To what extent can a person rely on the GDPR to try to prevent the future publication of media content, or to obtain the removal of already published media content? What aspects of the GDPR would claimants rely on and how can media defendants defend against such claims? Given that data subjects have the right to withdraw their consent at any time where consent provides the lawful basis for processing personal data (GDPR Article 7), does this mean that media releases (for example, signed by participants for a TV show) are no longer effective? We look at these questions from an English law perspective. However, as the GDPR is an EU instrument with potentially extra-territorial effect, similar considerations may apply well beyond the UK.
Traditionally, if an individual objected to content which was going to be, or had been, published or broadcast by the media, they would rely on defamation and privacy law. Defamation law would be relied on with respect to false information which damaged the person's reputation. Privacy law would be relied on in relation to (true or false) private information. These laws provide checks and balances between the rights of the claimant and the rights of free speech, including the rights of the media to disseminate, and the public to receive, information.
Data protection law, governing the use of information which identifies individuals, is, however, now routinely relied on when bringing privacy claims, for example in Cliff Richard v BBC. This is due to the broad range of information protected by EU data protection law, but also to its wide territorial reach, confirmed in Google Spain v Gonzalez (2014) and enshrined into the GDPR.
To succeed in a defamation claim, the claimant must establish at least that: (i) the statement complained of is defamatory of him or her; and (ii) the serious harm to reputation threshold has been met. For a privacy claim, the claimant must establish that information is private. In contrast, a claimant relying on data protection law need not prove either of these things. To see how a data protection claim can be deployed against media content, it is necessary to explain some fundamental concepts of the GDPR.
The starting point is that the GDPR concerns personal data. This means "any information relating to an identified or identifiable natural person (data subject)". As long as the data relates to a data subject, the GDPR potentially kicks in and regulates the processing – there is no need for it to be defamatory or private. Once that happens, as is the case with any media content (whether or not published) about or concerning an individual, various principles of data protection potentially apply.
The controller determines the purposes and means of the processing of personal data. Where a media organisation is processing personal data with a view to publication or making editorial content available, they will ordinarily be the controller.
The territorial scope of the GDPR has two bases. First, it applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place there. In short, EU media organisations will be controllers falling within this first category. Establishment is widely defined and "implies the effective and real exercise of activity through stable arrangements" (recital 22). Therefore, for example, if a non-EU media organisation has a bureau or a team of journalists permanently on the ground in the EU, it is likely to have an establishment for these purposes. If only one or two journalists were in the EU under a "stable arrangement", eg freelancers based permanently in the EU, this may constitute an establishment in the EU. However, non-EU-based journalists flying in to conduct interviews or investigations in the EU would be unlikely to constitute an establishment.
Second, the GDPR also applies to processing of personal data of data subjects by media organisations without an establishment in the EU to the extent the media company is offering goods and/or services to such data subjects in the EU or monitoring their behaviour.
Where a controller is processing personal data about a person, the controller must ensure that the personal data is:
These principles in the context of media content are far more onerous for journalists than simply investigating and writing a story about an individual and trying to avoid a defamation or privacy claim and, as in Google Spain and subsequent decisions, can lead to the removal of content which has become out of date, inaccurate or irrelevant, even where the content is true and was accurate at the time of publication (see our article for more).
The controller must have a lawful basis for processing the data, for example:
Where consent is the lawful basis relied on, it must be freely given, specific, informed and an unambiguous indication of the data subject's wishes. If a journalist or controller has not satisfied this strict test by making crystal clear (including by supplying certain information) to the relevant individual the ways in which their personal data will be used, a valid consent will be unlikely. Data subjects have the right to withdraw their consent at any time. This could mean that a contributor who has voluntarily provided consent for their personal data to be included in media content can withdraw that consent and, potentially, try to obtain removal of their personal data even after it has been published.
If the contributor or source enters into a contract with the media organisation in relation to the content (eg a written release), then this may be sufficient to ward off a future claim if the person subsequently requests that the content featuring them not be published or be removed. The contract will probably require consideration, as mere consent is unlikely to be sufficient.
The most common lawful basis used by a media organisation to justify processing editorial content which includes personal data is legitimate interest (aside from relying on the journalistic exemption). However, this involves a balancing exercise between the legitimate interests of the media organisation and the rights and freedoms of the individual which will depend on all the circumstances and may have to be re-evaluated if new information or facts become relevant.
Where the processing involves particularly sensitive personal information about a person ('special categories'), including racial or ethnic origin, political opinions, data concerning health or a person's sex life or sexual orientation, the processing is prohibited unless there is an additional basis for processing, such as 'explicit consent', or where an exemption applies. While most of the additional bases are unlikely to apply in a media context, there is an exemption to the prohibition where a person (eg a source or programme participant) has manifestly made such personal data public. Whether or not merely providing content to a journalist for publication would satisfy this test is yet to be tested. It seems likely that knowingly providing special category data about oneself on TV would also satisfy this requirement (assuming that the data subject was an adult and knew what they were doing).
A data subject under the GDPR has numerous rights, to which the data controller must give effect where applicable. Data subjects have, for example, the right:
There is an exception to the right to be forgotten to the extent necessary eg for exercising the right of freedom of expression and information:
Unless an exemption applies (for example, the journalistic exemption), a data subject can exercise one or more of these rights.
