home . about the EPC . press centre . fact sheets . issues . members' area . links

Issues

Contribution from the European Publishers Council on the review of the data protection directive 1995/46/EC (30th August 2002)

The European Publishers’ Council (EPC) is a high level group of Chairmen and CEOs of leading European media corporations actively involved in multimedia markets spanning newspaper, magazine, Internet and on-line database publishing; many EPC members also have significant interests in private television and radio. A list of our members is attached.

Part 1 - Freedom of expression

The EPC welcomes the opportunity to comment on this important area of legislation at this preliminary stage of the review. We may have further comments to make as the review proceeds, which we shall pass on. At this point we shall mainly comment and raise some questions on the impact of data protection legislation on the freedom of expression; particularly with regard to the application of Article 9, which requires Member States to provide for derogations from sections of the directive “for journalistic purposes”. Our comments in this section do not relate to other areas of the publishing enterprise which are affected by data privacy rules, including our commercial activities.

1.1  Limitations on the Freedom of Expression

At the time of adoption of the original directive the European Publishers Council expressed grave concern about the last minute amendment that was introduced by the Council to the original exemption for journalistic purposes as proposed by the European Commission. We stated that the original wording proposed by the Commission “was the minimum protection needed to guarantee that journalistic freedom was ensured”. It was our view that the subsequent changes limited the scope of the exemption significantly by introducing a legislative basis to test against the public interest the rights of the media to process and ultimately publish personal data, on a case by case approach. We believed that such a basis severely undermined the fundamental right of the freedom of expression as enshrined in Article 10 of the European Convention on Human Rights.

The EPC believes it was right to be concerned and that in many Member States the freedom of expression has been impeded as we had anticipated by the way in which certain Member States have chosen to interpret Article 9.

1.2  Implementation of the exemption for journalistic purposes

In our view, the ways in which the Member States have implemented the exemption gives cause for concern in several areas:

1.2.1 Differences in application

We understand that as part of the review by the European Commission, the way in which the legislation has been implemented across the EU will be assessed and analysed. The EPC believes that as part of this process, the Commission should consider how these implementing regulations could be simplified so that Member States national laws become more consistent. Several Member States have implemented laws that are more stringent than the Directive required which, contrary to one of the core objectives of the directive, interferes with the free flow of data. Furthermore, since the implementation process has led to 15 different sets of laws the costs of compliance for business is disproportionate to any improvement in data privacy since the Directive requires that all Member States laws offer an “equivalent” protection.

We would ask the European Commission to look specifically at the differences in the way in which the Article 9 exemption has been implemented and to report accordingly and we would be prepared to assist in this process.

It is apparent that Member States have tackled their obligations in different ways that may have caused distortions within the internal market and given rise to imbalances between the rights to the freedom of expression and the right to privacy.

The Member States have followed four main approaches:

a)  No express exemption from the application of the directive to the media (Belgium, Spain, Portugal, Sweden);

b)  Specific exemption from several of the provisions (Germany except for public service broadcasters (see para (c) below), UK, France, The Netherlands, Austria, Finland, and Italy);

c)  In Denmark, and in Germany for public service broadcasters, there is a specific exemption from the general data protection legislation for the media, but instead they are subject to specific data protection provisions.

1.2.2  Incompatibility with Article 10 of the ECHR

We would urge the Commission to pay special attention to the incompatibility with Article 10 of the ECHR and certain national implementing regulations. This is partly but not solely because of the way in which sensitive personal data – which includes any information contained in the data - must be treated in some Member States (e.g. UK, Portugal and France) so as to include political opinion, religious belief, affiliation to a trade union, club or political party, sexual or health matters, etc. If journalists must seek prior, explicit consent before publication of material containing sensitive personal data this leads to severe limitations on the freedom of expression. 
In the United Kingdom for example, it is clear that the original exemption has not been properly implemented and that severe limits are placed on the freedom of expression by data protection legislation. This situation post-implementation of the directive has been exacerbated by the subsequent implementation of the European Convention of Human Rights, since when insufficient weight is being attached to Article 10 of the ECHR which leads to a failure to provide adequate safeguards for a free press.

The first area of concern is the limited nature of the exemption under Section 32 of the UK Act. Under current provisions, a journalist is relieved of some of the obligations under the Act, provided the processing of the data is carried out with a view to publication of the journalistic material. The publication must also be in the public interest and compliance with the Act must be compatible with the public interest. 

