The rise of GDPR in media law

To what extent can a person rely on the GDPR to try to prevent the future publication of media content, or to obtain the removal of already published media content? What aspects of the GDPR would claimants rely on and how can media defendants defend against such claims? Given that data subjects have the right to withdraw their consent at any time where consent provides the lawful basis for processing personal data (GDPR Article 7), does this mean that media releases (for example, signed by participants for a TV show) are no longer effective? We look at these questions from an English law perspective. However, as the GDPR is an EU instrument with potentially extra-territorial effect, similar considerations may apply well beyond the UK.

Background

Traditionally, if an individual objected to content which was going to be, or had been, published or broadcast by the media, they would rely on defamation and privacy law. Defamation law would be relied on with respect to false information which damaged the person's reputation. Privacy law would be relied on in relation to (true or false) private information. These laws provide checks and balances between the rights of the claimant and the rights of free speech, including the rights of the media to disseminate, and the public to receive, information.

Data protection law, governing the use of information which identifies individuals, is, however, now routinely relied on when bringing privacy claims, for example in Cliff Richard v BBC. This is due to the broad range of information protected by EU data protection law, but also to its wide territorial reach, confirmed in Google Spain v Gonzalez (2014) and enshrined into the GDPR.  

To succeed in a defamation claim, the claimant must establish at least that: (i) the statement complained of is defamatory of him or her; and (ii) the serious harm to reputation threshold has been met. For a privacy claim, the claimant must establish that information is private. In contrast, a claimant relying on data protection law need not prove either of these things. To see how a data protection claim can be deployed against media content, it is necessary to explain some fundamental concepts of the GDPR.

Fundamentals of the GDPR for claims against media content

Personal data (Article 4)

The starting point is that the GDPR concerns personal data. This means "any information relating to an identified or identifiable natural person (data subject)". As long as the data relates to a data subject, the GDPR potentially kicks in and regulates the processing – there is no need for it to be defamatory or private. Once that happens, as is the case with any media content (whether or not published) about or concerning an individual, various principles of data protection potentially apply. 

Controller (Article 4(7))

The controller determines the purposes and means of the processing of personal data. Where a media organisation is processing personal data with a view to publication or making editorial content available, they will ordinarily be the controller.

Territorial scope (Article 3)

The territorial scope of the GDPR has two bases. First, it applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place there. In short, EU media organisations will be controllers falling within this first category. Establishment is widely defined and "implies the effective and real exercise of activity through stable arrangements" (recital 22). Therefore, for example, if a non-EU media organisation has a bureau or a team of journalists permanently on the ground in the EU, it is likely to have an establishment for these purposes. If only one or two journalists were in the EU under a "stable arrangement", eg freelancers based permanently in the EU, this may constitute an establishment in the EU. However, non-EU-based journalists flying in to conduct interviews or investigations in the EU would be unlikely to constitute an establishment.

Second, the GDPR also applies to processing of personal data of data subjects by media organisations without an establishment in the EU to the extent the media company is offering goods and/or services to such data subjects in the EU or monitoring their behaviour.

Principles relating to processing of personal data (Article 5)

Where a controller is processing personal data about a person, the controller must ensure that the personal data is:

• Processed lawfully, fairly and in a transparent manner;
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible ('purpose limitation');
• Adequate, relevant and limited to what is necessary for the purposes ('data minimisation');
• Accurate and, where necessary, kept up to date and every reasonable step must be taken to ensure that inaccurate data are erased or rectified without delay ('accuracy');
• Kept in a form which permits identification for no longer than is necessary for the purposes;
• Processed in a manner which ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction and damage.

These principles in the context of media content are far more onerous for journalists than simply investigating and writing a story about an individual and trying to avoid a defamation or privacy claim and, as in Google Spain and subsequent decisions, can lead to the removal of content which has become out of date, inaccurate or irrelevant, even where the content is true and was accurate at the time of publication (see our article for more).

