The Development of European Data Protection Law and Regulation

This chapter explores the development of European data protection, both as a codified form of regulation and as a human right, from its inception to the present day. In contrast to more ʻclassicalʼ rights, such as freedom of expression and even privacy, data protection only emerged as a discrete concept with the rise of computer power in the 1970s. The focus in Europe from this time has been on elaborating a progressively more detailed and harmonized regulatory code to govern the processing of personal data across the EU and wider European Economic Area (EEA). Advisory Council of Europe Resolutions in the 1970s led to a binding but optional Data Protection Convention in the 1980s, to a mandatory Data Protection Directive in the 1990s, and finally to a General Data Protection Regulation (GDPR) in the 2010s which is directly applicable across the EU. In addition, data protection has increasingly been recognized as a fundamental right and, in particular, was included within the EU Charter that was drafted in 2000 and acquired pan-EU legal status in 2009. These developments have dovetailed with the emergence of a significant body of relevant Court of Justice of the EU (CJEU) jurisprudence. However, the regulatory Data Protection Authorities (DPAs) also remain critical interpretative actors and have issued a number of important opinions including through the Article 29 Working Party that under the GDPR has become the European Data Protection Board.

The Future Shape of European Data Protection Regulation and Professional Journalism

This chapter explores the approach European Data Protection Authorities (DPAs) should take to their role vis-à-vis the professional journalistic media under the General Data Protection Regulation (GDPR). Such an approach must take into account the contextual trend within European Court of Human Rights case law, the growth of a stricter Court of Justice of the European Union data protection jurisprudence, and continuing severe resource constraints. In the area of standards, DPAs should endorse a broad construction of the journalistic derogation that encompasses news/media archives but should also promote a specific and structured approach to contextual balancing within this derogation. Such detailed standard-setting raises acute sensitivities. Therefore, guidance should be formulated through a co-regulatory process which adopts the GDPR’s code of conduct provisions as a broad guideline. Enforcement remains even more delicate, potentially very expensive, but nevertheless vital. A strategic co-regulatory approach is appropriate here too. DPAs should encourage self-regulatory monitoring mechanisms and, in cases where these meet the criteria laid down in the GDPR, should defer to them other than when particular systematic or serious issues arise. If such criteria are not satisfied, DPAs need to deploy their powers proactively across the board. Finally, where no self-regulatory mechanism exists, DPAs must independently ensure a proportionate response to all complaints and issues that arise. Media regulation rightly remains largely within State jurisdiction. Therefore, the European Data Protection Regulation should avoid coercive intervention here. Nevertheless, it should play a valuable ʻsoftʼ role through drafting non-binding guidance and promoting information exchange, dialogue, and cooperation.

Second-Generation European Data Protection and Professional Journalism

Drawing on the results of an extensive questionnaire of European Data Protection Authorities (DPAs), this chapter explores these regulators’ substantive orientation and detailed approach to standard-setting in the area of professional journalism under the Data Protection Directive. As regards news production, a large majority of DPAs accepted that the special expressive purposes derogation was engaged. Notwithstanding a greater emphasis on an internal balancing of rights within default data protection norms, this also remained the plurality view also as regards news archives. Detailed standard-setting was explored through hypothetical scenarios relating to undercover investigative journalism and data subject access demands made of journalists. It was found that, notwithstanding conflicts in many cases with statutory transparency and sensitive data provisions, all DPAs accepted the essential legitimacy of undercover journalism and over one-third only required that such activity conform to a permissive public interest test that didn’t explicitly incorporate a necessity threshold. In contrast, a much stricter approach was taken to the articulation of standards relating to subject access, with over one-third arguing that, aside from protecting information relating to sources, journalists would be obliged to comply with the default rules here in full. This difference may be linked to the divergent treatment of these issues within self-regulatory media codes: whilst almost all set down general ‘ethical’ norms applicable to undercover journalism, almost none did so as regards subject access. Despite the general tendency to ‘read down’ statutory provisions relating to undercover journalism, the severity of a DPAs’ approach to each scenario remained strongly correlated with the stringency of local law applicable to journalism.

