The General Data Protection Regulation (GDPR) presaged major changes in the governance of personal information including (and perhaps especially) in the UK. Nevertheless, three and a half years since it first applied (and despite proposals for further reforms now being advanced) even changes at the purely legal level are still percolating through.
One of these is the Data Protection and Journalism Code which is mandated under section 124 of the UK Data Protection Act (DPA) 2018. To fully comprehend the context of this and various associated provisions we need to go even further back to the Leveson Inquiry (Part I) Report in 2012. Leveson’s Report was highly critical of the apparent side-lining of data protection including by the Information Commissioner’s Office (ICO) and made a slew of recommendations directed at both the Government and the ICO itself.
Some of these were partially implemented, notably the issuing of guidance on data protection and journalism by the ICO in 2014. However, many were not. The debate on the DPA 2018 provided an opportunity for pro-Leveson forces especially within the House of Lords to revisit this. Although there was also parliamentary pressure from the opposite quarter (and calls to proceed Part II of the Leveson Inquiry were successfully rebuffed), the final Act includes a slew of new provisions which were clearly inspired by Leveson.
The centrepiece of this is a requirement to establish a Journalism Code alongside new duties and powers for ICO to periodically review media compliance with data protection going forward rather than (as would have been the case with Leveson II) retrospectively. Although rather belated, the launch of a Draft Code and associated consultation by the ICO this month represents the start of its implementation of these new provisions.
At a fundamental level, the journalism framework in the new DPA 2018 as compared to the old DPA 1998 remains stable. In each case, there is a procedural shield preventing either the courts or the ICO using data protection as a tool of pre-publication restraint in the area of journalism and a wide-ranging substantive exemption for processing linked to this type of publication which nevertheless requires demonstrating a “reasonable belief” that publication is in the “public interest” and that it is “incompatible” with the journalistic purposes to observe data protection’s default requirements.
Perhaps unsurprisingly therefore, there is also a good deal of continuity between the existing guidance and the draft Code. Both emphasise the broad scope of data protection, its wide-ranging default duties and the need for proportionality when applying the special provisions. They also display more deference to journalists in relation to the assessment of public interest as opposed to the incompatibility test, with the old text maintaining that compliance with data protection’s default should still be ensured “wherever possible” (p. 8) or where not “unreasonable” (p. 27) and the new draft stating that it should be “necessary to not comply” (p. 32).
At the same time, the draft Code provides considerably more coverage of some of the specific issues which arise in journalism including consideration of how data protection might affect their handling. For example, alongside a related discussion about sourcing special category from social media (p. 47), there is considerable detail on the processing of both criminal findings and allegations and the importance of balancing publicity with privacy (and in the case of the former also rehabilitation) rights here (pp. 48-53).
There is also much greater detail on how and why strong account must be taken in journalism of the accuracy principle and even the allied right to rectification (pp. 59-63). Other issues, such as those related to the archiving of long stale news, are (at most) more cursorily addressed.
Nevertheless, as well as a stress on the “strong, general public interest in the preservation of news archives” there is a recognition that it “may be proportionate to rectify inaccurate or incomplete information … from time to time” and “[t]he extent to which material is amplified online may be a relevant factor” (p. 84) here.
These changes reflect the emphasis in the new law on the need to provide truly “practical guidance” (DPA 2018, s. 124(1)(a)) on legal compliance and good practice and also the maturing of data protection especially through case law over the past decade (for example, Google Spain is cited in relation to online amplification).
The links between data protection and the allied laws of defamation and the misuse of private information (MOPI) have also been firmly integrated into the draft Code, whilst still taking care to recognise key divergences. For example, the MOPI discussion correctly highlights that “it is important to note that not all personal data is necessarily private” (p. 19). This inclusion draws on the greater coverage of these links within recent case law (something which is particularly apparent as regards defamation and data protection). Nevertheless, this is also clearly a conscious decision of the Code’s drafters and is welcome.
Even where the 2014 guidance and the draft Code appear very similar, it must be recognised that that the Code will have a much more potent legal status. Thus, in contrast to the old guidance which “does not have any formal status or legal force” (p. 4), the final Code will need to be taken into account not only the ICO but even by any court whenever it appears relevant to an issue before it (DPA 2018, s. 127). In other words, it could effectively operate as an interpretative gloss on the law itself. In recognition of its formal legal effect, the Code must be approved by Parliament under the negative resolution procedure (s. 125) and can contain transitional provisions or savings clauses (s. 124(4)).
Dr David Erdos is Co-Director of the Centre for Intellectual Property and Information Law and WYNG Fellow in Law at Trinity Hall, University of Cambridge. He is also author of European Data Protection, Journalism and Traditional Publishers: Balancing on a Tightrope? which was published by Oxford University Press in 2019.
Handley Gill Limited has published its response to the ICO’s consultation on the draft Journalism Code, and we have published it on our website: https://www.handleygill.co.uk/response-to-ico-draft-journalism-code-of-practice
We are concerned that, as currently drafted, the Code fails to reflect existing law, and fails to draw an appropriate balance between the fundamental right to freedom of expression and information on the one hand and data protection rights on the other.
The draft Code is fails to distinguish between what is necessary for compliance and what best practice in the most highly regulated, well resourced media organisations might look like, setting unnecessarily high expectations and failing to provide practical guidance to the individuals and SMEs who most need it.
Furthermore, the draft Code seeks to impose more stringent requirements than the existing guidance and, dangerously, creates a codified privacy law in ways which go beyond the decisions of the courts.