Journalism vs. data privacy: The GDPR dilemma in reporting crimes

Kamrul Faisal, University of Helsinki, Finland

PUBLISHED ON: 25 Jul 2024

When reporting crimes, news portals (hereinafter often referred to as controllers who determine the means and purposes of processing personal data) frequently publish personal data (any information that directly or indirectly identifies an individual, as defined in Article 4(1), Regulation 2016/679). For instance, during the Madeleine McCann case, news agencies published unproven allegations against the accused (Bubola, 2023). Similarly, in the case of Amanda Knox, details about her romantic relationships were widely publicised (Biography.Com Editors & Piccotti, 2024). In Julian Assange's espionage trial, extensive reporting included details about his living conditions and relationships (BBC News, 2024; Psaropoulos, 2024). This practice creates a tension between the public’s right to freedom of expression and information and individuals' right to have their data protected from controllers (American Chamber of Commerce Bulgaria, 2020), both of which are fundamental human rights under the EU legal system (Case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland, 2017). Balancing and harmonising these rights which, currently disharmonised across the EU risk chilling effects on both freedom of expression and data protection rights, is crucial to fulfilling the GDPR's objectives (Recital 3, GDPR).

Personal data related to crimes received a broad definition under the GDPR as criminal conviction and offence data (Article 10, GDPR). Any personal data linked to a court conviction, including information about judges and lawyers, qualifies as personal criminal conviction data (Case of Khelili v. Switzerland, 2011). Personal data linked to any penal laws is classified as personal offences data (Case C-489/10, para. 37). Overall, anyone’s personal information in a crime report may comprise personal criminal conviction and offences data.

Publishing crime-related news is crucial in democracies, as journalists serve as societal watchdogs, informing the public, shaping opinions, and exercising their freedom of expression and information (Erdos, 2016; Case of M.L. AND W.W. v. Germany, 2018; Rucz, 2022). However, data subjects also have the right to data protection to prevent harm from such dissemination (Etienne, 2012, p. 151). Compromising this data can significantly harm their privacy – facilitating open-source intelligence use and enabling discrimination by employers and landlords (Georgieva, 2020). Individuals might find it impossible to escape their past, affecting their present and future (Georgiades, 2020, p. 1151; Faisal, 2023, p. 96). Thus, reporting crimes requires balancing two fundamental rights protected by the Charter of Fundamental Rights of the European Union (the Charter) (Faisal, 2021, p. 2). Article 52(1) of the Charter, which outlines principles and conditions of limiting fundamental rights, allows limiting any fundamental right only if it is strictly necessary and serves a general interest. Therefore, news agencies must process personal criminal conviction and offence data carefully, ensuring compliance with these limitations.

The default GDPR application restricts news agencies from easily reporting crime stories involving personal criminal convictions and offences data. Article 10 of GDPR allows processing such data only when 1) under the control of official authorities, or 2) authorised by Union or Member State law with appropriate safeguards for data subjects’ rights and freedoms. Without these permissions, news agencies rely on Article 85 GDPR (journalistic exemption), which allows the processing of criminal conviction and offences data for journalistic purposes, exempting them from most GDPR provisions, including Article 10.

Article 85 empowers Member States to balance or reconcile rights by defining journalistic exemptions. However, the power is not exclusive. The phrase "Member States shall provide for exemptions…" in Article 85(2) indicates that Member States must exempt controllers from certain GDPR chapters when necessary, implying that fewer exemptions than the provisions outlined in those chapters are unacceptable. Conversely, full exemptions from GDPR compliance may also be inconsistent with Article 52(1) of the Charter and Article 85. Member States can define the scope of journalistic exemption according to their legal and cultural contexts, but it must align with EU law. (Miadzvetskaya & Van Calster, 2020, p. 151). It must be remembered that, according to the principle of supremacy of the EU law, EU law presides over Member State law in terms of EU policies (Case 6/64).

Evidence shows that Member States have varying standards for journalistic exemptions, often inconsistent with EU law. Countries such as Austria, Italy, and Bulgaria narrowly define these exemptions, restricting news portals' ability to process criminal conviction and offence data for journalistic purposes (Erdos, 2016, p. 179). In contrast, Nordic countries like Norway, Sweden, and Finland provide broad exemptions, allowing extensive data processing by news portals (Erdos, 2016, p. 179; Bitiukova, 2023). The Bulgarian Constitutional Court has invalidated national laws requiring journalists to balance rights using specific criteria, deeming them incompatible with EU case law (American Chamber of Commerce Bulgaria, 2020). The European Data Protection Board (EDPB) should prioritise this in its working plan, while the Court of Justice of the European Union (CJEU) case laws may help fill the existing void. Analysis of relevant CJEU case laws supports a functional approach to defining journalistic exemptions, consistent with Article 52(1) of the Charter. This approach allows anyone (beyond journalists) to process personal criminal conviction and offence data, provided the processing is strictly necessary to communicate information, opinions, and ideas to the public in their general interest (Brimblecombe & Fenwick, 2022; Case C-73/07; Case C-345/17). Therefore, purposes that are discrete and privatised fall outside the scope of the journalistic exemption (Erdos, 2015, p. 138).

This disharmonisation contradicts GDPR objectives, as the GDPR established the European Data Protection Board (EDPB) to ensure consistent application across the Union (Article 70(1), GDPR). The promised legal certainty is undermined (Recital 13, GDPR), complicating compliance for controllers, creating uneven protection, impeding cross-border data flows, and disrupting the EU market's seamless operation.

In conclusion, an EU-wide shared standard for journalistic exemption is essential to address these discrepancies.