First-Generation European Data Protection Regulation and Professional Journalism

This chapter explores the interface between professional journalism and early efforts at European data protection regulation prior to the genesis of the Data Protection Directive in the 1990s. Despite some pan-European efforts to explore this interaction including through the Council of Europe’s Committee of Experts on Data Protection, European States took a strongly divergent approach to this from the beginning. In many cases, a clear gap—generally in favour of the media—was apparent between the statutory requirements laid down in law and practical implementation on the ground. Nevertheless, a number of Nordic Data Protection Authorities made a sustained and far-reaching attempt to constrain media databases including, in some cases, by banning publicly available electronic news archives entirely and heavily regulating internal record-keeping or press libraries. This regulation was particularly focused on ensuring a right to be forgotten, to rehabilitation, and to the rectification of inaccuracies. However, this stringent approach came under sustained attack especially following the birth of the World Wide Web. The end of the period was marked by a growing consensus that most journalistic activity did fall within the scope of data protection but that wide-ranging derogations from its default norms were necessary in order to safeguard freedom of expression.

Balancing on a Tightrope in an Age of New Online Media?

This chapter explores the significance of the book’s empirical and normative study of the interface between European data protection regulation and professional journalists, artists, and both academic and non-academic writers within the contemporary online media. The study has elucidated practical attempts at regulating professional journalism through a contextual rights-balancing paradigm, argued that this should be generalized to other traditional publishers, and proposed that it be systematically developed through co-regulation and strategic enforcement. It is contended that, notwithstanding the rise of new online media, an examination of the regulation of traditional publishers still has strong significance in and of itself. These actors continue to possess disproportionate information power and perform a vital role in distilling, explaining and putting new information and ideas into the public realm. The themes of the book may also contribute to thinking on new online media regulation. Whilst such media often does not orientate itself towards a public discourse, some kind of contextual balancing (even if often internal to default data protection norms) remains necessary. Co-regulation, encompassing not just platforms but also users, could also play some role in specifying that (albeit stricter) balance. Finally, not least given the severe resource constraints of Data Protection Authorities (DPAs), strategic enforcement is likely to be necessary in this context also. Through engagement with both traditional and new media, data protection is becoming a holistic regulator of the information ecosystem, thereby highlighting its importance within contemporary society.

European Data Protection Regulation and ‘Non-Journalistic’ Traditional Publishers

This chapter explores both the statutory law applicable and the regulatory approach taken to the activity of professional artists and writers outside journalism under European data protection as it developed until the end of the Data Protection Directive (DPD) era. It is found that no pan-European data protection instrument prior to the DPD addressed this interface and such a lacuna was also reflected in the majority of first-generation data protection laws adopted at State-level. In contrast, the DPD provides special (but not absolute) derogations not just for ‘journalistic purposes’ but also for ‘literary and artistic expression’ and this was reflected in the second-generation laws of approximately two-thirds of European Economic Area (EEA) States. Despite falling within data protection’s scope, Data Protection Authorities (DPAs) have generally avoided addressing these actors’ positions. In the early period, the Swedish DPA proved a partial exception to this by publishing guidance on media created on CD-ROMs and even attempted to set license conditions for the use of a computer to produce a book manuscript. Under second-generation data protection, both the Italian and Maltese DPAs issued some specific guidance and the Italian and Slovenian engaged in concrete enforcement. These interventions pointed to a lack of consistency as regards applicable norms. Thus, whilst the Italian DPA crafted a deferential approach based on contextual rights balancing, the Maltese and Slovenian DPAs developed a much more peremptory and restrictive perspective at least as regards photographic images.

