4 GDPR applied to journalism
4.1 The GDPR in a nutshell
The GDPR is intended to contribute to the creation of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons (Recital 2). It aims to guarantee an adequate balance between data protection and privacy and other fundamental rights, such as freedom of speech.
The Regulation is mainly focused on the processing of personal data, that is, “any information about an identifiable living person which is (or will be) stored on a computer or other digital device, or filed in an organized filing system where it can be easily found” (ICO, 2). Therefore, it focuses on any structured data that reveals information about a living person. Handwritten notes are not considered personal data, for example. However, if someone transfers those notes to a computer and organizes them, they will become personal data.
Similarly, anonymized information is not personal data, but it should not be confused with pseudonymized information, that is, information that might be linked to a person (see the conceptualization below). Information that refers to deceased people is not protected by the GDPR either, even though its publication may generate problems related to the right to honor or public image. On the other hand, the fact that a piece of data is public or private does not change its nature as personal data. It may, however, have consequences for the lawfulness of its processing.
4.2 The legal bases for data processing
In general, no personal data can be processed without a legal basis. Article 6 of the Regulation sets forth six legal grounds that legitimise processing, namely:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Three legal bases for processing usually apply to journalists: consent, public interest, and legitimate interest. They will be explored in detail in section 5.3.
4.3 The special categories of data
Some data are specially protected by the GDPR and journalists must be extremely careful if they intend to process them. The special categories of data comprise: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
A controller can only process these data if he or she has a legal ground under article 6 of the GDPR and one of the circumstances that lift the ban imposed on their processing by article 9.1 applies. The circumstances are listed in article 9.2 of the GDPR. In principle, explicit consent by the subject who provides the information, or public disclosure by the person to whom the information relates, seem the most promising circumstances. In any case, the controller must always consider that, since this type of data is particularly sensitive, he or she should only disclose it if a substantial public interest applies. In the following table you can find a compilation of the jurisprudence of the ECtHR provided by the Guidelines on Safeguarding Privacy in the Media.
Regarding this issue, the ICO has stated that “if the information is ‘sensitive personal data’ organisations must also meet one of the following conditions: - The person has given their explicit consent. - The information has already been made public as a result of steps that person has deliberately taken. It’s not enough that it’s already in the public domain – it must be the person concerned who took the steps which made it public.” (ICO, 41).
4.3.1 Jurisprudence by the ECtHR about health data processing for journalistic purposes
In Fürst-Pfeifer v. Austria, an article about a registered psychological expert for court proceedings was published in December 2008 on a regional news website. The article stated in particular that the psychological expert suffered from psychological problems such as mood swings and panic attacks but had been working as a court-appointed expert for many years. According to the Court, a serious debate on the mental health status of a psychological expert, evoked by reasoned suspicions, has to be seen as a debate of general interest, as an expert in court proceedings is required to meet standards of physical and psychological fitness.
In Armonienė v. Lithuania, the largest national daily newspaper published details about the medical condition of a private person who was suffering from HIV. After the person concerned died, his wife continued legal proceedings. The Court found that publicly disclosing the husband’s state of health and indicating his full name, surname and residence was not in the public interest. By confirming information on the husband’s illness, the employees at the AIDS centre could have negatively affected the willingness of others to be voluntarily screened for HIV.
In Mitkus v. Latvia, the newspaper violated a prisoner’s privacy when it reported that he was infected with HIV. The article included a picture, although the national judicial authorities had prohibited its publication. The Court found that since the prisoner’s features were clearly visible (his first name and the first letter of his surname, details of his criminal record and place of imprisonment were mentioned), it was perfectly possible that his fellow prisoners and other persons could identify him and behave differently to him based on this state of health.
4.4 The subject’s rights and the controller’s duties
Finally, it is essential to mention that the GDPR provides data subjects with some essential rights that must be respected, unless derogations and exceptions are applicable. These include:
The right to access. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information regarding issues such as the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, etc. (see article 15 of the GDPR).
The right to rectification. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’). The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay when the circumstances listed in article 17 of the GDPR apply.
Right to restriction of processing. The data subject shall have the right to obtain from the controller restriction of processing where the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; or the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; or the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format.
Furthermore, there are two essential duties that the controller must take care of according to the GDPR:
Duty to provide the data subject with information, whether or not the personal data are collected from them. This includes information about the identity and the contact details of the controller and, where applicable, of the controller’s representative, the contact details of the data protection officer, where applicable, the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, etc. (see articles 13 and 14 of the GDPR).
Notification obligation regarding rectification or erasure of personal data or restriction of processing. The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
4.5 The main concepts
Several concepts are particularly relevant in the context of the GDPR, and journalists must be aware of their meaning. These are:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.