The GDPR enters the SLAPP scene: GDPR proceedings as emerging forms of strategic litigation against public participation
The EU General Data Protection Regulation 2016/679 (GDPR) imposes far-reaching obligations on those handling personal data, and in principle this conclusion also holds for those who handle personal data for journalistic purposes. Mindful of the potential tension between data protection and journalistic freedoms, the GDPR provides for a so-called journalistic exemption. However, due to incomplete, confused or overly narrow national implementations of this journalistic exemption, the GDPR is increasingly discovered as an instrument to discourage, or punish, critical news coverage. GDPR-based litigation and administrative proceedings emerge as new forms of strategic litigation against public participation (SLAPP), with dangerous implications for the protection of public interest journalism in Europe. After providing a brief background note on SLAPPs, this blogpost explores the interface between the GDPR and journalistic activities and draws on GDPR proceedings from various EU Member States to illustrate the potential of the GDPR to be instrumentalised as a SLAPP strategy.
Background on SLAPPs
The SLAPP concept was coined in the 1980s in order to capture a growing trend of civil society activists being targeted with multi-million-dollar civil lawsuits in the United States. SLAPPs are typically initiated by persons wielding considerable power, such as high-profile politicians or influential businesspersons, against individuals expressing critical opinions on an issue of public interest, such as journalists, human rights defenders or academics. The purpose of a SLAPP filer is not to win the lawsuit – in fact, most SLAPP suits turn out to be meritless and result in eventual triumph of the target. Instead, SLAPP filers aim to bully the targets into silence by launching bogus lawsuits. Even with the prospect of eventual victory, defending oneself in a civil lawsuit costs a lot of money, time and is a psychologically draining process. Moreover, SLAPPs may also discourage others from speaking up, leading to far-reaching and dangerous ‘ripple effects’ (p. 30).
Although the SLAPP concept originates from the United States, abusive lawsuits, particularly abusive defamation lawsuits, have also been salient issues in Europe. The Maltese investigative journalist Daphne Caruana Galizia was facing 47 defamation lawsuits at the time of her murder, forcing her to appear in court almost every day in the last year of her life. After her tragic death, momentum to introduce legal safeguards against SLAPPs surged in the EU. The European Parliament repeatedly called on the European Commission to table a legislative initiative against SLAPPs. In its Democracy Action Plan, the Commission recognised SLAPPs as one of the key challenges to media freedom and pluralism, and committed itself to present an initiative to protect journalists and civil society organisations against SLAPPs. The Commission is expected to present its anti-SLAPP proposal in March 2022.
The GDPR and journalistic activities
SLAPPs exploit vague or overly broad legislative provisions regulating some form of expression. While defamation laws have been considered particularly susceptible to abuse and have been the most common breeding ground for SLAPPs, the potential of the GDPR to turn into an alternative SLAPP basis is gaining increasing attention.
The GDPR attaches obligations to the handling of personal data, and personal data is central to the activities of journalists. Whenever journalists seek out information relating to individuals, compile it, write up stories and disseminate them to the public, they are considered data controllers within the meaning of the GDPR. It is generally acknowledged that the full application of the GDPR to journalistic activities would disproportionately undermine the exercise of the right to freedom of expression, especially journalistic freedoms. Therefore, the need to reconcile personal data protection with freedom of expression resonates across the GDPR. Recital 4, although not binding, stipulates that the right to personal data protection ‘must be considered in relation to its function in society and be balanced against other fundamental rights’ including ‘the right to freedom of expression and information’.
Article 85, the GDPR’s principal provision on the topic, provides special recognition to journalistic expression and envisages derogations from data protection standards in the context of journalism. Article 85(2) reads:
For processing carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall provide for exemptions or derogations […] if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.
The GDPR, thus, generally leaves it to Member States to define the scope of application of the journalistic exemption. This deferential approach was considered necessary in light of different constitutional traditions relating to journalism among EU Member States and corresponding limited legislative competences of the EU. While the provision itself offers little guidance in terms of the application of the journalistic exemption, the jurisprudence of the Court of Justice of the European Union (CJEU) may provide some flesh to Article 85 of the GDPR. The CJEU held that the journalistic exemption may be invoked by anyone engaging in journalism, and not just members of the traditional press. As stated in Satamedia – and also in recital 153 of the GDPR – the notion of journalism has to be interpreted broadly (para. 56). In Buivids, the CJEU found that journalism generally involves activities that ‘have as their purpose the disclosure to the public of information, opinions or ideas’ (para. 53). Although the cases where the CJEU explored the tension between data protection and journalism concerned the EU Data Protection Directive 95/46, the GDPR did not significantly depart from the DPD’s approach to journalism and thus the CJEU’s jurisprudence arguably remains relevant.
Fragmented national implementations
The national implementation of the GDPR’s journalistic exemption has proven to be a complex and contested task. The European Commission identified three main approaches followed by Member States: some codified the precedence of journalistic freedoms per se, others have only allowed for exemptions for journalistic processing in very limited situations, while yet others have provided for case-by-case balancing. The flexibility reserved for Member States has, thus, led to significant fragmentation of the operation of the GDPR when it comes to journalistic activities. There is a concern that this flexibility may provide excessive leeway to introduce or maintain disproportionate restrictions on press freedom, ostensibly to advance personal data protection. In Bulgaria, the transposition of Article 85 GDPR was invalidated by the Constitutional Court for its disproportionate effect on freedom of expression. The Romanian implementation faced international criticism for being overly restrictive regarding the type of activities that may trigger the journalistic exemption, whereas Hungary has been criticised for failing to implement a journalistic exemption at all.
