By Professor Lorna Woods
One aspect of the Leveson recommendations that seems to have escaped the headlines is that relating to data protection, though implementation of his recommendations could give those adversely affected by media treatment of their personal data some tools.
Section 32 Data Protection Act provides an exception to data processing rules in relation to a number of ‘special purposes’, which includes media purposes. The scope of the exemption is pretty broad: it provides an exemption to non-compliance with any of the Data Protection Principles except the Seventh Principle (security), the right of access and objection (Ss32(2)(a) Data Protection Act).
This exemption is available provided the press-related data controller believes that the special importance of the public interest in freedom of expression is served by the processing of personal data, and that the processing of such data is with a view to publication.
The terms of the Act in this regard are thus vague and potentially subjective; they do not really give any clear steer on when processing of data might be protected. Section 32(3) specifically provides, however, that when considering whether such belief was reasonable, “regard may be had to [a data controller’s] compliance with any code of practice” and provides that such codes may be designated by statutory instrument.
While there are existing codes for journalists (which are not limited to the PCC Code (SI 2000/1864), but include those put together by other media organisations, e.g. the BBC), they are not sufficiently detailed guidance on data protection obligations either. Section 51 Data Protection Act empowers the drawing up of codes of good practice, or encouraging trade associations so to do. On this basis the ICO consulted (close date 15th March) on the intention to produce a code of conduct aimed at media organisations, including but not limited to the press, as it proposed in its response to the Leveson Report.
So given that there are existing codes under the system, what is the big deal about a new code? Well, if it is designated under s.32(3), then this brings into play the (statutory) enforcement procedures under the Data Protection Act. Given the monetary penalties that the ICO can now apply, this might get some attention.
More generally, the ICO has committed itself –again in response to Leveson – to “provid[ing] regular updates to Parliament on the effectiveness of the measures we are adopting in response to Lord Justice Leveson’s recommendations and more generally on our assessment of the culture, practices and ethics of the press in relation to the processing of personal data”. This may give evidence about whether any new system of regulation is working which, crucially, comes from outside the system.
This then re-emphasises the importance of the scope of the journalistic exception and the meaning of ‘public interest in freedom of expression’, which is presumably tied in to the fourth estate capacity of the media, rather than its capacity for spreading rumour and gossip.
Further, how closely connected must the processing of the data be to the publication of a story to benefit from the exception? Mr Jay made this point at the Leveson Inquiry: when the press obtains an ex-directory number (for hacking purposes), is it likely that the press would publish the ex-directory number? The answer is “no”, so presumably processing such material cannot benefit from Article 32.
Read the rest of this entry »
alexkantoniou
citycljj
Jamie Thunder
jtownend
admin
Natalie
oliverocallaghancity
sammc123
data protection, ecj, google, google spain
Lorna Woods: Google and Data Protection – Again!
In Comment, Law on March 16, 2025 at 9:52 amBy Professor Lorna Woods
A new reference has landed on the ECJ’s desk: Google Spain and Google (Case C-131/12) from the Audiencia Nacional in Spain.
The ECJ official website is a bit thin on details, but this seems to be the same case reported by Reuters. That case concerns the right to be forgotten – implicit in the current data protection regime (but which would be made explicit were the draft Data Protection Regulation ever to come in to being).
While the judge apparently referred a number of questions, including one about jurisdiction, the central issue is whether Google should be obliged to delete data referring to individuals. The impetus for the cases comes from aggrieved individuals who have applied to the Spanish data protection authority to have information deleted. This case is likely to be one that is closely watched given the likely stormy passage of the proposed Data Protection Regulation.
Central to the discussion will be the relationship between the e-Commerce Directive (Directive 2000/31/EC) and the Data Protection Directive. While the e-Commerce Directive shields ISPs from liability in a range of circumstances, that directive is expressed not to apply to ‘questions relating to information society services covered by Directives 95/46/EC and 97/66/EC’ (article 1(5)(b) e-Commerce Directive and Recital 14). Directive 95/46/EC is, of course, the current Data Protection Directive.
Google is, of course, not unfamiliar with the exception to the e-Commerce Directive, as it arose when directors of Google were charged under Italian data protection laws relating to user generated content (UGC) posted on a You-Tube type service operated by Google. The UGC was a clip from a mobile phone which showed some boys bullying another boy with Downs Syndrome. The Google executives were given 6 month suspended gaol sentences. A decision on appeal was due to be handed down by the Court of Appeal in Milan in 2011, though in September the case, according to one of those involved (Peter Fleischer) had not been assigned. One would hope that in the interests of timely just that this issue is decided before the ECJ hands down its ruling in Case C-131/12.
If the non-availability of the hosting exceptions, then presumably the key issue is the scope of the rights under the DPD. Therein lies the rub. While the DPD is set against a privacy (Article 8 ECHR) backdrop, it does not grant any particular right to be forgotten. Instead, the DPD provides how data should be managed, which includes the archiving and deletion obligations. How far the ECJ is prepared to push this, especially in the light of data protection as a fully fledged right in the EU Charter, remains to be seen. This is the new contentious issue in the privacy/freedom of expression debate. For a range of views see: Google’s privacy counsel; a security consultant; and an academic viewpoint [PDF], among, no doubt, many more.