The outcome in Buivids draws significantly on long-standing CJEU jurisprudence.  Thus, as far back as 2003, Lindqvist had already stressed the broad material applicability of data protection in an online publishing context and also argued that the personal/household exemption was not applicable where “data are made accessible to an indefinite number of people” (at [47]).

Meanwhile, the Grand Chamber judgment in Satamedia in 2008 had emphasised the need for a broad construction of journalism, argued that courts should therefore consider if the “sole object” of any activity “is the disclosure to the public of information, opinions or ideas” (at [62]) and emphasised that even in relation to journalism, any derogations or exemptions from data protection “must apply only in so far as is strictly necessary” (at [56]).

Despite this, it would be a great mistake to see Buivids as simply a straightforward application of Lindqvist and Satamedia.  Turning first to Lindqvist, a number (albeit only a minority) of DPAs have claimed that the statements in this case shouldn’t be taken literally since Mrs Lindqvist’s amateur publication was related to her activity within the Swedish Protestant Church (which was clearly a corporate not amateur individual controller) and, in any case, was handed down in the relatively early days of the internet, before full online social networking and Web 2.0.

Indeed, as a result, the UK Information Commissioner’s Office (ICO) has felt justified over many years in applying a blanket policy which refuses to consider “complaints made against individuals who have posted personal data whilst acting in a personal capacity, no matter how unfair, derogatory or distressing the posts may be” (p. 15).  However, the unequivocal adoption of the same wording as Lindqvist in Buivids, a case which concerns processing taking place in the 2010s and unequivocally in a purely amateur/personal context, powerfully demonstrates (alongside the copious case law which the CJEU quotes in its support) that an approach such as the ICO’s has no legal basis within the European data protection scheme.

Turning to Satamedia, this case’s suggested positive definition of journalism was not tempered by any explicit recognition that the reference to “the public” was importantly different from the dissemination of information to an indefinite number of people generally.  This led a number of authoritative commentators to argue that the case favoured “the delivery of information in the public domain through the chaos of the market” (Vousden, 2009, p. 533) and allowed “national courts to exempt virtually any form of expression involving personal data processing from the scope of the Directive” (Lynskey, 2013, p. 71).

In contrast, through balancing the positive definition of journalism originally set out in Satamedia with a recognition that this must not encompass all information published on the internet, Buivids explicitly recognises the critical point that the reference to “the public” in Satamedia must be understood in the collective sense of “the body politic” (Erdos, 2015, p. 129) rather than simply any indeterminate number of people.  Application of the journalistic derogation thereby comes clearly to rest on an analysis of whether processing is solely intended to contribute to some kind of “collective, public debate” (Ibid).   Admittedly, even before Buivids, such an understanding had been implied by the CJEU finding in Google Spain that an internet search engine, despite disseminating its indexing results to an indeterminate number, could not (at least directly) benefit from the journalistic derogation (at [85]).

Finally, the initial reference in Satamedia to a requirement of strict necessity in relation to the application of the journalistic derogation was potentially compatible with the national legislature being uniquely responsible for the implementation of this test.  Especially since different Member State legislatures both have and continue to adopt radically different approaches to this provision, that would severely limit the potential for both individual redress and moves towards a harmonized approach here.  In contrast, Buivids clearly states that, apparently notwithstanding any such national legislation, courts are responsible for interpreting and applying these “necessity” and “strict necessity” tests.  By clear implication (not least as the Latvian regulator made the initial determinations in the instant case), DPAs would have similar initial responsibilities (albeit whilst remaining subject to potential judicial review).

Implications under the GDPR

Buivids has significant implications for the interface between data protection and freedom of expression.  To begin within, it gives emphasis to the idea that data protection applies to a host of amateur publication activities which involve the indeterminate publication of third-party personal data, whether this is on YouTube, Facebook, Instagram or a myriad of other online possibilities.  Given that such activities are carried out by potentially hundreds of millions of users across Europe, that itself remains a conclusion of profound significance.

Since the GDPR has at least as broad a basic material scope as the DPD and maintains only a narrowly crafted exemption for “purely personal or household activity” (art. 2(2)(c)), the transition from Directive to Regulation cannot fundamentally displace this.  Admittedly, a recital in the GDPR acknowledges that the exemption “could include … social networking and online activity undertaken within the context” of purely personal or household activities (Recital 18). This recital might be invoked by the CJEU to exclude amateur online publication posing only a low risk to the relevant individuals’ data protection rights (e.g. the posting of innocuous pictures of family, friends or other acquaintances online).