These provisions raise specific problems:

i) There is no definition of “journalistic material”.

ii) Following a recent Court decision it is clear that the exemption only applies before publication, so that once publication has taken place, the publisher and journalist must comply with all the provisions of the Act^[*].

iii) The exemption before publication sets a high threshold. The Act requires a publisher to “reasonably believe” that it would be unable to publish the work if it were to comply with the data protection principles. This involves difficult and time-consuming decisions for the publisher.

iv) Unless these conditions are met, it appears that the explicit consent of a data subject must be obtained. Explicit consent will often be difficult or impossible to obtain which imposes a severe restriction on the ability of journalists to investigate and research.

v) If consent is not obtained, a publisher may be in breach of duty for processing sensitive personal data.

This could have an extraordinarily wide impact on the ability of the press to expose examples of unlawful or dubious activity and hypocritical behaviour etc. As mentioned above, such material might consist of someone’s political views, religious beliefs, health or sexual life or commission of an offence, all of which might be relevant to a particular article. The UK Data Protection Act can be used to prevent, or at least discourage, newspapers publishing stories which raise questions about the credibility and integrity of well-known personalities and/or politicians, for example details of donations to political parties and associated interests in certain pieces of legislation, details of tax payments and/or avoidance, financial affairs, etc.

We would ask that such anomalies be examined during the review and ultimately amended in order that the press can function properly without such constraints. Measures of public interest must we believe be left to self-regulation to ensure true freedom of expression as guaranteed by Article 10 of the ECHR.

1.2.3  Impact of data processing requirements on the day-to-day function of journalism

During the review, we would like the Commission to look into the ways in which data protection legislation has affected the practices of the courts and the police and how this can have a detrimental affect on the freedom of expression. For example, journalists do not always receive the promised, essential information in time, i.e. without delay. Prompt access to such information is clearly necessary for news reporting and any delay is a barrier to the freedom of expression. Furthermore, the way in which the police and courts comply with data protection legislation varies within and between Member States. Police officers and court officials often seem unsure about their duties and ultimately what they can disseminate in terms of information, e.g. court records, minutes of preliminary investigations, and/or annexes to these minutes. Unfortunately, these officials tend to err on the side of caution and refuse to provide journalists with information to which they are entitled. Apologies for non-disclosure of information on the grounds of compliance with data protection legislation are an all too common occurrence and a barrier to the free flow of information and freedom of expression.

1.2.4  Data Access

A further area of concern is the right of data subjects or regulatory authorities to request access to data. Such requests are being used with more frequency and, in some cases, as a fishing exercise to establish whether any kind of claim for damages might be assembled; as a way of by-passing court proceedings and of circumventing pre-trial discovery.

Such requests place significant burdens on journalists who are not only required to understand the complex provisions of data protection legislation but assess what data the data subject is entitled to. There is no clear guidance from the directive what level of detail must be furnished or how far back into archives publishers must go to meet such requests. It is not uncommon for data access requests to involve 2 to 5 days work of several people, producing a catalogue of around 750 photographs and 2000 references and articles. During this process, a journalist may have to transcribe hand written notes and redact documents to avoid the identification of third parties which imposes disproportionate burdens on the press. Some of this information has been disclosed to journalists in confidence and as such in the secure knowledge that their sources will not be disclosed. There is a direct conflict between provisions requiring disclosure of information and confidentiality of sources. Ultimately, information sources will decrease, publication will be delayed and investigations hampered which would be contrary to the public’s interest in a free press.

It is also worth mentioning at this point that although digital technologies facilitate storage, processing and manipulation of large amounts of detailed text and images this is not sufficient reason to increase powers of access to information held by journalists and publishers by an individual data subject or of a regulatory authority. On the contrary, we believe that the exemption for journalistic purposes should be extended to data access request.

1.2.5  Confidentiality of journalists sources

As mentioned above, the confidentiality of journalists’ sources can be compromised by data access requests. In addition, Data protection legislation can be used as a powerful tool for anybody wanting to curb the activities of investigative journalists. Because data privacy laws cover paper as well as electronic files, personal information leaked to journalists on a confidential basis can be covered in a very wide manner. As a result, Data Protection Authorities could be brought in by complainants to investigate journalists’ sources. This would give individuals wishing to protect against publication of details they wish to conceal immense scope to inhibit the press from carrying out inquiries which would otherwise expose details which were certainly in the public interest.

