By David Erdos
On 14 February the Court of Justice of the EU (CJEU) handed down its decision in Buivids, a case which pitted an amateur individual online publisher against the Latvian Data Protection Authority (DPA). This important case raises fundamental questions concerning the scope of European data protection, the ambit of the personal/household exemption, the legal definition of journalism and the role of data protection as regards to this and also related academic, artistic and literary expression. The Court’s answers to these questions highlight the close and tense interface between European data protection and freedom of expression. At the same time, they provide only relatively limited insight as to how the serious tension between data protection, special expression and freedom of expression more broadly should be resolved. What they do suggest, however, is that not only national legislators but also courts and regulators have active and important roles toplay within this space. The full implications of this, as well as further guidance on how to balance data protection and special expression, should be provided in the forthcoming case of Stunt which will require the Court to consider whether national courts should disapply the ban on pre-publication injunctions against special expression processing which is set out in UK data protection legislation. In addition, Grand Chamber CJEU judgments on internet search engines and data protection are awaited both in relation to sensitive data and the geographical reach of any remedy here. In sum, slowly but surely, an albeit messy corpus of European jurisprudence on data protection and freedom of expression is in the process of gestation.
Facts and Questions Referred
The facts of the instant case are as follows. In the context of making a statement in administrative proceedings brought against him, Mr Buivids made a “video recording in the station of the Latvian national police” (at ) which inter alia showed “police officers going about their duties” (at ). He then published it on YouTube. Presumably following a complaint, the Latvian DPA held that Buivids had thereby infringed data protection, notably by failing to provide the police officers with a transparency notice as specified in the law. In August 2013, this DPA therefore ordered that he remove the video from YouTube (and other websites). Buivids sought judicial review of this decision, arguing in the publication’s justification that he wished “to bring to the attention of society something which he considered to constitute unlawful conduct on the part of the police” (at ). Whilst unsuccessful both initially and on appeal before the Regional Administrative Court, a further appeal to the Latvian Supreme Court resulted in this body issuing a preliminary reference asking the CJEU to clarify, firstly, whether Buivids’ activity fell within the scope of European data protection and, secondly, whether the journalistic derogation was engaged. Given the time framework of the relevant processing, these questions were to be resolved by reference to the (now erstwhile) Data Protection Directive (DPD) 95/46. Nevertheless, the General Data Protection Regulation (GDPR) 2016/679 has a very similar scope and structure; therefore, as explored below, the CJEU’s answers also have far-reaching implications for the future of European data protection.
Court of Justice Answers
The CJEU had absolutely no difficulty in finding that the recording and upload activity engaged the basic material scope of the DPD and that no exemption was applicable. The recorded images rendered the police officers identifiable and so were indubitably “personal data” (at ) which had been subject to automatic data processing through Buivids’ digital photo camera since it stored the recording “on a continuous recording device, namely the memory of that camera” (at ). The fact that this recording “was made on only one occasion” (at ) had no bearing on that basic issue. The uploading of the data on to the internet constituted a further processing (at ). Meanwhile, the DPD’s exemptions were clearly not engaged and, in any case, full carve-outs had generally to be “interpreted strictly” (at ). In particular, since Buivids had not restricted the dissemination of the video and had thereby permitted “access to personal data to an indefinite number of people”, the processing did not fall within the exempted “context of purely personal or household activities” (at ).
The Court found the second question on journalism much more difficult and complex. In the first place, it acknowledged that in light of the “importance of the right to freedom of expression in every democratic society”, it was necessary to interpret “notions relating to that freedom, such as journalism, broadly” (at ). The journalistic derogation could not be confined to an institutional or professional context but rather was applicable to “every person engaged in journalism” (at ). However, echoing the Opinion of Advocate General Sharpston in the same case, the Court emphasised that “the view cannot be taken that all information published on the internet involving personal data, comes under the concept of ʻjournalistic activitiesʼ” (at ). Rather, in order to see whether the journalistic derogation was engaged, the referring court was told to consider whether the recording and publishing of the video were “intended solely to disclose information, opinions or ideas to the public” (at ). Furthermore, and in an important twist which did not directly answer any question posed to it, the CJEU emphasised that even if this definition was met this court would still need to determine “whether the exemptions or derogations provided for … are necessary in order to reconcile the right to privacy with the rules governing freedom of expression, and whether those exemptions and derogations are applied only in so far as is strictly necessary” (at ).