Alternatively, the court could insist that this exemption has no applicability to the online sharing of third-party data beyond a closed or determinate number of people.  Either way, post-Buivids any notion, as forwarded for example by ICO, that amateur publication of third-party personal data is generally exempt from European data protection is entirely illusory.  Furthermore, a good portion of this amateur publication is not “solely” or even predominantly concerned with disseminating a message to the collective public but, rather, finds its potential justification in “self-expression and a general freedom to converse” (Erdos, 2016/17, p. 4).  Therefore, the definition of journalism articulated by Buivids also points to many individual publishers falling outside of the special expression derogation.  Again, the very minor drafting differences of the GDPR, namely moving the sole processing requirement from the body of the instrument (art. 85(1)) to a recital (recital 153), will not fundamentally alter this reality.

Nevertheless, what Buivids does not resolve is how data protection should be balanced against specific freedom of expression demands which lie outside of special expression.  For example, what should the law say to individuals who choose to publicly chronicle their everyday interactions with others through sounds, images and other post, for the purposes of self-expression but not to contribute a message to the public at large?

The same kind of legal issue are in place in the current CJEU search engine cases involving sensitive data and the geographical reach of deindexing.   Hopefully, these forthcoming Grand Chamber judgments will add some further clarity in this space.  Importantly, the GDPR itself also emphases the need for a reconciliation between data protection and freedom of expression outside of special expression (art. 85(1)) but, as yet, Member State implementation of this requirement remains very limited.

Finally, Buivids also critically emphases the role of the courts (and, by implication, also DPAs) in considering the ʻnecessityʼ and even ʻstrict necessityʼ of any application of the special expression derogation.  The reference to ʻstrict necessityʼ chimes with Digital Rights Ireland (2014) and highlights the priority which the CJEU continues to ascribe to data protection (apparently even when this is pitted against a core exercise of another fundamental right).  Moreover, the move from a Directive (the DPD) to directly applicable Regulation (the GDPR) can only strengthen the role of courts and regulators here.  At the same time, it remains unclear to what extent the CJEU will mandate that these actors craft a balance based on their own understanding of primary EU and other fundamental rights law or whether, instead, it will expect them to continue to strongly defer to (sometimes rather unbalanced) special expression schemes already put in place by democratically elected national legislatures.  Hopefully, further light on this critical issue will be shed by the CJEU in the forthcoming case of Stunt.  This case will consider whether the UK courts should disapply national provisions excluding the possibility of pre-publication injunctions under data protection in relation to journalistic and other special expression processing.

Conclusions

Ultimately, Buivids leaves as many questions unanswered as resolved within this space.  However, what the case does clearly demonstrate is that the European data protection scheme and the exercise of freedom of expression interact in many and deep ways and that courts and DPAs have important roles to play in addressing this.  That interaction will certainly keep not only these two actors but also journalists, academics, the general public, online platforms and hopefully also democratically elected politicians busy for many years to come.

References
Erdos, “From the Scylla of Restriction to the Charybdis of Licence? Exploring the scope of the ʻspecial purposesʼ freedom of expression shield in European data protection”, 52 Common Market Law Review (2015)

Erdos, “Beyond ʽHaving a Domesticʼ? Regulatory Interpretation of European Data Protection Law and Individual Publication”, 33 Computer Law and Security Review (2017) (and 2016 SSRN pre-print)

Lynskey, “From market-making tool to fundamental right: The role of the Court of Justice in data protection’s identity crisis”, in Gutwirth, Leenes, de Hert and Poullet (eds.), European Data Protection: Coming of Age (Springer, 2013)

Vousden, “Satamedia and the Single European audiovisual area”, 31 European Intellectual Property Review (2009)

Part 1 of this post: “Decision” appeared yesterday.

David Erdos is a Fellow of Trinity Hall, Cambridge, a University Lecturer in Law and the Open Society and the Deputy Director, Centre for Intellectual Property and Information Law (CIPIL)

This piece originally appeared on the European Law Blog