processing of personal data for such purpose the controller violates the data subject's right to protection of his personal rights and privacy’ (Slovakia, Act on the Protection of Personal Data, section 10(3)(a)). This provision also stipulates that such an exemption is also not available ‘if such processing of personal data without consent of the data subject is prohibited by a special Act or an international treaty binding for the Slovak Republic’.

¹⁶⁵ Denmark, Compiled Version of the Act on Processing of Personal Data, section 2.

¹⁶⁶ Germany, Federal Data Protection Act, section 41; Germany, Interstate Treaty on Broadcasting and Telemedia, art 57(1).

¹⁶⁷ Directive 95/46, art 21.2. In order not to undermine the measures taken, details related to the security of processing are excluded from the public version of the register.

¹⁶⁸ Directive 95/46, art 19.

¹⁶⁹ ibid art 18.

¹⁷⁰ ibid art 21.3.

¹⁷¹ European Commission (n 19) 28.

¹⁷² Estonian law is a clear exception to this. Here, since registration is only required when processing sensitive data (Estonia, Personal Data Protection Act, section 27) and, even in these cases, data controllers may alternatively notify the DPA of the appointment of an independent data protection officer who must keep a register of processing carried out by the data controller (ibid section 30). In tension with the Directive, Estonian law does not appear to place any duty on data controllers appointing such officers or who are otherwise not subject to registration to make otherwise registrable information available on request to members of the public.

¹⁷³ Belgium law does not provide a journalistic exemption from the duty to notify itself. However, as a result of exceptions set out in art 3(d) of its Data Protection Act, the DPA it not required to place the information received on a public register (otherwise governed by art 18 of this Act). The public would also not have any right to receive this information direct from the media itself.

¹⁷⁴ In Denmark, the Law on Mass Media Information Databases requires that the mass media notify the DPA of all internal editorial mass media electronic information databases and that the latter publish an annual list of these. Publicly available mass media information databases are also subject to notification both to the DPA and the Press Council. In both cases the notifiable information is rather narrower than that required generally under the information notification requirement. Databases which only include already published text, images, periodicals, audio or video programmes are excluded from these requirements. See Denmark, Lov om massemediers informationsdatabaser, section 1(1), 3 and 6.

¹⁷⁵ In France the media must notify the DPA of the appointment of an independent Data Protection Officer and that person must maintain a register of processing carried out by the data controller (France, Data Protection Act, art 67).

¹⁷⁶ In Latvia, an exemption is only available if no data on a person's health or offences, criminal convictions and administration violation cases are to be processed and if no data are to be transferred outside the EEA (Latvia, Personal Data Protection Law, section 21(2)(3) and section 21(3)).

¹⁷⁷ Specifically, it is necessary that files ‘are being used by journalists exclusively as a personal work aid’ or ‘used exclusively for publication in the editorially-controlled section of a periodically-published media organ’ but in this case not if data is ‘disclosed to third parties without the knowledge of the data subjects’ (Liechtenstein, Data Protection Ordinance, art 4).

¹⁷⁸ Germany, Federal Data Protection Act, section 41; Germany, Interstate Treaty on Broadcasting and Telemedia, art 57 (1).

¹⁷⁹ Hungary, act CXII of 2011 on Informational Self-Determination and Freedom of Information, section 65(3)(g). It should be noted that the exemption is not only limited to media service providers (a question concerning the definitional scope of the media which is outside the purview of this article) but is limited to processing ‘which exclusively serve their own information activities’. This could be read as imposing certain restrictions on the use of this exemption.

¹⁸⁰ Italy, Personal Data Protection Code, section 37 (journalism excluded from this listing of types of processing requiring notification).

¹⁸¹ Luxembourg, Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, art 12(2)(d).

¹⁸² Netherlands, Personal Data Protection Act, art 3(1).

¹⁸³ Slovenia, Personal Data Protection Act, art 7(3).

¹⁸⁴ European Commission (n 19) 34.

¹⁸⁵ Such duties have become more onerous in the wake of C-362/14 Maximillian Schrems v Data Protection Commissioner (2015), EU:C:2015:650. In this case, a CJEU Grand Chamber ruled inter alia that the word ‘adequate’ in art 25 must be understood as referring to ‘a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union’ (at [73]).

