GDPR and the Data Protection Act 2018 – how do they impact publishers?
The need for publishers to ensure that their processing of personal data complies with the law is more important than ever.
The EU's General Data Protection Regulation EU/2016/679 comes into force today, hopefully bringing to an end the wave of privacy notices that have been flooding inboxes over the last few weeks. With somewhat less attention, Parliament has supplemented the GDPR in domestic law by enacting the Data Protection Act 2018, which received Royal Assent only on Wednesday 23 May 2018. The statute, which clarifies and supplements the GDPR, replaces the Data Protection Act 1998 as the new statutory framework governing personal data in this country.
Media lawyers and journalists might feel a degree of trepidation at this news. The Data Protection Act 1998 has become a mainstay of media disputes, with its importance and impact increasingly felt by publishers. So what changes do the traditional media publishers, online platforms and journalists face under the new 2018 Act?
The journalism exemption at s.32(1) Data Protection Act 1998 has been reproduced and its application expanded in the Data Protection Act 2018 at Schedule 2, Part 5 para.26.
The statutory stay procedure at s.32(4) Data Protection Act 1998 has been reproduced in similar terms at s176.
New criminal data offences have been introduced alongside explicit journalism public interest defences at ss170-171.
The Information Commissioner has been granted significant powers and responsibility to encourage media compliance with data protection laws, including periodic review and reporting on compliance, an obligation to issue guidance to individuals on seeking redress against media organisations and creation of a code of practice for media organisations on data protection compliance to be approved by Parliament.
The Secretary of State must report every three years on the effectiveness of the media dispute resolution procedures, including under the Editors' Code of Practice.
The Special Purposes Exemption
Unsurprisingly, given the explicit requirement in the GDPR to provide protection for the right to freedom of expression and information, the special purposes exemption, which protects processing for the purposes of journalism, art and literature (and now academic purposes) has survived and in fact has widened in scope and application under the new Act.
The journalism exemption at section 32(1) of the DPA 1998 provided that personal data have to be processed only for one of the 'special purposes', including journalism, in order for the exemption to be capable of applying, subject to meeting the s.32(1) criteria. Consequently, a data controller processing for two or more substantive purposes, including for journalism, was on the face of the legislation precluded from relying on the exemption.
The exemption in the Data Protection Act 2018 is wider. Schedule 2, Part 5, para 26(3) of the DPA 2018 contains the new exemption which notably includes no provision that personal data must be processed only for the special purposes: instead the dis-application of certain GDPR provisions for journalists will apply 'to the processing of personal data carried out for the special purposes', whether or not the data are being processed for a second or ancillary purpose. This will avoid the scenario where the media potentially faced losing the protection of the exemption if they assisted the police in connection with a criminal investigation, and may also have an impact on online platforms and search engine providers. In the recent case of NT1 and NT2 v Google LLC  EWHC 799 (QB), Warby J countenanced that if Google were processing for the special purposes, they were not doing so "only" for the special purposes – that may now be of little significance.
Otherwise, the exemption criteria are substantively the same as to what they were under DPA 1998:
the data in question must be being processed with a view to the publication of journalistic material,
the data controller must reasonably believe that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and
the data controller must reasonably believe that the application of the listed GDPR provision would be incompatible with its journalistic purpose.
Assuming these criteria are met, a data controller will be exempt from complying with an extensive list of GDPR rights and obligations (which itself has substantially increased). Notably, Codes of Practice have added importance for a publisher seeking to rely on the exemption. The Act provides explicitly at para 26(5) that when forming a belief that publication is in the public interest a data controller must have regard to relevant codes of practice, namely the BBC Editorial Guidelines, the Ofcom Broadcasting Code and the Editors' Code of Practice.
Section 176 of the DPA 2018 replicates the statutory stay provision at s.32(4) of the DPA 1998, providing that where a data controller claims, or it appears to the court, that personal data are being processed only for the special purposes, with a view to publication of journalistic material and the data have not previously been published by the controller, the court must stay any data protection proceedings brought over such data. By contrast to the exemption itself, the requirement in this case is that data must be being processed 'only' for journalism – so publishers seeking to rely on the statutory stay must be confident the data are not being processed for another substantive purpose.