Lawful processing (Article 6)

The controller must have a lawful basis for processing the data, for example:

• The data subject has given consent to the processing for a specific purpose;
• The processing is necessary for performance of a contract to which the data subject is a party; or
• The processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Where consent is the lawful basis relied on, it must be freely given, specific, informed and an unambiguous indication of the data subject's wishes. If a journalist or controller has not satisfied this strict test by making crystal clear (including by supplying certain information) to the relevant individual the ways in which their personal data will be used, a valid consent will be unlikely. Data subjects have the right to withdraw their consent at any time. This could mean that a contributor who has voluntarily provided consent for their personal data to be included in media content can withdraw that consent and, potentially, try to obtain removal of their personal data even after it has been published.

If the contributor or source enters into a contract with the media organisation in relation to the content (eg a written release), then this may be sufficient to ward off a future claim if the person subsequently requests that the content featuring them not be published or be removed. The contract will probably require consideration, as mere consent is unlikely to be sufficient.

The most common lawful basis used by a media organisation to justify processing editorial content which includes personal data is legitimate interest (aside from relying on the journalistic exemption). However, this involves a balancing exercise between the legitimate interests of the media organisation and the rights and freedoms of the individual which will depend on all the circumstances and may have to be re-evaluated if new information or facts become relevant.  

Special categories of personal data (Article 9)

Where the processing involves particularly sensitive personal information about a person ('special categories'), including racial or ethnic origin, political opinions, data concerning health or a person's sex life or sexual orientation, the processing is prohibited unless there is an additional basis for processing, such as 'explicit consent', or where an exemption applies. While most of the additional bases are unlikely to apply in a media context, there is an exemption to the prohibition where a person (eg a source or programme participant) has manifestly made such personal data public. Whether or not merely providing content to a journalist for publication would satisfy this test is yet to be tested. It seems likely that knowingly providing special category data about oneself on TV would also satisfy this requirement (assuming that the data subject was an adult and knew what they were doing).

Rights of data subjects (Chapter III)

A data subject under the GDPR has numerous rights, to which the data controller must give effect where applicable. Data subjects have, for example, the right:

• To access to a copy of their personal data, including the purposes of processing, categories, recipients and sources.
• To rectification, without undue delay, of inaccurate personal data.
• To erasure ('the right to be forgotten') without undue delay if eg:
  • The personal data are no longer necessary in relation to the purposes for which they were processed.
  • The data subject withdraws consent and there are no other legal grounds for the processing.
  • The data subject objects and there is no overriding legitimate grounds for processing. Or
  • The person data have been unlawfully processed.

There is an exception to the right to be forgotten to the extent necessary eg for exercising the right of freedom of expression and information:

• To restrict processing to merely storing of data eg where accuracy is disputed and time is required for the controller to verify the accuracy.
• To object to processing unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

Unless an exemption applies (for example, the journalistic exemption), a data subject can exercise one or more of these rights.

The right to erasure ('right to be forgotten') (Article 17)

The most important right as regards individuals trying to control media content is the right of erasure, also known as the right to be forgotten. This right can be deployed by a person instead of or in addition to a privacy or defamation claim in order to try to prevent publication or to try to obtain the removal of content about them. However, the right to be forgotten is not absolute and comes down to a balancing exercise between the data protection and privacy rights of the data subject on the one hand, and the free speech rights of the media organisation and the public (eg to receive information on a matter of public interest) on the other. We discuss the legal evolution of the right to be forgotten in more detail in our article.

In a media context, the court will consider an application to 'be forgotten' by weighing up the balance between Articles 8 and 10 of the European Convention on Human Rights (ECHR), based on numerous factors potentially including the extent to which:

• the claimant is a public figure or plays a role in public life
• the claimant is a child
• the data is accurate
• the data is relevant and up to date
• the data falls within a special category
• the processing causes prejudice to or an invasion of privacy of the data subject
• the data subject made the information public or reasonably knew the information would be published
• the journalistic nature of the content
• the information is publicly available
• the data relates to a criminal offence.

These factors are based on the Article 29 Working Party Guidelines on the implementation of the Google Spain decision and subsequent case law such as NT1 and NT2 v Google (see our article for more).

