Dr David Erdos
University of Cambridge
Why An Interface? GDPR Material Scope
• Personal data broadly conceived:
• So long as remains identifiable:
• And (private sector) digital processing takes place:
“wide scope … not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective … provided that it ‘relates’ to the data subject … by reason of its content, purpose or effect”
Exclusion only “prohibited by law or practically impossible … so that risk of identification appears in reality insignificant.”
“any operation … which is performed on personal data”
Luxembourg CNPD
Why A Tension? GDPR’s Wide Default Duties
Personal Data Processing
DP Principles
• Fair, lawful, transparent
• Purpose quality & limits
• Information quality & limits
• Integrity & confidentiality
Legal Basis
• Legitimating Criteria
Transparency & Control
• Proactive Direct
• Proactive Indirect
• Subject Access
• Control rights – RtbF, objection
Sensitive Data
• Criminal Data
• Other: Political, Religious, Trade union
Discipline
• Demo compliance
• Security
• Record-keeping
• DP Officer
• Joint Controller agreements
• Processor agreements
• Impact Assessments
• DPA Consultation
• Data Exports
Oversight
• Courts
• DP Authorities
Journalism: A Special Case in EU DP Law
• Largely mirrors previous provisions in DP Directive.
• Thus, Article 85(2) itself provides that:
• Meanwhile Recital 153 stresses:
  o Should interpret journalism “broadly” to cover inter alia “news archives and press libraries”.
  o Only “certain provisions” require derogations (N.B. art. 85(2) itself excludes chapter on remedies, liabilities & penalties).
  o Only should adopt limits where “necessary for the purpose of balancing” fundamental rights.
“For the processing carried out for journalistic purposes … Member States shall provide exemptions or derogations … if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.” (GDPR, art. 85(2))
State Law: Formal Substantive Outcomes
• Wide divergences ranging from no explicit limitation (e.g. Spain, Croatia) to complete exemption (e.g. Sweden and Norway).
• But vast majority do subject journalism to qualified DP standards, often based on a modified version of the data protection principles.
• There is evidence of broad continuity here as compared with the DP Directive era.
Local Law: Formal Regulatory Outcomes
[Bar chart: Full Supervision / Partial Supervision / No Supervision; series: DPD and GDPR (as at Autumn 2018); axis 0% to 80%]
DP: New Status as Fundamental Legal Right
1. Everyone has the right to the protection of personal data
concerning him or her.
2. Such data must be processed fairly for specified purposes
and on the basis of the consent of the person concerned or
some other legitimate basis laid down by law. Everyone has
the right of access to data which has been collected
concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an
independent authority.
Resource Constraints on DPAs
• DPAs also suffer from severe resource constraints.
• Average 2017 budget of only around 5m (including for non-DP functions).
• Total budget of perhaps 120m & only increased by c. 15% in last five years.
• In contrast, Ofcom in UK alone had budget of 141m in same period.
How should DPAs interface with Journalism?
• DPAs are constrained legally, financially and perhaps also epistemically in this area.
• But they generally retain important albeit sensitive role here as “the guardian” of data protection rights.
• Drawing on past experience, need to explore how that role might best be discharged vis-à-vis:
  o Standards-setting, and
  o Enforcement.
DPAs and Standard-Setting: DPD Experience
• Around 65% of national DPAs did publish guidance here but in most cases very limited.
• 2013 DPA survey probing detailed understanding found different DP aspects approached very differently:
  o Undercover journalism – permissive approach (around 60% either exempt or apply weak public interest test).
  o Subject Access – much stricter (around 1/3 back full access minus sources).
• This divergence was in turn linked to whether issue dealt with (in some way) via self-regulatory codes.
DPAs, Standard-Setting and Self-Regulation
• Clear case for DPAs interfacing with self-regulation:
  o Core exercise of freedom of expression,
  o Self-regulatory expertise.
• But DPAs need to be active participants here:
  o Tackle epistemic & economically-motivated bias,
  o Protect children & other vulnerable data subjects,
  o Ensure due attention is given to legal framework,
  o Ensure coherent development of regulation,
  o Ensure focus on impact of new technology – algorithms, data journalism, drones, digital archives etc.
Codes of Conduct (A 40): A Possible Approach
“1. The … supervisory authorities … shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking into account the specific features of the various processing sectors …
2. Associations and other bodies representing categories of controllers or processors may prepare or amend such codes for the purpose of specifying the application of this Regulation ….
…
5. Associations and other bodies … shall submit the draft code, amendment or extension to the supervisory authority … The supervisory authority shall provide an opinion on whether the draft … complies with the Regulation and shall approve … if it finds it provides sufficient appropriate safeguards.”
DPA Guidance: Need for Publicity
Targeted Publicity
• Media Organisations
• Journalists (Freelance)
• Legal & Judicial Community
• General Public
DPA Enforcement: Context & Experience
• Context:
  o Even more sensitive area than standard-setting.
  o Enforcement can also be very expensive.
  o Pure “advise & persuade” strategy is clearly flawed.
• DPA Experience:
  o 2013 Survey suggested around ½ carried out enforcement.
  o But actions generally very selective, focused on:
    - Intimate private life (especially re: sensitive data),
    - Data linked to key social relationships (e.g. ID numbers).
  o Self-regulation cited but little evidence of strategic approach.
Monitoring Bodies: A. 41(2) Standards
“A body … may be accredited [by the DPA] to monitor compliance with a code of conduct where that body has:
a) Demonstrated its independence and expertise…
b) Established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
c) Established procedures and structures to handle complaints about infringements … and to make those procedures and structures transparent to data subjects and the public; and
d) Demonstrated … that its tasks and duties do not result in a conflict of interests.”
DPA Enforcement: How Much Deference?
No Self-Regulatory Body
- Fully independent assessment.
- “Advise and persuade” not ruled out.
- But use of formal powers more likely.
Non-Accredited Body
- Encourage use by data subjects.
- Take into account, liaise and cooperate.
- But ultimately independent assessment.
Accredited Body
- Meta-regulatory review.
- Reasonableness standard otherwise.
- Intervene in serious individual cases.
What role for European DP Board?
• Media regulation could interface with “consistency mechanism”.
• But even if the case, “hard” intervention should be avoided:
  o Local DPAs best placed to interpret widely divergent local laws,
  o Media generally remains strongly locally orientated,
  o Such intervention likely to be counter-productive.
• Even so, the EDPB could usefully engage in “soft” action:
  o Forum for especially small DPAs to work through common issues,
  o There is increasing “mutual interpenetration” of media sectors,
  o Soft guidance could lead to slow development of common norms.
Conclusions
• DP interface with media is sensitive & diverse.
• Regulatory resources are also very scarce.
• But DPAs almost always retain important role as “the guardian” of DP in this space.
• Argued that both re: standards & enforcement, role best fulfilled via co-regulatory, strategic approach.
• EDPB should play “soft” role here but avoid “hard”/coercive action.

GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