¹⁸⁶ At least as regards individuals posting material on the internet, the CJEU in Lindqvist (2003) held that uploading information onto an server maintained by a hosting provider established within the EU would not result in a transfer of data (at [71]). However, this somewhat narrow holding has not altered the general understanding which DPAs have adopted as regards the relationship between global publication and the transfer regime. For example, the UK Information Commissioner's Office states clearly that a data controller will be liable for an international transfer when information is ‘loaded onto the internet with the intention that the data be accessed in a third country’ and a transfer then takes place (UK, Information Commission's Office ‘The eighth data protection principle and international transfers’ (2010) <https://ico.org.uk/media/for-organisations/documents/1566/international_transfers_legal_guidance.pdf>.

¹⁸⁷ See eg Cyprus, Processing of Personal Data (Protection of Individuals) Law, section 9(1) and Portugal, Act on the Protection of Personal Data, art 19(3). The exact requirements, however, do differ.

¹⁸⁸ For example, in Spain it would appear that only the prior authorization requirement applies and not the general requirement of specific notification of transfers (Spain, Organic Law 15/1999 of 13 December on the Protection of Personal Data, arts 33 and 34).

¹⁸⁹ Ireland, Data Protection Act, section 11.

¹⁹⁰ Liechtenstein, Data Protection Ordinance, art 5. Clearly the legal value of this gloss has been reduced significantly following the CJEU's holding in Lindqvist (2003) which appeared to limit the meaning of data transfer in general and not only in media situations. See (n 186).

¹⁹¹ Romania, Data Protection Act, art 29.6.

¹⁹² The Luxembourg provision is particularly light touch since the only restriction set out is that it applies only ‘in as far as … necessary to reconcile the right to privacy to the rules governing freedom of expression’. See Luxembourg, Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, art 9. This article further states that exemption is ‘[w]ithout prejudice to provisions laid down in the Law of 8 June 2004 on freedom of expression in the media’. The stipulations of this general media statute, however, are outside the scope of this article.

¹⁹³ Belgium, Data Protection Act, art 3(3).

¹⁹⁴ Denmark, Compiled Version of the Act on Processing of Personal Data, section 2.

¹⁹⁵ Finland, Personal Data Act, section 2(5).

¹⁹⁶ Germany, Federal Data Protection Act, section 41; Germany, Interstate Treaty on Broadcasting and Telemedia, art 57 (1).

¹⁹⁷ Italy, Personal Data Protection Code, section 137(1)(c).

¹⁹⁸ Netherlands, Personal Data Protection Act, art 3(1).

¹⁹⁹ Slovenia, Personal Data Protection Act, art 7(3).

²⁰⁰ To check the stability of the overall result, four models were run, namely (i) the model as outlined, (ii) a model weighting the four data protection elements equally, (iii) a model simply averaging all 18 data protection provisions, (iv) a model giving double weighting to the data protection rules elements (regarding transparency and sensitive data) and treating the other elements equally. The models resulted in very similar average scores: (i) 0.54, (ii) 0.53, (iii) 0.55 and (iv) 0.51. Moreover, as regards the relative position of the jurisdictions, the alternative models only resulted in between one and three jurisdictions shifting by more than three positions as compared with the model eventually used. These were Cyprus in the case of (ii), Bulgaria, Cyprus and Lithuania in the case of (iii) and Cyprus and the Netherlands in the case of (iv).

²⁰¹ Directive 95/46, art 1.1.

²⁰² Radio Sweden, ‘Demand for law change after Lexbase launch’ (2014) <http://sverigesradio.se/sida/artikel.aspx?programid=2054&artikel=5768451>.

²⁰³ Gräslund, Göran, ‘Debatt viktig om grundläggande rättigheter [Debate on important fundamental rights]’ DIalog (June 2010) <http://www.datainspektionen.se/Documents/magasindirekt/magasindirekt-10-01.pdf>.

²⁰⁴ Erdos, D, ‘Exploring the Expansive yet Diverse Interpretative Stance of European Data Protection Authorities as regards Freedom of Expression on the “New Media”’ (2015) 40 ELRev 550–2Google Scholar groups EEA jurisdictions into five categories arrayed along a 0, 1 scale from those with the narrowest through to the broadest approach to art 9 derogations. The Spearman's rho correlation between these scope figures and the data presented in this article is −0.598 with a two-tailed significance value of 0.00.