While the right to be forgotten can be asserted by a claimant in relation to published information about them which is not defamatory or private, in many cases the media organisation can rely on the journalistic exemption to override the claim. However, in practice, the parties will often disagree about where the balance falls. Moreover, there is an overlap between the GDPR concepts of legitimate interest, the right to be forgotten and the journalistic exemption when it comes to the balancing of rights in a media context.

The journalistic exemption (Article 85)

Article 85 GDPR, requires EU Member States to reconcile the right to protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression (the special purposes). This is implemented in the UK by Part 5 of Schedule 2 of the Data Protection Act 2018 (DPA18). The main GDPR principles and rights (including the principles relating to lawful processing, special categories of data and the rights to access, rectification, erasure, to object and to restrict processing) do not apply:

• to the extent that the controller reasonably believes that application of the GDPR principles and rights would be incompatible with the special purposes, and
• where:
  • processing is carried out with a view to publication of journalistic, artistic, etc material, and
  • the controller reasonably believes that publication would be in the public interest.

The key test is whether the media organisation reasonably believes that publication would be in the public interest. This is both an objective and subjective test. Public interest is not defined and each case needs to be decided on its merits in relation to the specific information. The controller must take into account the special importance of freedom of expression and information and have regard to the following codes of practice where relevant: the BBC Editorial Code, the Ofcom Broadcasting Code and the Editors' Code of Practice. Topics such as politics, crime, education, public health and the economy will usually be in the public interest. Pure celebrity gossip is unlikely to count although this is untested under the GDPR.

The wording of the special purposes exemption in the DPA18 (in particular the words "with a view to publication") appears to suggest that the exemption only applies pre-publication. However, it seems likely that it applies to material which has already been published as well.

Example

Making a right to be forgotten request for the removal of search engine results is well-established. The growing use of data protection law relates to the underlying content itself. For example, if a person (the data subject) gave an interview to a journalist or is referred to in an article which was published online five years ago and the data subject now decides they want the article taken down (or at least to have the references to them removed), they may attempt to rely on the right to be forgotten, even if the information is not false, defamatory or private and has been in the public domain. In such a case, the data subject and the controller will need to consider whether the GDPR applies and, if so: (i) assess whether the controller has complied with the GDPR principles and has a lawful basis for processing the data; (ii) carry out the balancing exercise required by the right to be forgotten; and (iii) consider whether the journalistic exemption applies.

Non-media organisation content

Media law is not only concerned with publications and broadcasts by media organisations. Content which includes personal data is continually also being published (including online) by organisations across numerous sectors ranging from technology, financial services, consumer goods, life sciences, real estate, charities, law enforcement and government. This may be via websites, social media, in email newsletters and/or marketing communications. While the main principles of data protection law may still apply, including the right to be forgotten, the special purposes exemption may not. For example, if a business posts information about or photographs of a person (the data subject) on its website, the data subject could request removal of the information based on the right to erasure. In such a case, the controller will need to consider at least the issues referred to in the above example but the journalistic exemption is normally unlikely to apply.

Media releases

Many media organisations, particularly in the television and film industry, rely on written releases from actors and contributors (including those appearing on reality TV shows) which may traditionally be based on consent. Given that consent can be withdrawn at any time under the GDPR, this could cause massive disruption to a media business if, for example, an actor or reality TV contributor suddenly decides that they no longer want to be part of a programme. It is therefore advisable to base the release upon a different lawful basis for the processing of the personal data, which will depend on the context.

Assessing competing rights and freedoms

It can seem surprising that data protection law can be deployed by data subjects in relation to content published or broadcast about them, in place of or in addition to the usual defamation and privacy causes of action. While the journalistic exemption is broad, it may not always apply. Data subjects and media (and non-media) controllers will benefit from understanding the fundamentals of the GDPR, including the different lawful bases for processing personal data, the right to be forgotten, the journalistic exemption and how competing rights and freedoms need to be balanced in certain circumstances.

If you have any questions on this article please contact us.