The outcome in Buivids draws significantly on long-standing CJEU jurisprudence. Thus, as far back as 2003, Lindqvist had already stressed the broad material applicability of data protection in an online publishing context and also argued that the personal/household exemption was not applicable where “data are made accessible to an indefinite number of people” (at ). Meanwhile, the Grand Chamber judgment in Satamedia in 2008 had emphasised the need for a broad construction of journalism, argued that courts should therefore consider if the “sole object” of any activity “is the disclosure to the public of information, opinions or ideas” (at ) and emphasised that even in relation to journalism, any derogations or exemptions from data protection “must apply only in so far as is strictly necessary” (at ).
Despite this, it would be a great mistake to see Buivids as simply a straightforward application of Lindqvist and Satamedia. Turning first to Lindqvist, a number (albeit only a minority) of DPAs have claimed that the statements in this case shouldn’t be taken literally since Mrs Lindqvist’s amateur publication was related to her activity within the Swedish Protestant Church (which was clearly a corporate not amateur individual controller) and, in any case, was handed down in the relatively early days of the internet, before full online social networking and Web 2.0. Indeed, as a result, the UK Information Commissioner’s Office (ICO) has felt justified over many years in applying a blanket policy which refuses to consider “complaints made against individuals who have posted personal data whilst acting in a personal capacity, no matter how unfair, derogatory or distressing the posts may be” (p. 15). However, the unequivocal adoption of the same wording as Lindqvist in Buivids, a case which concerns processing taking place in the 2010s and unequivocally in a purely amateur/personal context, powerfully demonstrates (alongside the copious case law which the CJEU quotes in its support) that an approach such as the ICO’s has no legal basis within the European data protection scheme. Turning to Satamedia, this case’s suggested positive definition of journalism was not tempered by any explicit recognition that the reference to “the public” was importantly different from the dissemination of information to an indefinite number of people generally. This led a number of authoritative commentators to argue that the case favoured “the delivery of information in the public domain through the chaos of the market” (Vousden, 2009, p. 533) and allowed “national courts to exempt virtually any form of expression involving personal data processing from the scope of the Directive” (Lynskey, 2013, p. 71). In contrast, through balancing the positive definition of journalism originally set out in Satamedia with a recognition that this must not encompass all information published on the internet, Buivids explicitly recognises the critical point that the reference to “the public” in Satamedia must be understood in the collective sense of “the body politic” (Erdos, 2015, p. 129) rather than simply any indeterminate number of people. Application of the journalistic derogation thereby comes clearly to rest on an analysis of whether processing is solely intended to contribute to some kind of “collective, public debate” (Ibid). Admittedly, even before Buivids, such an understanding had been implied by the CJEU finding in Google Spain that an internet search engine, despite disseminating its indexing results to an indeterminate number, could not (at least directly) benefit from the journalistic derogation (at ). Finally, the initial reference in Satamedia to a requirement of strict necessity in relation to the application of the journalistic derogation was potentially compatible with the national legislature being uniquely responsible for the implementation of this test. Especially since different Member State legislatures both have and continue to adopt radically different approaches to this provision, that would severely limit the potential for both individual redress and moves towards a harmonized approach here. In contrast, Buivids clearly states that, apparently notwithstanding any such national legislation, courts are responsible for interpreting and applying these “necessity” and “strict necessity” tests. By clear implication (not least as the Latvian regulator made the initial determinations in the instant case), DPAs would have similar initial responsibilities (albeit whilst remaining subject to potential judicial review).