²⁰⁵ Keller (n 6) 331.

²⁰⁶ In C-230/14 Weltimmo v Nemzeti Adatvédelmi és Információszabadság Hatóság, EU:C:2015:639 the CJEU adopted a ‘flexible definition’ (at [29]) of the concept of national establishment within EU data protection stressing that it would be satisfied if there was ‘any real and effective activity—even a minimal one— exercised through stable arrangements’ (at [31]). It further stressed that, even if this establishment did not itself engage in the relevant processing, national jurisdiction would be triggered so long this processing took place ‘in the context of’ the establishment's activities (at [35]).

²⁰⁷ For the full overview see Electronic Privacy Information Center, ‘Investigations of Google Street View’ (2010) <http://epic.org/privacy/streetview/>.

²⁰⁸ Google, ‘Google Dublin (EU HQ)’ (n.d.) <https://www.google.co.uk/about/careers/locations/dublin/>.

²⁰⁹ C-468/10 and C-469/10 Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) at [29].

²¹⁰ Directive 95/46, art 1.

²¹¹ United Kingdom, Leveson Inquiry, An Inquiry into the Culture, Practices and Ethics of the Press: Report, (Stationery Office 2012).

²¹² Directive 95/46, recital 42.

²¹³ Thorgeirson v Iceland (1992) 14 EHRR 843 at [68].

²¹⁴ Such a complete exemption remains a demand of many of those lobbying on behalf of the European media. See European Newspaper Publishers' Association, ‘Newspaper publishers warn of risk to press freedom and distribution in proposed EU Data Protection Regulation’ (2013) <http://www.enpa.be/en/news/newspaper-publishers-warn-of-risk-to-press-freedom-and-distribution-in-proposed-eu-data-protection-regulation_109.aspx>.

²¹⁵ European Commission, Proposal for a General Data Protection Regulation COM (2012) 11 final.

²¹⁶ European Commission, Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century, COM (2012) 9 final, 7.

²¹⁷ V Reding, ‘Privacy matters – Why the EU needs new personal data protection rules [speaking notes]’ (2010) <http://europa.eu/rapid/press-release_SPEECH-10-700_en.htm?locale=en>.

²¹⁸ Directive 95/46, art 9.

²¹⁹ Proposed Regulation (n 215) art 80.

²²⁰ European Parliament, Legislative Resolution of 12 March 2014 on the Proposal for a General Data Protection Regulation <http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN&ring=A7-2013-0402>. In referring to a general reconciliation between data protection and freedom of expression, the Parliament's wording also clearly expanded the scope of this clause well beyond journalism and similarly special forms of expression. For an analysis of some of the conceptual difficulties of this approach see Erdos, D, ‘From the Scylla of Restriction to the Charybdis of Licence? Exploring the Scope of the ‘Special Purposes’ Freedom of Expression Shield in European Data Protection’ (2015) 52 CMLRev 144–51Google Scholar.

²²¹ Council of the EU, Document 9565/15 (Annex) (11 June 2015) art 80.2 <http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf>.

²²² In this regard, it should be noted that, during the final reading on the Parliament's Resolution, the Rapporteur on the Regulation Jan Albrecht MEP stated ‘The existing data protection law already provides for reconciliation of data protection and freedom of expression by the Member States, which is exactly what we ensure in Article 80. Nothing will change for journalists in this regard[.]’ European Parliament, Debates, 11 March 2014 <http://www.europarl.europa.eu/sides/getDoc.do?type=CRE&reference=20140311&secondRef=ITEM-013&language=EN>. This conservative statement may partly be explained by the strong pressure which media organizations were exerting at this time for a complete and absolute exemption from the Regulation.

²²³ European Commission, High Level Group on Media Freedom and Pluralism, A Free and Pluralistic Media to Sustain European Democracy (2013) <https://ec.europa.eu/digital-agenda/sites/digital-agenda/files/HLG%20Final%20Report.pdf>.

²²⁴ Or in the case of the affiliated EEA members, the EFTA Surveillance Authority and the EFTA Court.