In Part 1 of this post I argued that the mandatory conditions for the application of the “journalism exemption” in section 32 of the Data Protection Act 1998 (“the DPA”) are strict and required careful case by case consideration. In this post I will consider some practical consequences of this analysis.
It is important to be clear at the outset that unless the exemption is establish then the data protection principles apply. This means that the default position should be that the media must comply with the provisions of the DPA. If an exemption is necessary it needs to be made out on the facts of each case.
The Exemption in relation to different types of Journalism
A number of different types of journalism can be considered.
First, there is the situation where a media organisation is processing data for purposes other than journalism (or “art” or “literature”). If, for example, a newspaper holds personal data in the form of a photograph supplied by an advertising agency for the purposes of advertising, say, a particular range of clothes, this will be personal data which does not fall with the exemption because the first condition would not be met. Doubtless, in such a case the model will have given express consent to the processing. They could, however, make a section 7 “subject access request” in relation to such material and the newspaper would be obliged to answer.
Neither would the exemption apply if a newspaper was using personal data without consent for advertising purposes. For example, MailOnline has a feature known as “femail fashion finder” in which what appear to be paparazzi photographs of celebrities are used to advertise particular items of clothing (similar to those worn by the celebrity). It is difficult to see how this use of the celebrity’s personal data (in the form of the photograph taken without consent) could fall within the “journalistic exemption”. The first condition would not be met (and neither would the third “public interest” condition).
Second, there are the large number of stories falling within the category of what Strasbourg calls “entertainment journalism”. This would cover, for example, stories about celebrities (and non-celebrities) where there is clearly no “public interest” angle. In these cases, although the first and second conditions of the section 32 exemption would be met the third (“reasonable belief in public interest”) would not be met.
This category includes a substantial proportion of the material published in tabloid and mid-market newspapers. The personal data held in relation to these kind of stories – including photographs – is subject to the provisions of the DPA in full.
In such cases, subject access requests must be answered (although confidential journalistic sources can be protected). Furthermore, as the ICO points out (Guide, pp.9-10), a person whose data is being processed should be told that this is taking place as soon as practicable. This is a requirement of “fair and lawful processing” (see DPA, Sch 1, Part II).
Personal data can only be lawfully processed if one of the conditions in Schedule 2 to the DPA are satisfied – the most obvious one is consent. Sensitive personal data (for example, in relation to political or religious beliefs, health or sex life) can only be lawfully processed if one of the conditions in Schedule 3 is satisfied – the most relevant are “explicit consent” and information made public as a result of deliberate steps taken by the data subject.
This means, for example, that non-public interest paparazzo photographs of celebrities taken in a public place are not subject to the section 32 exemption. The data in such photographs could only lawfully be processed if the person in question had agreed to be photographed or was at an obviously public event (such as a film premier or a football match). The publication of such photographs without consent is likely to be a breach of the DPA. I have previously commented on the publication by the Sun of a photograph of Kai Rooney but the same arguments apply to photographs of adults.
Third, there is ordinary “news journalism” – reporting on current events. This gives rise to potentially complex issues. The first, second and third conditions are likely to be fulfilled in most cases. There is a public interest in reporting on current events – such as political speeches, policy announcements or business results.
It may, however, be difficult to establish a reasonable belief that compliance with the provisions of the DPA would be incompatible with the special purposes. Politicians who announce policy or make speeches are plainly consenting to the processing of their personal data. Answering subject access requests in relation to such stories may be time consuming and resource intensive – but this is the position for any data controller. It is difficult to see how answering such request is “incompatible with the purposes of journalism”.
In other words, there is a strong argument that the “Section 32 exemption” has no application to either “entertainment journalism” or to ordinary reporting of current events. In such cases, the data protection principles must be complied with and subject access requests answered.
Fourth, there is “public interest” journalism properly so-called. In other words, cases in which data being processed for the purpose of stories exposing wrongdoing or designed to protect the public (and the other categories contemplated by, for example, the Ofcom Code). In this case, the first three conditions are clearly fulfilled: the data is being processed for journalistic purposes, with a view to publication of journalistic material and with a reasonable belief that publication will be in the public interest.
Furthermore, in relation to the fourth condition, it is cannot be said to be impossible to comply with all of the relevant provisions of the DPA.
However, as mentioned in Part 1, the position may be different in relation to subject access requests. If, for example, a suspected tax evader is being investigated it is likely to be “incompatible” with journalism to respond to a subject access request – certainly in advance of full publication of the story. A belief that compliance with this provision is incompatible with journalism is, in such cases. likely to be a reasonable one. In addition, as already mentioned, sources can be protected.
In other cases the question of compatibility will depend on the nature of the information being processed and the nature of the proposed publication. There can be no “blanket” decision on the fourth condition: it all depends on the facts.
Dealing with Data Protection Issues
As already mentioned, the responsibility for ensuring compliance with the DPA rests on the “data controller”. This will not be the journalist but some individual within the media organisation who is given this responsibility. That person will have to make the decisions as to whether and to what extent to comply with the DPA in relation to information obtained by journalists in particular cases.
The person with responsibility under the DPA must consider the “public interest” and “compatibility” conditions and whether the data protection principles are being complied with. As the ICO points out, there need to be clear policies and procedures in place but these are, in any event required by the Editors’ Code (Guide, p.36). In addition, there needs to be a process in place for handling subject access requests (Guide, p.14).
In summary, therefore, far from being a “blanket exemption” from the requirements of the DPA, section 32 in fact applies in only a very limited class of case and, even, then only to some of the provisions of the statute.
In most cases media organisations are, on analysis, in exactly the same position as any other data controller – they must comply with data protection principles and answer subject access requests. They can be subject to notices under section 10 or 14 requiring them to cease processing which is caused damage or distress or to the rectification, blocking or erasure of inaccurate data.
The provisions of the DPA are, in some cases, be difficult to comply with and resource intensive. But this is the same for all data controllers: the media are in no worse position than anyone else. Unless non-compliance is in the public interest or compliance makes journalism impossible media organisations are required to obey the general law of data protection, no less but no more.
Hugh Tomlinson QC is a member of Matrix Chambers and an editor of Inforrm