Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope


Published on

How is and should the future of data protection regulation of the journalistic media develop under the GDPR? State law in this area remains highly divergent but the great majority do recognise that qualified data protection requirements and partial regulatory supervision should apply here. This points to a continuing, albeit sensitive, role for DPAs. But these authorities have many other demands and remain highly resource constrained. It is argued that a co-regulatory synergy between self- and statutory regulation provide the best mechanism to elucidate the necessary detailed balanced standards and for monitoring these. DPAs should develop a strategic approach including through according greater deference to self-regulatory bodies which take data protection standards and this balancing task seriously. The codes of conduct and monitoring provisions in articles 40 and 41 of the GDPR may be deployed directly here or at least provide a guide for a sui generis approach, with the new European Data Protection Board playing a facilitative rather than a controlling role.
N.B. These slides are based on a talk I gave at a joint HEC Paris Law Department and Science Po Law School seminar on 30 November 2018. I am grateful for the feedback I received there.
N.N.B. Please note that the chart in Slide Six unfortunately failed to display that as of Autumn 2018 approximately 40% of statutory data protection laws enacted by EEA jurisdictions still subject journalism to full DPA supervision.

Published in: Law
  • Be the first to comment

  • Be the first to like this

GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope

  1. 1. Dr David Erdos University of Cambridge
  2. 2. Why An Interface? GPDR Material Scope  Personal data broadly conceived:  So long as remains identifiable:  And (private sector) digital processing takes place: “wide scope … not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective … provided it that it ʻrelatesʼ to the data subject … by reason of its content, purpose or effect” Exclusion only “prohibited by law or practically impossible … so that risk of identification appears in reality insignificant.” “any operation … which is performed on personal data” Luxembourg CNPD
  3. 3. Why A Tension? GDPR’s Wide Default Duties Personal Data Processing DP Principles • Fair, lawful, transparent • Purpose quality & limits • Information quality & limits • Integrity & confidentiality Legal Basis • Legitimating Criteria Transparency & Control • Proactive Direct • Proactive Indirect • Subject Access • Control rights – RtbF, objection Sensitive Data • Criminal Data • Other: • Political, • Religious, • Trade union Discipline • Demo compliance • Security • Record-keeping • DP Officer • Joint Controller agreements • Processor agreements • Impact Assessments • DPA Consultation • Data Exports Oversight • Courts • DP Authorities
  4. 4. Journalism: A Special Case in EU DP Law  Largely mirrors previous provisions in DP Directive.  Thus, Article 85(2) itself provides that:  Meanwhile Recital 153 stresses: o Should interpret journalism “broadly” to cover inter alia “news archives and press libraries”. o Only “certain provisions” require derogations (N.B. art. 85(2) itself excludes chapter on remedies, liabilities & penalties). o Only should adopt limits were “necessary for the purpose of balancing” fundamental rights. “For the processing carried out for journalistic purposes … Member States shall provide exemptions or derogations … if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.” (GDPR, art. 85(2))
  5. 5. State Law: Formal Substantive Outcomes  Wide divergences ranging from no explicit limitation (e.g. Spain, Croatia) to complete exemption (e.g. Sweden and Norway).  But vast majority do subject to journalism to qualified DP standards, often based on modified version of the data protection principles.  There is evidence of broad continuity here as compared with the DP Directive era.
  6. 6. Local Law: Formal Regulatory Outcomes 0% 10% 20% 30% 40% 50% 60% 70% 80% Full Supervision Partial Supervision No Supervision DPD GDPR (as at Autumn 2018)
  7. 7. DP: New Status as Fundamental Legal Right 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
  8. 8. Resource Constraints on DPAs  DPAs also suffer from severe resource constraints.  Average 2017 budget of only around 5m (including for non-DP functions).  Total budget of perhaps 120m & only increased by c. 15% in last five years.  In contrast, Ofcom in UK alone had budget of 141m in same period.