Implications under the GDPR
Buivids has significant implications for the interface between data protection and freedom of expression. To begin within, it gives emphasis to the idea that data protection applies to a host of amateur publication activities which involve the indeterminate publication of third-party personal data, whether this is on YouTube, Facebook, Instagram or a myriad of other online possibilities. Given that such activities are carried out by potentially hundreds of millions of users across Europe, that itself remains a conclusion of profound significance. Since the GDPR has at least as broad a basic material scope as the DPD and maintains only a narrowly crafted exemption for “purely personal or household activity” (art. 2(2)(c)), the transition from Directive to Regulation cannot fundamentally displace this. Admittedly, a recital in the GDPR acknowledges that the exemption “could include … social networking and online activity undertaken within the context” of purely personal or household activities (Recital 18). This recital might be invoked by the CJEU to exclude amateur online publication posing only a low risk to the relevant individuals’ data protection rights (e.g. the posting of innocuous pictures of family, friends or other acquaintances online). Alternatively, the court could insist that this exemption has no applicability to the online sharing of third-party data beyond a closed or determinate number of people. Either way, post-Buivids any notion, as forwarded for example by ICO, that amateur publication of third-party personal data is generally exempt from European data protection is entirely illusory. Furthermore, a good portion of this amateur publication is not “solely” or even predominantly concerned with disseminating a message to the collective public but, rather, finds its potential justification in “self-expression and a general freedom to converse” (Erdos, 2016/17, p. 4). Therefore, the definition of journalism articulated by Buivids also points to many individual publishers falling outside of the special expression derogation. Again, the very minor drafting differences of the GDPR, namely moving the sole processing requirement from the body of the instrument (art. 85(1)) to a recital (recital 153), will not fundamentally alter this reality. Nevertheless, what Buivids does not resolve is how data protection should be balanced against specific freedom of expression demands which lie outside of special expression. For example, what should the law say to individuals who choose to publicly chronicle their everyday interactions with others through sounds, images and other post, for the purposes of self-expression but not to contribute a message to the public at large? The same kind of legal issue are in place in the current CJEU search engine cases involving sensitive data and the geographical reach of deindexing. Hopefully, these forthcoming Grand Chamber judgments will add some further clarity in this space. Importantly, the GDPR itself also emphases the need for a reconciliation between data protection and freedom of expression outside of special expression (art. 85(1)) but, as yet, Member State implementation of this requirement remains very limited.
Finally, Buivids also critically emphases the role of the courts (and, by implication, also DPAs) in considering the ʻnecessityʼ and even ʻstrict necessityʼ of any application of the special expression derogation. The reference to ʻstrict necessityʼ chimes with Digital Rights Ireland (2014) and highlights the priority which the CJEU continues to ascribe to data protection (apparently even when this is pitted against a core exercise of another fundamental right). Moreover, the move from a Directive (the DPD) to directly applicable Regulation (the GDPR) can only strengthen the role of courts and regulators here. At the same time, it remains unclear to what extent the CJEU will mandate that these actors craft a balance based on their own understanding of primary EU and other fundamental rights law or whether, instead, it will expect them to continue to strongly defer to (sometimes rather unbalanced) special expression schemes already put in place by democratically elected national legislatures. Hopefully, further light on this critical issue will be shed by the CJEU in the forthcoming case of Stunt. This case will consider whether the UK courts should disapply national provisions excluding the possibility of pre-publication injunctions under data protection in relation to journalistic and other special expression processing.
Ultimately, Buivids leaves as many questions unanswered as resolved within this space. However, what the case does clearly demonstrate is that the European data protection scheme and the exercise of freedom of expression interact in many and deep ways and that courts and DPAs have important roles to play in addressing this. That interaction will certainly keep not only these two actors but also journalists, academics, the general public, online platforms and hopefully also democratically elected politicians busy for many years to come.
Erdos, “From the Scylla of Restriction to the Charybdis of Licence? Exploring the scope of the ʻspecial purposesʼ freedom of expression shield in European data protection”, 52 Common Market Law Review (2015)
Erdos, “Beyond ʽHaving a Domesticʼ? Regulatory Interpretation of European Data Protection Law and Individual Publication”, 33 Computer Law and Security Review (2017) (and 2016 SSRN pre-print)
Lynskey, “From market-making tool to fundamental right: The role of the Court of Justice in data protection’s identity crisis”, in Gutwirth, Leenes, de Hert and Poullet (eds.), European Data Protection: Coming of Age (Springer, 2013)
Vousden, “Satamedia and the Single European audiovisual area”, 31 European Intellectual Property Review (2009)