Abstract
Journalists who believed they were exempt from law on data protection are having to think again
In 2013, publishers and journalists breathed a sigh of relief as the new Defamation Act came into force. It was going to end libel tourism, protect honest reviewers and free archives from the threat of claims years after publication of the original article. Pesky trivial claims brought by claimant lawyers on no-win, no-fee deals to extract money from honest publishers would be quashed by the new “substantial harm” test. Free speech rocked once again.
But never underestimate the ingenuity of a claimant lawyer with a client who wants to keep secrets. Just when it might have been thought the tide had turned back in favour of publishers, a new means of oppressing them has arisen. Or rather, not a new threat, but a new use for existing legislation that most journalists didn't think applied to them.
When in 1998, the Data Protection Act was passed, it was described as an act “to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information”. It replaced an earlier DPA, and contained a revised set of rules for “data controllers” who were processing data, and rules to allow “data subjects” access to and control over the way their data was processed and retained. The original intention of the act was essentially to protect an individual's private information from being misused, big brother-style, by businesses and the government, and to allow people to see what information was kept on them so that they could, for example, check and correct their credit history files. The act regulated the recording and processing of “data” by “equipment operating automatically in response to instructions given for that purpose” (essentially a computer) and set out eight principles to govern the collection, processing and security of data, including common sense requirements that the data be obtained only for lawful purposes, that it should be accurate and kept up-to-date, that it should not be kept for longer than necessary and that it should be processed in accordance with the rights of the data subject. It set out in detail the process and procedure governing the rights of individuals to access to their personal data. It's not exactly bedtime reading, but viewed in that light, it is a sensible attempt to give some control to individuals in a world of big data.
For journalists, concerned that the definitions in the act would bite on material held on the subject of their investigations, there was the comfort of section 32. This said that where data processing was undertaken with a view to publication of journalistic material and the data controller reasonably believed publication would both be in the public interest and – in their opinion – in all the circumstances it was not possible to comply with the provisions of the DPA and still undertake journalism, then the majority of the provisions of the act simply would not apply, though they would still be obliged to keep the data secure. By and large it was thought that the act could be treated for most practical purposes as irrelevant to the fourth estate.
Move forward 15 years and the precise wording of the act has come under scrutiny. The act is being relied on to create a new law that is liable to cost publishers many thousands of pounds in efforts to comply with the current interpretation of a data controller's responsibilities. Even the question of whether otherwise publicly available information such as an individual's name falls in the definition of “personal data” has been tested by the courts.
For the section 32 exemption to apply, the data must be being processed for the purposes of journalism, or literature, or art. Processing has to comply precisely with the limitations laid down in the section. But what, precisely, is journalism in the eyes of the law? Who is a journalist? On 16 December 2013, four officials of Beny Steinmetz Group Resources (including Beny Steinmetz, one of the world's biggest diamond traders) filed a claim in the high court, claiming that their privacy rights had been breached by Global Witness, a not-for-profit organisation that prides itself on highlighting links between environmental exploitation and human rights abuses.
Global Witness had been investigating how BSGR had obtained rights to one of the world's largest iron ore deposits in Guinea, one of the poorest countries in Africa. Beny Steinmetz and his colleagues filed subject access requests under the DPA, asking for production of details of their personal data held by Global Witness together with the source of that data, and demanding that Global Witness should stop processing their data – in other words, that it should not publish anything concerning them. Global Witness refused to comply with the requests, citing section 32, but BSGR argued that as a not-for-profit organisation, Global Witness was not a journalist and was processing the data for political purposes, which would not be protected by section 32.
Case-by-case justification
At first instance, the ICO (Information Commissioner's Office) expressed the view that Global Witness had misunderstood the workings of the DPA and asked it to disclose the personal data. When Global Witness declined, the claim was referred first to the courts then back to the ICO with a strong message from the judiciary that they had to get off the fence. The ICO decided that, on the facts of the case, Global Witness was entitled to rely on section 32. But while the ICO confirmed that it was required to give a broad interpretation to freedom of expression, it warned that it expected organisations to be able to justify the exemption on the merits of each individual case and said that the law does not provide journalists with an automatic exemption from the provisions of the act.
