![Sample our Humanities journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5939/TOC-Subject-Sample-2021-Humanities.jpg"})
ABSTRACT
European data protection aims to protect the privacy and related rights of individuals, purposes which come into tension with the free speech of professional journalism. Moreover, statutory Data Protection Authorities (DPAs) act as the ‘guardians’ of the data protection framework across the European Economic Area. In light of this, the article explores the enforcement efforts of these critical actors through both a DPA questionnaire and a DPA website review. The results indicate that, notwithstanding stringent statutory provisions enforceable by DPAs in many Member States, activity has been patchy even in areas which raise limited free speech concern (e.g. tackling significant inaccuracy). Nevertheless, many DPAs do engage in this area especially when sensitive or important confidential information is involved. The stringency of local law also positively correlates with the extent of enforcement, whilst the level of resourcing surprisingly does not. The article proposes action by both Member States and DPAs to ensure more regulatory coherence under the forthcoming General Data Protection Regulation.
Acknowledgements
I would like to thank those who aided the research presented here including, in particular, the Data Protection Authorities (DPAs) who participated in the 2013 questionnaire, the large number of research assistants especially those who helped collect material for the DPA website review and also the anonymous reviewer. This work was supported by the British Academy [grant number SG112737]. All views and any errors remain my own.
Notes on contributor
David Erdos is University Lecturer in Law and the Open Society in the Faculty of Law and WYNG Fellow in Law at Trinity Hall, University of Cambridge.
Notes
1 Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31 (Directive 95/46), art 1
2 Although Directive 95/46 itself only refers to the EU, European Economic Area law extends its provisions to three associated states (Iceland, Liechtenstein and Norway) which, together with the EU, comprise the EEA. See EEA Joint Committee, Decision 84/1999 of 25 June 1999 amending Protocol 37 and Annex XI (Telecommunication Services) to the EEA Agreement <http://www.efta.int/media/documents/legal-texts/eea/other-legal-documents/adopted-joint-committee-decisions/1999%20-%20English/084-1999.pdf> accessed 1 November 2016. The precise relationship between the legal duties of Iceland, Liechtenstein and Norway and both related legal provisions such the protection of data protection within the EU treaties and interpretations of data protection by the Court of Justice of the European Union remains a matter of great complexity, the consideration of which is beyond the scope of this article. Following the results of a referendum on 24 June 2016, the UK Government is now committed to the country (together with the UK's intra-EU overseas territory of Gibraltar) leaving the EU. Its position on continued membership of the EEA remains more ambiguous. For now, however, the UK remains a full member of the EU, as it was when the data presented in this article was collated.
3 Directive 95/46, recital 37.
4 Directive 95/46, recital 8.
5 EU Charter of Fundamental Rights, art 8, 7, 11.
6 TFEU, art 16(1).
7 Directive 95/46, art 9 and recital 37.
8 EU Agency for Fundamental Rights, Access to Data Protection Remedies in EU Member States (Publications Office of the European Union 2013) 9.
9 David Erdos, ‘European Data Protection and Media Expression: Fundamentally Off Balance' (2016) 65(1) International and Comparative Law Quarterly 139.
10 David Erdos, ‘European Regulatory Interpretation of the Interface between Data Protection and Journalism: An Incomplete and Imperfect Balancing Act?' (2016) 4 Public Law 631.
11 David Erdos, ‘Data Protection Confronts Freedom of Expression on the “New Media” Internet: The Stance of European Regulatory Authorities' (2015) 40(4) European Law Review 531.
12 David Erdos, ‘European Data Protection Regulation and Online New Media: Mind the Enforcement Gaps' (2016) Journal of Law and Society doi:10.17863/CAM.6010.
13 Erdos, ‘European Data Protection Regulation’ (n 12).
14 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.
15 Certain public sector tasks (for example, as regards national security) as well as ‘purely personal or household activity’ performed by a natural person are excluded under article 3 of the Directive.
16 Directive 95/46, art 3.2.
17 Ibid, art 2(d).
18 Ibid, art 1.
19 Ibid, art 2(d).
20 Ibid, art 6.
21 Ibid, arts 10–12.
22 Ibid, recital 34.
23 Ibid, art 8.
24 Ibid, arts 7, 17, 18–21, 25–26.
25 Ibid, art 22.
26 Ibid, art 28.
27 Established under art 29 of Directive 95/46 and with tasks as set out in art 30, this group comprises a DPA representative from each of the EU Member States together with two pan-EU members, namely, the European Data Protection Supervisor and a (non-voting) representative of the European Commission. The non-EU EEA DPAs participate in the Working Party's activities as observers (see EEA Joint Committee Decision 83/1999, art 2: see n 2).
28 C-518/07 Commission v Germany, [23].
29 See in this general vein Michael Schudson, The Sociology of News (Norton, 2003) 11.
30 UK, Parliament, Select Committee on the European Communities, Protection of Personal Data (HL 1992–93, 75) 39.
31 Lord Phillips of Worth Matravers in Campbell v Mirror Group Newspapers [2002] EWCA Civ 1373 [2003] QB 633, [123].
32 Art 9 excluded the possibility of derogations from the right to a judicial remedy (art 22), to compensation for damage suffered as a result of violation of the substantive rules and principles (art 23) and to the adoption of suitable measures and sanctions by Member States to ensure full implementation of the Directive (art 24).
33 Art 9 similarly addressed the interface between data protection and ‘the purpose of artistic or literary expression’. Whilst clearly important, further consideration of this tension falls outside the scope of analysis here.