The most important right as regards individuals trying to control media content is the right of erasure, also known as the right to be forgotten. This right can be deployed by a person instead of or in addition to a privacy or defamation claim in order to try to prevent publication or to try to obtain the removal of content about them. However, the right to be forgotten is not absolute and comes down to a balancing exercise between the data protection and privacy rights of the data subject on the one hand, and the free speech rights of the media organisation and the public (eg to receive information on a matter of public interest) on the other. We discuss the legal evolution of the right to be forgotten in more detail in our article.
In a media context, the court will consider an application to 'be forgotten' by weighing up the balance between Articles 8 and 10 of the European Convention on Human Rights (ECHR), based on numerous factors potentially including the extent to which:
These factors are based on the Article 29 Working Party Guidelines on the implementation of the Google Spain decision and subsequent case law such as NT1 and NT2 v Google (see our article for more.
While the right to be forgotten can be asserted by a claimant in relation to published information about them which is not defamatory or private, in many cases the media organisation can rely on the journalistic exemption to override the claim. However, in practice, the parties will often disagree about where the balance falls. Moreover, there is an overlap between the GDPR concepts of legitimate interest, the right to be forgotten and the journalistic exemption when it comes to the balancing of rights in a media context.
Article 85 GDPR, requires EU Member States to reconcile the right to protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression (the special purposes). This is implemented in the UK by Part 5 of Schedule 2 of the Data Protection Act 2018 (DPA18). The main GDPR principles and rights (including the principles relating to lawful processing, special categories of data and the rights to access, rectification, erasure, to object and to restrict processing) do not apply:
The key test is whether the media organisation reasonably believes that publication would be in the public interest. This is both an objective and subjective test. Public interest is not defined and each case needs to be decided on its merits in relation to the specific information. The controller must take into account the special importance of freedom of expression and information and have regard to the following codes of practice where relevant: the BBC Editorial Code, the Ofcom Broadcasting Code and the Editors' Code of Practice. Topics such as politics, crime, education, public health and the economy will usually be in the public interest. Pure celebrity gossip is unlikely to count although this is untested under the GDPR.
The wording of the special purposes exemption in the DPA18 (in particular the words "with a view to publication") appears to suggest that the exemption only applies pre-publication. However, it seems likely that it applies to material which has already been published as well.
Making a right to be forgotten request for the removal of search engine results is well-established. The growing use of data protection law relates to the underlying content itself. For example, if a person (the data subject) gave an interview to a journalist or is referred to in an article which was published online five years ago and the data subject now decides they want the article taken down (or at least to have the references to them removed), they may attempt to rely on the right to be forgotten, even if the information is not false, defamatory or private and has been in the public domain. In such a case, the data subject and the controller will need to consider whether the GDPR applies and, if so: (i) assess whether the controller has complied with the GDPR principles and has a lawful basis for processing the data; (ii) carry out the balancing exercise required by the right to be forgotten; and (iii) consider whether the journalistic exemption applies.
Media law is not only concerned with publications and broadcasts by media organisations. Content which includes personal data is continually also being published (including online) by organisations across numerous sectors ranging from technology, financial services, consumer goods, life sciences, real estate, charities, law enforcement and government. This may be via websites, social media, in email newsletters and/or marketing communications. While the main principles of data protection law may still apply, including the right to be forgotten, the special purposes exemption may not. For example, if a business posts information about or photographs of a person (the data subject) on its website, the data subject could request removal of the information based on the right to erasure. In such a case, the controller will need to consider at least the issues referred to in the above example but the journalistic exemption is normally unlikely to apply.
Many media organisations, particularly in the television and film industry, rely on written releases from actors and contributors (including those appearing on reality TV shows) which may traditionally be based on consent. Given that consent can be withdrawn at any time under the GDPR, this could cause massive disruption to a media business if, for example, an actor or reality TV contributor suddenly decides that they no longer want to be part of a programme. It is therefore advisable to base the release upon a different lawful basis for the processing of the personal data, which will depend on the context.
It can seem surprising that data protection law can be deployed by data subjects in relation to content published or broadcast about them, in place of or in addition to the usual defamation and privacy causes of action. While the journalistic exemption is broad, it may not always apply. Data subjects and media (and non-media) controllers will benefit from understanding the fundamentals of the GDPR, including the different lawful bases for processing personal data, the right to be forgotten, the journalistic exemption and how competing rights and freedoms need to be balanced in certain circumstances.
If you have any questions on this article please contact us.
Are NDAs still an effective or realistic legal tool to use when settling disputes involving unproven allegations? If they can't be enforced, what are they worth?
1 / 4 观点
A data privacy breach can quickly cause immeasurable damage to a company's reputation. It can affect a company's brand, public perception, customer trust, future communications strategies and advertising, regulatory record, bottom line, share price and even destroy a company entirely. Where the breach involves personal data about the public, the stakes are particularly high.
2 / 4 观点
The 'right to be forgotten' in the context of EU data protection law, is something of a misnomer; it is, in fact, a qualified right to the erasure of personal data. While it does not afford individuals with a blanket right to have their personal data erased or forgotten (except in relation to direct marketing), it is an essential weapon for individuals in the wider privacy arsenal.
3 / 4 观点
返回