GDPR proceedings against journalists emerge across Europe
The GDPR’s potential to stifle public interest journalism became evident a few months after the Regulation’s entry into force. In Romania, a journalism project, RISE, investigated misuse of EU subsidies involving a political leader. After RISE published a sneak-peak video of the investigation, the Romanian data protection authority sent a letter to the journalists, requesting clarification (among others) on the source of the information. The letter mentioned the possibility of receiving a fine of up to 20 million euros upon non-compliance with the request. Given the evident tension between the authority’s request and the importance of source protection for the democratic role of journalism, the incident attracted criticism from civil society organisations as well as the European Commission. Similar concerns also arose in relation to the Slovakian and Lithuanian data protection authorities.
In Hungary, a large energy drink manufacturer’s crusade against newspapers put the spotlight on the silencing potential of the GDPR. In 2019, Hell Energy filed for preliminary injunctions to prevent reporting on its business by Forbes Hungary and Magyar Narancs. The newspapers aimed to report on Hell Energy’s rise in economic power, the role of state subsidies and the company’s ties to the Hungarian government. Hell Energy invoked the GDPR in both proceedings, primarily complaining that the newspapers processed personal data without a legal basis. Granting the preliminary injunctions, Hungarian courts ordered Forbes Hungary to recall its 2019 issue, and obliged Magyar Narancs to publish a significantly redacted version of its article. The civil lawsuits following the preliminary injunctions are still working their way through the judicial system. Parallel to the civil lawsuits, Hell Energy also initiated administrative proceedings before the Hungarian data protection authority against both publishers. Judicial review of these administrative proceedings is still ongoing at the time of writing.
GDPR-based SLAPPs and their threat to public interest journalism
The GDPR can, thus, be misused and instrumentalised to obstruct those engaging in public interest journalism. The cases of Forbes Hungary and Magyar Narancs illustrate that regardless the potential of eventual victory, the newspapers have to invest substantial amount of time into defending themselves in costly proceedings. Even if they triumph, their news articles reporting on developments in the Hungarian business sector in 2019 will have lost their relevance, currency and newsworthiness. These targets have, therefore, not much to win and a lot to lose from a SLAPP suit. Although a SLAPP may backfire and increase public awareness of the contestation at the basis of the suit, this is generally an insufficient incentive for targets to resist filers’ silencing efforts and an insufficient deterrent for filers against initiating a SLAPP. Because most SLAPP targets cannot afford to defend themselves in these lavish lawsuits, many decide to abandon their critical reporting. This is exactly the purpose of SLAPPers; they seek to silence and nip criticism in the bud.
Furthermore, the GDPR has a particularly strong system of enforcement with unusually high sanctions for infringement. The fact that authorities indicate to journalists the possibility of multi-million-euro fines – like in the Romanian incident mentioned above – is inherently problematic. It is well-established in European human rights law that the mere possibility of disproportionately high fines is capable of inducing chilling effects on the right to freedom of expression. Given the strong involvement of administrative authorities in these proceedings, data protection authorities emerge as de facto regulators of journalistic activities. It is in itself questionable whether this is a desirable development, and it also raises pertinent questions about the role of administrative authorities in facilitating SLAPPs.
Moreover, abusive data protection proceedings may be particularly dangerous for journalistic freedoms. Notably, Hell Energy did not argue that the news articles prepared by Forbes Hungary and Magyar Narancs damage their reputation or contain false statements. This is because for data protection law it is irrelevant whether the information is true or false, how the audience perceives it or whether its publication causes harm. In contrast to the conventional defamation-based SLAPPs, the GDPR does not require demonstration of harm and does not allow a defence of truth or honest opinion, potentially making it an especially convenient SLAPP tool.
The discretion left to EU Member States in respect of the GDPR’s journalistic exemption can, therefore, have unintended adverse consequences for journalistic freedoms. This danger is especially acute in Member States where independent journalism has already been under pressure. It is no surprise that the abuse of the GDPR has been most prominent in Member States with problematic records with press freedom, such as Hungary. Where critical journalism is already struggling for survival and a large portion of media outlets and regulatory authorities are captured by government-friendly forces, GDPR-based SLAPPs amount to a particularly ‘scary’ development and a genuinely existential threat.
As previously written on this blog, the tension between European data protection law and freedom of expression is ‘increasingly significant’. This is even more so when the tension is fuelled by politically motivated abuse of data protection law. In SLAPP cases, the interface between data protection and journalistic freedoms ties into deeper issues relating to media freedom, a core dimension of the rule of law crisis in some European states. GDPR-based SLAPPs, thus, not only manifest an awkward tension between data protection and freedom of expression but also represent a fundamental challenge to European democracy.
The European Parliament acknowledged the GDPR-SLAPP issue in a resolution in 2021. It expressed ‘strong concerns over abuse of the GDPR’ and warned that ‘data protection rules should not affect the exercise of freedom of expression and information, especially by creating a chilling effect’ (para. 24). It remains to be seen whether and how this mounting challenge could be addressed amidst limited EU competences in the field of journalism and scant willingness to remedy the problem in Member States where a remedy would be most needed. The upcoming EU anti-SLAPP initiative is an important starting point but policy debates on SLAPPs have so far mostly focused on abusive defamation lawsuits. As GDPR proceedings that interfere with journalism continue surfacing across Europe (see e.g. here or here), it is imperative that the abuse of the GDPR is recognised as an emerging form of SLAPP raising unique challenges to journalistic freedoms.