The first relates to so-called citizen journalism. The draft Code rightly (and in a UK-context refreshingly) points to European case law which establishes that individuals cannot benefit from a blanket free pass simply on account of being amateurs (p. 24). It would be perverse if those pursuing essentially the same activity were not expected to abide by essentially the same substantive legal standards. (As explored below, whether such standards are being adhered to in practice must also be systematically monitored by ICO including in this citizen media context).
At the same time, the appropriateness or otherwise of particular compliance processes and procedures needs to take contextual account of at least the scale of a controller’s activities. The draft Code currently largely ignores this point although, in fairness, some of the key restraints here do arise from the law itself.
What is reasonably considered “incompatible” with a journalistic purpose can and should take into account scale amongst other factors. However, as the guide emphasises, most of the GDPR obligations to ensure accountability fall outside of this exemption. Nevertheless, a number of them may still be subject to a degree of contextual interpretation.
It is also true that certain problems here arise not from the GDPR itself or from the DPA 2018 but rather from the Information Commissioner’s own rule-making. In particular, the ICO has itself has chosen to establish an Article 35(4) list of the kind of processing subject to a Data Protection Impact Assessment duty which not only appears to encompass almost all journalism (e.g. “[c]ombining, comparing or matching personal data obtained from multiple sources”) but does not include any express exemption for small-scale processing.
The draft Code’s contextualized acknowledgment that one DPIA can cover an entire type of processing such as “special investigations journalism” (p. 39) may well prove useful to large media organisations. However, it is unlikely to be sufficient for your average journalistic blogger.
The second pressing issue concerns the ICO’s own role. The Information Commissioner did undertake innovative enforcement action in 2019 (upheld in its essence by the Tribunal in 2020) on the need to consider “incompatibility” very carefully when directly collecting health data for journalistic purposes in a confidential medical setting.
However, mirroring Leveson’s findings in 2012, it may still be true that there is “little evidence of the realisation of [the ICO’s] potential [in the journalistic area], or, in practice, of [its] role having been fulfilled” (p. 1065). Whilst the ICO implemented some of Leveson’s suggestions in 2013-14, it generally failed to maintain momentum in the years following and rejected his recommendation that this be ensured through regular updates in its annual reports.
Following the new duties established in the DPA 2018 (and after an initial call for views), the ICO stated that it would produce and consult on a text and lay this before Parliament by the end of 2019 (p. 21). However, this did not happen and (albeit partly due to Covid) the production of even a draft Code has been delayed until now.
This is particularly problematic since the taking account or otherwise of any Code should clearly be integral to the ICO’s periodic review of journalism’s compliance with data protection law and good practice. Moreover, the first review period starts as early as next year when the Code will (at best) only just have been finalised.
There are also some signs in the draft Code itself that the ICO might be seeking to side-line its own supervisory role here (which is admittedly highly circumscribed under the law itself anyway). For example, the draft states that the ICO can’t issue an enforcement notice “if the processing is only for the special purposes [of journalism]” (p. 87) when, in fact, the legislative framework appears to allow such action when it has been determined either that a separate processing purpose is in play or that the material at issue has already been published by the controller (DPA 2018, s. 174). In other words, post-publication injunctive action to, for example, limit the ongoing ready availability of manifestly illegally published personal data would still be possible even if this arose from purely journalistic processing.
A second example is that the draft states that “[m]ost, if not all, journalistic organisations already have suitable broader policies and procedures which can easily be adapted if necessary to include data protection considerations” (p. 33). However, not only would this be strongly disputed by pressure groups such as Hacked Off, but the ICO has not itself clearly determined whether this is or is not the case. Indeed, it is precisely these sorts of questions which should be considered in the forthcoming statutory review and Schedule 17 of the DPA 2018 ensures that the ICO has all the necessary powers to ensure that it can do this systematically. It is vital that this review (and any subsequent review) is carried out and is seen to be carried out in a robust and comprehensive fashion so that it can constitute a truly authoritative contribution to the evolving policy landscape in this area of acute rights conflict.
The ICO consultation on the draft Code (and also on the accompanying draft economic assessment) is open until 10 January 2022. The ICO is also inviting interest in taking part in some more specialist online workshops this November (the closing date for which is 5 November). It is really important that a range of voices are heard. So please do check out the draft Code and associated materials and have your say!
Part 1 of this post was published on 26 October 2021
Dr David Erdos is Co-Director of the Centre for Intellectual Property and Information Law and WYNG Fellow in Law at Trinity Hall, University of Cambridge. He is also author of European Data Protection, Journalism and Traditional Publishers: Balancing on a Tightrope? which was published by Oxford University Press in 2019.