Second-Generation European Data Protection and Professional Journalism

This chapter explores the legislative interface between data protection and the professional journalistic media under the Data Protection Directive (DPD) and then examines the formal regulatory guidance produced by European Data Protection Authorities (DPAs) during the same period. Despite the DPD’s emphasis on ensuring a careful balancing between equally fundamental rights, statutory provisions at State level were profoundly divergent. In broad terms, Northern European States tended to grant journalism sweeping exemptions from data protection, whilst Southern and Eastern European States set down tough standards even in this sensitive area. These media system differences mapped on to broader cultural fissures concerning individualism, uncertainty avoidance, and attitudes towards power inequalities. In the great majority of cases the national DPA retained a supervisory role in this area and over 60 per cent of these bodies, as well as the Article 29 Working Party, had published some statutory guidance. However, this guidance was often confined to a brief elucidation of the importance of contextual rights balancing coupled, in a number of cases, with an emphasis on promoting a co-regulatory connection between statutory supervision and self-regulation. A minority of DPAs did produce much more extensive guidance focusing especially on children’s rights over data, image rights and visual/audio-visual content, and the right to be forgotten and digital news/media archives.

The Development of European Human Rights and Freedom of Expression Law

This chapter explores the legal protection of freedom of expression across Europe and situates this within the broader development of protections for civil and political rights. It argues that such protections have deep philosophical and jurisprudential roots within the European tradition and were further formalized including through the European Convention on Human Rights (ECHR) after the Second World War. Nevertheless, it was not until the 1970s that legal enforcement of these protections became widespread. The chapter considers the extensive ECHR jurisprudence that has since developed, including its special protection of ʻpublic interestʼ and, to a lesser extent, artistic expression. It considers the claim that this case law privileges the Press, arguing instead that it accords respect for the vocational task of a range of professional actors including both academics and audio-visual media. It also elucidates the much more limited but deepening jurisprudence of the Court of Justice of the EU (CJEU). Finally, the chapter considers the extent to which European States have felt it necessary to codify the rights and limits of core instances of freedom of expression such as journalism. Great divergence on this issue are apparent. Such codification is common (but increasingly contested) in the audio-visual media sector throughout Europe and in a much wider area in several civil law jurisdictions. On the other hand, extensive legal codification has been seen as inappropriate in many other contexts, with preference being given instead to the elucidation of detailed norms through ʻsoftʼ guidance and self-regulation.

Introduction

This chapter introduces the tension between European data protection regulation and freedom of expression, including the heightened form this tension assumes as regards the activity of professional journalists and other traditional publishers. These actors not only play a central role in public discourse but also often possess a disproportionate ability to gather, process, and disseminate personal data. It is therefore important both to examine how these interactions have played out at different times, in different places and contexts, and to consider how they might best evolve across the European Economic Area (EEA) under the new European Union (EU) General Data Protection Regulation (GDPR). The concept of traditional publishers is often equated to professional journalists and the institutional media but should also encompass professional artists and writers including academics. The chapter delineates the scope of this empirical and normative study, explores the key concepts deployed, and elucidates the methodological approach adopted.

‘Non-Journalistic’ Traditional Publishers and Third-Generation European Data Protection Regulation

This chapter explores the interface between data protection and professional artists and (academic and non-academic) writers both in the formal law under the General Data Protection Regulation (GDPR) and in terms of the approach that should be adopted by Data Protection Authorities (DPAs) here. The GDPR mandates that States set down derogations as are ‘necessary’ to reconcile data protection with not only journalism but other special forms of expression, namely artistic, literary, and (in a new departure) academic expression. Moreover, with a few exceptions, States grant all these forms of expression comparable shields within their statutory laws. However, contrary to the GDPR itself, most do not expressly extend these shields to ‘knowledge facilitation’ activities such as scientific research. This could undermine protections for academic expression. It is, therefore, imperative that DPAs adopt a purposive interpretation which ensures that all processing orientated towards contributing to public knowledge or discourse can benefit from these shields even if the activity could also be conceptualized as, for example, scientific research. Nevertheless, DPAs should develop specific standards and an enforcement strategy that recognizes that these shields are qualified. Both should foster co-regulatory engagement. However, co-regulation remains challenging here as a result of the entirely informal nature of norms amongst non-academic artists and writers and the dominance of a biomedical approach within many academic institutions which is alien to the much of the work in the social sciences and the humanities. DPAs will, therefore, need to be proactive rather than reactive in this area.