  9. 9. How should DPAs interface with Journalism?  DPAs are constrained legally, financially and perhaps also epistemically in this area.  But they generally retain important albeit sensitive role here as “the guardian” of data protection rights.  Drawing on past experience, need to explore how that role might best be discharged vis-à-vis:  Standards-setting, and  Enforcement.
  10. 10. DPAs and Standard-Setting: DPD Experience  Around 65% national DPAs did publish guidance here but in most cases very limited.  2013 DPA survey probing detailed understanding found different DP aspects approached very differently:  Undercover journalism – permissive approach (around 60% either exempt or apply weak public interest test).  Subject Access - much stricter (around 1/3 back full access minus sources).  This divergence was in turn linked to whether issue dealt with (in some way) via self-regulatory codes.
  11. 11. DPAs, Standard-Setting and Self-Regulation  Clear case for DPAs interfacing with self-regulation:  Core exercise of freedom of expression,  Self-regulatory expertise.  But DPAs need to be active participants here:  Tackle epistemic & economically-motivated bias,  Protect children & other vulnerable data subjects,  Ensure due attention to given to legal framework,  Ensure coherent development regulation,  Ensure focus on impact of new technology – algorithms, data journalism, drones, digital archives etc.
  12. 12. Codes of Conduct (A 40): A Possible Approach Ff1. The … supervisory authorities … shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking into account the specific features of the various processing sectors … 2. Associations and other bodies representing categories of controllers or processors may prepare or amend such codes for the purpose of specifying the application of this Regulation …. … 5. Association and other bodies … shall submit the draft code, amendment or extension to the supervisory authority … The supervisory shall provide an opinion on whether the draft … compies with the Regulation and shall approve … if it finds it provides sufficient appropriate safeguards.”
  13. 13. DPA Guidance: Need for Publicity Targeted Publicity Media Organisations Journalists (Freelance) Legal & Judicial Community General Public
  14. 14. DPA Enforcement: Context & Experience  Context:  Even more sensitive area than standard-setting.  Enforcement can also be very expensive.  Pure “advise & persuade” strategy is clearly flawed.  DPA Experience:  2013 Survey suggested around ½ carried out enforcement.  But actions generally very selective, focused on:  Intimate private life (especially re: sensitive data),  Data linked to key social relationships (e.g. ID numbers).  Self-regulation cited but little evidence of strategic approach.
  15. 15. Monitoring Bodies: A. 41(2) Standards FfA body … may be accredited [by the DPA] to monitor compliance with a code of conduct where that body has: a) Demonstrated its independence and expertise… b) Established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation; c) Established procedures and structures to handle complaints about infringements … and to make those procedures and structures transparent to data subjects and the public; and d) Demonstrated … that its tasks and duties do not result in a conflict of interests.
  16. 16. DPA Enforcement: How Much Deference? No Self-Regulatory Body - Fully independent assessment. - “Advise and persuade” not ruled out. - But use of formal powers more likely. Non-Accredited Body - Encourage use by data subjects. - Take into account, liase and cooperate. - But ultimately independent assessment Accredited Body - Meta-regulatory review. - Reasonableness standard otherwise. - Intervene in serious individual cases
  17. 17. What role for European DP Board?  Media regulation could interface with “consistency mechanism”.  But even if the case, “hard” intervention should be avoided:  Local DPAs best placed to interpret widely divergent local laws,  Media generally remains strongly locally orientated,  Such intervention likely to be counter-productive.  Even so, the EDPB could usefully engage in “soft” action:  Forum for especially small DPAs to work through common issues,  Is increasing “mutual interpenetration” of media sectors.  Soft guidance could lead to slow development of common norms,
  18. 18. Conclusions  DP interface with media is sensitive & diverse.  Regulatory resources are also very scare.  But DPAs almost always retain important as “the guardian” of DP in this space.  Argued that both re: standards & enforcement, role best fulfilled via co-regulatory, strategic approach.  EDPB should play “soft” role here but avoid “hard”/coercive action.