In the guide for the media published by the ICO last year, it set out its interpretation of the act. It made it clear that there is to be no broad brush exemption: it expects media organisations to be able to explain why they should be allowed to rely on the journalism exemption in each individual case, and to be able to identify how and by whom all the necessary factors were considered at the relevant time. There appears to be little regard for the realities of life in a world of 24-hour news, where budgets and staffing are tight. It is expected that whether or not the public interest is engaged will be considered “at an appropriate level” in each case, depending on the nature of the story and at the time the data was processed. The ICO expressly states that in its view “it cannot be in the public interest to disproportionately or unthinkingly interfere with an individual's fundamental privacy and data protection rights” and even if a story is clearly in the public interest, if a journalist can reasonably research and present it in a way that complies with the standard provisions of the DPA, they must do so.
There is a clear dividing line between material processed only for the purpose of journalism, art and literature with a view to publication, and any other material kept by media companies, which does not have the protection of the section. Political lobbying is specifically referred to as outside the exemption: where does that leave campaigning journalism? And it is clear that each of the elements of section 32 must be considered individually in relation to each individual's data. So not only must the processing of data be with a “view to publication” – arguably post-publication the section no longer applies – it must be on a matter where publication would be in the public interest and, most importantly, there must be a reasonable belief that it would be unreasonable or impractical, not just an inconvenience, to comply with the provisions of the act in relation to all the data. The ICO says that just because compliance with one provision can be shown to be incompatible with journalism doesn't mean that compliance with a different provision will necessarily be incompatible. Without all three, section 32 will not apply – meaning that the data subject has the right to have access to the data, the right to apply for it to be deleted, the right to apply for an injunction to stop it being processed …
The Global Witness case is one of many. The Google Spain case, in which the claimant succeeded in getting the link to a story concerning him severed on the European site, has had wide coverage and served to launch thousands of applications for stories to be deleted from archives pursuant to the “right to be forgotten”.
But for every court case, there are hundreds of applications accusing media companies of failing to keep data securely or subject access requests being made. There is a financial burden on media companies in dealing with these. A subject access request cannot simply be answered by referring to section 32. The data controller must review the data that the organisation has. They have to consider what can be disclosed – maybe some of the data is a matter of public record. Maybe the source of some of the material would agree to its disclosure: the ICO says they should be asked to consent. Maybe copies of materials – emails for example – can be disclosed if you redact anything that would identify a confidential source. This isn't confined to large well-resourced global media companies that can afford to employ compliance officers and can bring in teams of juniors who can redact third-party information, sometimes over hundreds of pages of documents. Current thinking is that every freelance journalist is a data controller in his or her own right, who should register with the ICO and who will have all the same obligations on their own account. The ICO's media guidance says that the fact you don't have the resources to respond is not an answer to a subject access request, unless you can show that it would genuinely frustrate journalism.
The reason why data protection claims have had a relatively low profile historically was probably that they were not associated with substantial claims for damages, and libel and privacy claims were well trodden paths for claimants and lawyers. The DPA said that an individual who could prove financial damage as a result of a contravention by a data controller was entitled to compensation, but damages for distress – akin to the damages in libel and privacy claims – were only to be paid in limited circumstances. In practice, claims for damages in DPA claims were treated as an afterthought to the main claim. This is about to change.
Damages paid for distress
On March 31, 2015, the court of appeal handed down a judgment that is likely to make data protection claims take centre stage. This will have a far wider reach than just for the media, but the principles that are laid down in non-media cases will inevitably impact on journalism. In the case of Vidal-Hall and others v Google Inc, which considered whether the use of the claimants’ personal search data to direct advertising to them was a misuse of personal information (and concluded that it was), the court has now ruled that it is not necessary for a claimant to show financial damage to bring a claim for damages for distress.
So in future, damage as a result of a data breach will be presumed. There is no “substantial harm” hurdle for trivial cases to cross. Journalists wanting to resist a claim will have to defend their investigations on a case-by-case basis, and the policy and procedure of the media organisation or freelancer will be subject to minute scrutiny. Haven't we been here before?