• Welcome
  • 1 Introduction
  • 2 The European legal framework
  • 3 The journalistic exemption in the GDPR
    • 3.1 Introduction and background
    • 3.2 The personal scope of the exemption
    • 3.3 Processing personal data: the material scope
    • 3.4 The condition for the exemption
      • 3.4.1 Kurisprudence by the European Court of Human Rights about the concept of public interest
    • 3.5 The material scope of the exception
    • 3.6 Applicable regulation
  • 4 GDPR applied to journalism
    • 4.1 The GDPR in a nutshell
    • 4.2 The legal bases for data processing
    • 4.3 The special categories of data
      • 4.3.1 Jurisprudence by the ECtHR about health data processing for journalistic purposes
    • 4.4 The subject’s rights and the controller’s duties
    • 4.5 The main concepts
  • 5 The Principles applied to journalism
    • 5.1 Introduction
    • 5.2 Lawfulness, fairness and transparency
    • 5.3 Choosing a legal basis for processing
      • 5.3.1 Consent
      • 5.3.2 Public interest
      • 5.3.3 Legitimate interest
    • 5.4 Purpose limitation
    • 5.5 Data minimisaton
    • 5.6 Accuracy
    • 5.7 Storage limitation
    • 5.8 Integrity and Confidentiality
    • 5.9 Accountability
  • 6 Additional issues
    • 6.1 Subject access requests
    • 6.2 Confidential sources
    • 6.3 Minors and vulnerable population
    • 6.4 Takeaway points
    • 6.5 Questions & Answers
  • 7 Glossary (art. 4 GDPR excerpt)
  • 8 Annex I. The balancing test
    • 8.1 Introduction
    • 8.2 The issue of the additional safeguard
    • 8.3 Some examples of balancing test
      • 8.3.1 Example 1
      • 8.3.2 Example 2
    • 8.4 DOs and DON’Ts
      • 8.4.1 DOs
      • 8.4.2 DON’Ts
      • 8.4.3 Checklist
      • 8.4.4 Further readings
  • 9 Annex II
    • 9.1 Comparative analysis of the regulatory framework at the EU Member states level
      • 9.1.1 Austria
      • 9.1.2 Belgium
      • 9.1.3 Finland
      • 9.1.4 France
      • 9.1.5 Germany
      • 9.1.6 Ireland
      • 9.1.7 Italy
      • 9.1.8 Netherlands
      • 9.1.9 Spain
      • 9.1.10 Sweden
      • 9.1.11 United Kingdom
      • 9.1.12 Information related to exceptions and derogations in a nutshell
  • Sources of information
    • 9.2 Bibliography
    • 9.3 Documents of the Council of Europe
    • 9.4 Jurisprudence by the European Court of Human Rights

Data protection in journalism: a practical handbook

2 The European legal framework

The regulatory framework regarding the right to freedom of expression and the regime of data protection in Europe is mainly linked to the Council of Europe and the European Union legal systems. In the case of the Council of Europe, the regulation is twofold. On the one hand, the main rights at stake, right to freedom of expression and right to privacy are part of the European Convention of Human Rights. Its article 10.1 states that “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This Article shall not prevent states from requiring the licensing of broadcasting, television or cinema enterprises.” Quite obviously, this right might be limited according to the provisions made by number 2 of this clause. Article 8, instead, focuses on the defense of privacy, by stating that

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

On the other hand, the Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108), also approved by the Council of Europe, regulates data protection issues. Indeed, at the present moment is the only international legally binding agreement on the data protection law. However, the European Court of Human Rights does not hear cases on the alleged violations of this Convention, since it is only related to the European Convention of Human Rights.

In the EU context, the right to freedom of expression was included in article 10 of the EU Charter of Fundamental Rights, which reads:

  1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.
  2. The freedom and pluralism of the media shall be respected.

Instead, articles 7 and 8 of the Charter included the right to privacy and the right to the protection of personal data concerning him or her. At the present moment, the legal framework for data protection is mainly drawn by the Regulation (EU) 2016/679 of the GDPR.Alleged violations of the EU law are heard by the Court of Justice of the European Union (CJEU). There is no equivalent piece of overarching and comprehensive secondary legislation about free speech and media freedom mostly due to the Commission’s position that the EU has no authority to legislate in this area (Biriukova, 6).

The GDPR applies whenever anyone processes (collects, retains, uses, or discloses, for instance) any information about a living person. As the ICO remarks, “it does not prevent responsible journalism, as the main principles are flexible enough to accommodate day-to-day journalistic practices (…) However, the media are not automatically exempt and will need to ensure they give some consideration to the data protection rights of individuals. Legal responsibility usually falls on the relevant media organization rather than individual employees, although freelance journalists are likely to have their own separate obligations”. However, it is good to keep always in mind that employees of media organizations need to be aware of their legal responsibilities, particularly day to day adherence, when working for their employer.