Acknowledgments

The work is supported by the Finnish Academy of Science and Letters' Eino Jutikkala Grant (grant number 0222799-7) and the University of Helsinki’s Generation AI project (grant number 01331393).

References

American Chamber of Commerce Bulgaria. (2020). Bulgarian Constitutional Court surprisingly invalidates local law provision implementing the journalistic exemption under Article 85 of GDPR [Press statement]. https://amcham.bg/2020/01/09/bulgarian-constitutional-court-surprisingly-invalidates-local-law-provision-implementing-the-journalistic-exemption-under-article-85-of-gdpr/

BBC News. (2024, June 26). Who is Wikileaks’ Julian Assange and what did he do? https://www.bbc.com/news/world-us-canada-68282613

Biography.Com Editors, & Piccotti, T. (2021). Amanda Knox. Biography. https://www.biography.com/crime/amanda-knox

Bitiukova, N. (2023). The GDPR’s journalistic exemption and its side effects: GDPR anniversary – What does it mean for the media? Verfassungsblog. https://doi.org/10.17176/20230616-111120-0

Brimblecombe, F., & Fenwick, H. (2022). Protecting private information in the digital era: Making the most effective use of the availability of the actions under the GDPR/DPA and the tort of misuse of private information. Northern Ireland Legal Quarterly, 73(AD1), 26–73. https://doi.org/10.53386/nilq.v73iAD1.937

Bubola, E. (2023, May 26). The Madeleine McCann case: Here’s what we know. The New York Times. https://www.nytimes.com/article/madeleine-mccann-search.html

Case 6/64. (1964). Judgment of the Court of 15 July 1964: Flaminio Costa v E.N.E.L.. The Court of Justice of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:61964CJ0006

Case C-73/07. (2008). Judgment of the Court (Grand Chamber) of 16 December 2008: Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy. The Court of Justice of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62007CJ0073

Case C–345/17. (2019). Judgment of the Court (Second Chamber) of 14 February 2019: Proceedings brought by Sergejs Buivids. The Court of Justice of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CJ0345

Case C-489/10. (2012). Judgment of the Court (Grand Chamber), 5 June 2012: Łukasz Marcin Bonda. The Court of Justice of the European Union. https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:62010CJ0489

Case of Khelili v. Switzerland. (2011). Court (Second Section) Judgment (Merits and Just Satisfaction) (16188/07). European Court of Human Rights. https://www.stradalex.eu/en/se_src_publ_jur_eur_cedh/document/echr_16188-07

Case of M.L. AND W.W. v. Germany. (2018). Judgment (60798/10 and 65599/10). European Court of Human Rights.

Case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland. (2017). Communicated Case (931/13). European Court of Human Rights. https://www.stradalex.eu/en/se_src_publ_jur_eur_cedh/document/echr_931-13

Erdos, D. (2015). From the Scylla of restriction to the Charybdis of licence? Exploring the scope of the “special purposes” freedom of expression shield in European data protection. Common Market Law Review, 52(1), 119–154. https://doi.org/10.54648/cola2015005

Erdos, D. (2016). European Union data protection law and media expression: Fundamentally off balance. International and Comparative Law Quarterly, 65(1), 139–183. https://doi.org/10.1017/S0020589315000512

Etienne, M. (2012). Arrest records and the right to know. In D. Dör & R. L. Weaver (Eds.), The right to privacy in the light of media convergence -Perspectives from three continents (Vol. 3, pp. 140–153). De Gruyter. https://doi.org/10.1515/9783110276152.140

Faisal, K. (2021). Balancing between right to be forgotten and right to freedom of expression in spent criminal convictions. Security and Privacy, 4(4), 1–14. https://doi.org/10.1002/spy2.157

Faisal, K. (2023). Applying the purpose limitation principle in smart-city data-processing practices: A European data protection law perspective. Communication Law and Policy, 28(1), 67–97. https://doi.org/10.1080/10811680.2023.2180266

Georgiades, E. (2020). Down the rabbit hole: Applying a right to be forgotten to personal images uploaded on social networks. Fordham Intellectual Property, Media & Entertainment Law Journal, 30(4), 1111–1156. https://ir.lawnet.fordham.edu/iplj/vol30/iss4/2

Georgieva, L. (2020). Article 10: Processing of personal data relating to criminal convictions and offences. In C. Kuner, L. A. Bygrave, C. Docksey, & L. Drechsler (Eds.), The EU General Data Protection Regulation (GDPR): A commentary (pp. 345–354). Oxford University PressNew York. https://doi.org/10.1093/oso/9780198826491.003.0036

Miadzvetskaya, Y., & Van Calster, G. (2020). Google at the Kirchberg dock. On delisting requests, and on the territorial reach of the EU’s GDPR (C-136/17 GC and Others v CNIL, C‑507/17 Google Inc v CNIL). European Data Protection Law Review, 6(1), 143–151. https://doi.org/10.21552/edpl/2020/1/20

Psaropoulos, J. T. (2024, February 20). Julian Assange appeals in ‘most important press freedom case in the world’. Al Jazeera. https://www.aljazeera.com/news/2024/2/20/julian-assange-appeals-in-most-important-press-freedom-case-in-the-world

Regulation 2016/679. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). European Parliament and Council. https://eur-lex.europa.eu/eli/reg/2016/679/oj

Rucz, M. (2022). SLAPPed by the GDPR: Protecting public interest journalism in the face of GDPR-based strategic litigation against public participation. Journal of Media Law, 14(2), 378–405. https://doi.org/10.1080/17577632.2022.2129614