As in the DPA 1998, the Information Commissioner again may make a written negative determination, in effect as to whether such a stay is appropriate. Section 174(3)(b) of the Act provides that the Commissioner may determine whether personal data are either not being processed only for the special purposes (including journalism); or whether the data are being processed without a view to the publication of journalistic material that has not previously been published. The ICO's efforts to secure the right to also determine whether compliance with a relevant provision of the DPA 2018 was incompatible with the special purposes was unsuccessful.
Nonetheless, it remains open to a claimant facing the prospect or reality of a stay under section 176 to turn to the ICO and make a complaint to the Commissioner pursuant to section 165, although the ICO's powers to require the provision of information, co-operation and to enforce are limited where no determination under section 174 has been made. In any event, any outcome would not necessarily be final as a right of appeal exists under section 162 DPA 2018.
New Offences and new Defences
Sections 170 and 171 of the DPA 2018 adds to the existing offence of unlawfully obtaining personal data a new offence of re-identification of de-identified personal data. Given the risk of impinging on investigative journalism, each offence provides expressly for new defences that mirror the special purposes exemption.
An offence will not be committed in either case if the data controller (1) acted for the special purposes, (2) with a view to publication of journalistic material, and (3) with a reasonable belief that their conduct was justified as in the public interest. These defences will be welcomed by the media, and will add to the protection afforded by the Crown Prosecution Service's 'Guidance for prosecutors on assessing the public interest in cases affecting the media'.
Assistance in special purposes proceedings
Section 175 DPA 2018 replicates the provision that a party who is subject to special purposes proceedings can apply to the Information Commissioner for assistance in those proceedings. However, before providing any such assistance, the Commissioner must be of the opinion that a matter carries substantial public importance.
On the face of the Act, it is therefore open for either a prospective claimant or defendant, most likely one with limited resource but involved in a data dispute of significance to apply to the ICO for assistance in their claim. With the threshold of 'substantial public importance' markedly high and with the ICO able to simply apply to intervene in litigation instead of taking on the burden of assisting a party to a dispute, it remains to be seen whether this will be used by parties and how interventionist the Commissioner will be in future cases.
Guidance, Review and Reporting obligations
Following legislative wrangling between the House of Commons and the House of Lords just days before the Bill received Royal Assent, and against the backdrop of arguments calling for 'Leveson 2', both the Secretary of State for Digital, Culture, Media and Sport and the Information Commissioner have had their responsibilities as watchdogs over the media increased.
the media has been singled out as an industry with an obligation on the Information Commissioner to produce guidance in the next year on how to seek redress against media organisations where an individual considers that a media organisation has failed to comply with data protection legislation (s.177 DPA 2018); this will not necessarily apply to online platforms.
The Information Commissioner must consult on, prepare and submit to the Secretary of State within 18 months a code of practice to be approved by Parliament containing practical guidance on compliant processing of personal data for the purposes of journalism and practice which is desirable having regard to the interests of data subjects and the special importance of the public interest in freedom of expression and information (s.124 DPA 1998);
the Information Commissioner is now also obliged to carry out periodic reviews of whether the data protection legislation is being complied with by the media and report her findings to the Secretary of State. The first review must be commenced within four and a half years and completed within six years, and then repeated every five years (s.178 DPA 2018 and Schedule 17).
Separately the Secretary of State must report every three years to Parliament on the use and effectiveness of the media's dispute resolution procedures in cases involving allegations of breaches of data protection legislation, specifically on any dispute resolution procedures provided by those who enforce codes of practice for relevant media organisations (s.179 DPA 2018). This will include IPSO, IMPRESS and, perhaps unintentionally since what constitutes an alternative dispute resolution procedure is not defined, potentially also OFCOM in so far as its code relates to on-demand publishers.
While the GDPR and DPA 2018 do not, on their face, require alterations to journalistic practice, there is cause for both optimism and a degree of caution for media organisations. The journalism exemption is marginally wider, and new data offences are counterbalanced by explicit public interest journalism defences, which provide welcome clarity. Perhaps most notable however are the provisions for continuing regulation and oversight of the media and its compliance with data protection legislation. With the Commissioner's obligations to produce a code of conduct for journalism, guidance to the public on seeking redress against media organisations, and to carry out periodic reviews of sector compliance, the need for publishers to ensure that their processing of personal data complies with the law is more important than ever.
RPC was instructed by the Media Lawyer's Association in relation to the Data Protection Bill.