GDPR and media: points of intersection

December 6, 2018

On May 25, 2018 the General Data Protection Regulation З2016/679 became valid in EU (here and after referred to as Regulation) which replaced Directive 95/46 which formerly governed protection of private individuals during processing personal data. Someone attributes to it a role of worldwide trigger which has to call global review of personal data processing rules and someone promotes that it is just a little details standards acting before and doesn`t change anything regarding some issues at all. As is often the case that truth is somewhere between. When it is about media the level of their responsibility in the context depends on what role they play in processing of personal data: they act as business or for the purpose of journalistic. To understand the reasons I offer to puzzle out what Regulation was approved for.

What Regulation is needed for?

First of all, you should know that within the ranges of European right these two acts have different grades. Directive establishes certain goal which should be reached by all EU countries. At this, decision about on which way this would happen is made by members states which approve national legislation for execution. Regulation is much more serious document which is obligatory to execute at all EU territory without necessity of approval the additional acts for implementation.

This Regulation is not in stark contrast to Directive which was replaced by it. Many provisions are left unchanged and as for range of issues the liability of correspondent rules is left for state members of EU. Regulation establishes standards about protection of rights of private individuals in connection with processing of personal data and standards regarding free flow of personal data, in opposite to Directive which directly not declares targeting for protection of free flow. What this means? Despite panic in connection with approval of Regulation and initial misunderstanding of how to work within the new circumstances it is required to remember that the goal of Regulation is not prohibition of personal data processing, blocking of information exchange or freezing of freedom of discussion. Regulation is the answer of EU for 2 challenges:

  1. Difficulty of free flow of personal data due to difference in national legislation of EU members which stands in the way of performing business operations.
  2. Need of protection of personal data within the circumstances of rapid development of technologies and globalization.


Approval of Regulation is the attempt to find a balance between normal business performing and information exchange from the one hand and person right which data are processed without suffering self-defeating damage during this process from the other hand. And the answer on this question is quite more strict rules of processing, which has to be uniform in all EU. Regulation details requirements which allow person to know what information about him/her is gathered and for what as well as opportunity to ask about its deletion if, for example, there are no groundings for further saving of this information. For example, particular attention is given to way of notification about gathering and processing of personal data. In a nutshell it should be clearly, understandable and essentially i.e. at “human language” but not by endless scroll of juridical text typed by font of “ten point size”.

As specified in preamble of Regulation the right on protection of personal data is not total. It serves to society the same as freedom of speech or opportunity to perform business activity. The question is where it`s inviolable limits are and where the opportunity to bypass them is in a legal way.

 

What and who are included in the scope of Regulation?

Corporal part of Regulation scope includes complete or partial processing of personal data by automated means or without its implementation for accounting of data (includes any lists or otherwise ranked personal data). Territorial part of Regulation scope though bind to personal data of EU habitants is different for controllers or operators of personal data located in EU and those located behind it`s borders. The latest are governed by Regulation only in two cases indicating just about economic reasons of approval of this document:

  • Providing goods or services to bodies of personal data within EU without reference to paycheck,
  • Monitoring of behavior of data bodies within EU.


The question arises at once: will a company registered in Ukraine and acceptable through a web-site at the territory of EU fall within the ambit of Regulation? Automatically no seeing that Regulation specifies that just that fact is not enough to talk about intention to provide services to EU habitants. With that, in conjunction with such factors as i.e. translation of sight to languages used in EU members as well as opportunity to pay an account by certain currency, the presence of such intention could be admitted. I.e. when it is about Ukrainian companies they mostly will go to the grey area where necessity to reckon with new rules has to be discovered in each separate case.

The understanding of Regulation and ostensibly suddenness of approval by companies themselves is interesting in the context. It should be recalled that 2 years was given for preparation to new rules. But for many platforms it seems was not enough. Several American news sites being afraid to violate new European rules and correspondingly be levied a huge has decided that it would be easier just to block the access to them from the EU territory and to wait instead of study out a new liabilities on their own. They can be understood. They calculate own risks.


Media: different roles means different responsibility

As it appears from the goal of Regulation approval it has economic grounds of free market procurement as a basis but forces to set sights on possible undesirable rebound to media activity. The Regulation by itself avoids determine interrelation between personal data protection and right for freedom of speech. There is only general declaration of adherence with all main rights and freedoms and necessity of balance finding between them in accordance with pro rata principle in the text.

In this context, the only one criterion regarding of which Regulation makes direct exception from personal data protection is the right for deletion or so called right for forgetting. One of the reasons for reject to delete personal data is that their processing is required for implementation of the right for a freedom of speech and information. However, since the procedure of such deletion is not specified this standard could fail to save from deletion of absolutely legal content due to fear of negative consequences particularly increased amounts of fees for violation of rules of personal data processing.

In rest of issues concerning “special situations of data processing” including freedom of speech Regulations rests responsibility for coordination of these rights upon EU members. Pursuant to Article 85 of Regulations, EU members are obliged to coordinate the right for personal data protection and freedom speech and information right in particular processing for the purposes of journalism. It is important to emphasize that such coordination should be performed at legislative level but not e.g. through courts in each individual case which has to guarantee predictability.

It should be also highlighted that according to Regulations exceptions from the rules of personal data processing should be settled up only in case of two conditions:

  • If this required for coordination of right for personal data protection with right for freedom speech and information,
  • Only for the purpose of journalistic.


What conclusions could be made taking into consideration these statements? First of all, exceptions that could be settled up for protection of right for freedom of speech likely will go through further step-by-step finishing with respect to necessity through the courts. At the second, it is required to draw a line between media activity as a business which will fall within the ambit of Regulation in a part e.g. monitoring of visitation of web-sites, multi-casts creation, advertising or employment and journalists activity on implementation of right for freedom of speech e.g. when they publish a pictures of persons taking part in a public discussion at a conference. The last one as specified in Regulations should be widely understood taking into account it`s importance in democratic society.

At any case there is no reasons for panic this is because ECHR already had a time to tell its` first word after entering Regulations in force. In decision “L.M. and W.W. against Germany” as of June 28, 2018 court gave priority to the right for freedom of speech over the right for deletion in the case on claim regarding deletion of information about judgment of two persons for murder at German media portal. Court emphasized the freedom of journalists to choose those facts at their will during work on footages if their choice is based on a professional conduct rules.

 

Conclusions

As for journalistic activity Regulations have no fundamental changes for media but will have influence on processing of personal data in other aspects of media activity. Ukrainian media are in grey area where it is impossible to say definitively will they fall within the ambit of Regulation in particular situation. Answer for this question should first of all be searched through their role in a process of personal data processing. As for freedom of speech the Regulations does not change rules of game significantly so when media act as a business which has an intention to interact with audience at the territory of EU it is necessary to review your practices in this case.