1.2.6  Damages and Compensation

The EPC would like to express the industry’s concerns about the actual, potential and very serious, impact of claims for damages and compensation in respect of breaches of data protection legislation which occur in the absence of proper implementation of derogations for journalistic purposes to protect the freedom of the press.

Part 2 - General comments

2.1  Transparency

The members of the EPC would welcome a more open and transparent relationship with the Data Protection Authorities at national level. In particular we would appreciate a better understanding of and ideally participation in the procedures which lead to interpretations and enforcement activity of the Data Protection Authorities. The EPC would like all the reports which are submitted by the national Authorities to the Article 29 and Article 31 Working Groups to be made public, as well as records of all proceedings, deliberations and decisions of the Article 29 and Article 31 Working Groups including any dissenting opinions. We believe these proceedings and reports could benefit greatly from specialist involvement, discussion and comment.

2.2  Consolidation of implementing legislation and sectoral directives

We request that the Commission considers consolidating the various Directives and Regulations on data protection and privacy into a single directive dealing with data protection. The current situation of multiple sectoral provisions, and sector-specific legislation has created distortions and inconsistencies in the performance of virtually identical business operations among industries.

2.3  Article 4 – Applicable law

The EPC supports the principle of “country of origin” determining which data protection legislation should apply, but the current wording of Article 4 creates difficulties with interpretation as it is very difficult to determine with certainty which national law applies to a particular act of data processing and whether EU law applies at all when the data controller is established outside the Community; this is especially true when the processing is done on-line. The EPC believes the Commission should consider introducing a definition of “establishment” in order to update the directive in line with existing definitions of establishment in other EU such as that in the Electronic Commerce Directive^[1]. This definition is based on the European Court of Justice’s case law and could provide applicable law rules that would help to define where a controller is established and limit the applicability of multiple Member State data protection laws to the same data processing.

Of particular concern is the view of the Article 29 Working Party on Article 4 (1) (c) that the use of cookies subjects the users to the data protection legislation of the Member State in which the user of the equipment on which the cookie is installed, resides. This means that a company or website that is based outside of the EEA will potentially be subject to all 15 different data protection regulatory regimes. The presence of incidental equipment and/or activities on European territory should not be grounds for determining applicable law.

In order to establish the country of origin of a company for the purposes of applying the law of such a country, the company should have a presence in such Member State and be actively engaged in the processing of personal data. For example, if a US company processes data of Europeans gathered through the Internet (or through mail), it should not be the case that such company is deemed established in a Member State because it has an affiliate in that Member State if the affiliate is not involved in the data processing in question.

2.4  Business Data

At the moment the Directive does not differentiate between “personal” and “business” data thereby placing compliance requirements for supplying and processing both types of data on the same footing. The EPC would like the Commission to consider derogating business-contact data when such data are processed and used for the purposes for which the data are collected. This would reduce an unnecessary area of cost and burdensome compliance for publishers where risk to personal privacy is in reality negligible.

The distinguishing characteristic is that business contact details are given out freely in the full expectation that such information will be stored and processed and passed on to additional interested parties within the recipient’s organisation or subsidiaries. In our view this constitutes consent to the processing and transfer of business contact information. We would suggest that a new recital be drawn to clarify this aspect together with a revised definition of “personal information” in Article 2(c) of the Directive to take account of the fact that the Directive’s aim is to protect “fundamental rights and freedoms”. Therefore its scope should be limited to the recognition of rights that are essential and specific to the individual as a human being.

------------------------------------------------------------------------
 

^[*] A case brought by Naomi Campbell versus Mirror Group Newspapers under the UK Data Protection Act is currently before the Courts pending Appeal

^[1] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, published in the OJ L 178/1 on July 17, 2000.

The members of the European Publishers Council would like to thank the Commission for this opportunity to comment on an important area of legislation and its impact on the media. If you have any questions or require any additional information, please do not hesitate to contact the EPC’s Executive Director, Angela C Mills.

angela.mills@epceurope.org

Telephone: +44 1865 310 732

30th August, 2002

back to top