34 EU, Article 29 Working Party, Recommendation 1/1997 Data Protection law and the media (1997) <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/1997/wp1_en.pdf> accessed 1 November 2016, 4–5.
35 C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy, EU:C:2008:727, [56] (emphasis added).
36 This is the case in Finland (see Finland, Personal Data Act, s 2 (5)), Norway (see Norway, Personal Data Act, sec 7), Sweden (see Personal Data Act, s 7) and, as regards the Press, also Germany (see Germany, Federal Data Protection Act, s 41).
37 Namely, Spain, the Czech Republic and Croatia.
38 See Erdos, ‘European Data Protection and Media Expression’ (n 9).
39 Malta, Data Protection Act, s 6; United Kingdom, Data Protection Act 1998, ss 44, 46, 53, 56.
40 Denmark, Law on Mass Media Information Databases, ss 12–17; Lithuania, Data Protection Act, art 8. The bodies in question are the Danish Press Council and the Lithuanian Inspector of Journalist Ethics.
41 Austria, Federal Act Concerning the Protection of Personal Data (DSG), s 48; Iceland, Act on the Protection of Privacy as Regards the Processing of Personal Data, art 5; Netherlands, Personal Data Protection Act, art 3.
42 As regards the German DPAs including in the research presented below, such powers are only applicable in the case of Schleswig-Holstein. See Staatsvertrag über das Medienrecht in Hamburg und Schleswig-Holstein (Medienstaatsvertrag HSH), s 37 (5)–(11).
43 Spain, Organic Law 15/1999 of 13 December on the Protection of Personal Data, art 2.
44 See Spain, Basque Country, Ley 2/2004, de 25 de febrero, de Ficheros de Datos de Carácter Personal de Titularidad Pública y de Creación de la Agencia Vasca de Protección de Datos, art 2; Spain, Catalonia, Ley 32/2010, de 1 de octubre, de la Autoridad Catalana de Protección de Datos, art 3.
45 See arts 10 and 8, European Convention on Human Rights.
46 Paul Craig and Gráine de Búrca, EU Law: Text, Cases and Materials (Oxford University Press, 4th edn 2011) 394.
47 See EU Charter, arts 11, 7, 8. Emphasising the need for regulatory oversight in relation to data protection, the latter provision also explicitly states that ‘compliance … shall be subject to control by an independent authority’.
48 See the discussion in Joseph Cannataci and Jeanne Misfud-Bonnici, ‘Data Protection Comes of Age: The Data Protection Clauses in the European Constitutional Treaty' (2005) 14(1) Information and Communications Technology Law 5.
49 TFEU, art 16.
50 Regional DPAs have been established in Spain and Germany as well as in Gibraltar.
51 Given the survey as the whole explored not just journalism but also a range of other matters related to the tension between data protection and openness, it was decided not to separately send the survey to the specialist media regulators which in Lithuania and Denmark exercise certain powers over the media in the area of data protection (see n 40). In fact, however, the DPA's as regards journalism was filled out in cooperation with the specialist media regulator, the Inspector of Journalist Ethics. Meanwhile, the Danish DPA did not participate in the survey.
52 Erdos, ‘European Data Protection and Media Expression’ (n 9).
53 UK, Information Commissioner’s Office, What Price Privacy? (The Stationary Office 2006).
54 See Erdos, ‘Data Protection Confronts Freedom of Expression’ (n 11) and Erdos, ‘European Data Protection Regulation’ (n 12).
55 It should also be noted that the Greek DPA slightly altered the wording of the two pre-formulated responses it indicated assent to. In sum, both as regards material obtained without authorisation from another Data Controller and otherwise, it replaced the phrase ‘action to prevent the processing/publication of personal data’ with ‘action to erase the published personal data’. It was felt, however, that this would still constitute enforcement in relation to ‘processing’ and that, therefore, a standard response could still be recorded here.
56 As regards the free-text responses, the Bulgarian DPA did indicated that it had conducted ‘inspections and follow-up imposition of administrative penalties to paper media in connection with … publishing of false information about publicly known person in order to discredit him’.
57 As regards the free-text responses, the Bulgarian DPA indicated that it conducted ‘inspections and follow-up imposition of administrative penalties to paper media’ in connection with both ‘unlawful personal data dissemination (including of special categories of data) without individuals’ knowledge and consent’ and ‘excessive personal data processing by media by publishing bigger amounts of individuals’ personal data then [sic] necessary for the performance of journalistic investigations and lack of adequate technical and organisation measure for protecting the data against unlawful dissemination’. The Czech DPA stated that it had ‘taken an action to remove an article containing personal data from the electronic media’. Meanwhile, the Maltese DPA stated that it had ‘taken action to ensure removal of contents from journalistic blogs or media-related internet publications which involved the unlawful processing of personal data’. Finally, the UK DPA stated that that whilst it had not undertaken enforcement action ‘in the sense of issuing enforcement notices or monetary penalties’ it had undertaken ‘other forms of regulatory action’ including ‘most notably’ publishing ‘two reports on the use of private investigators by the media’ which ‘focused on the unauthorized obtaining of personal information in pursuit of journalistic activity’.
58 As detailed in note 55, the Greek DPA slightly altered the wording of both these responses but not in ways which would take the answer provided outside the scope of the broad concept of ‘processing'.
59 All these DPAs not only indicated no activity as regards any of the enforcements specified (i.e. (i)–(v)) but also positively assented to the statement that they ‘had not taken any enforcement action in relation to media entities’ pursuit of their journalistic activities’. Nevertheless, the French DPA did state that it had ‘taken other action [not constituting enforcement] such as educational measures’.
60 The meaning of ‘enforcement activity’ was not explicitly defined in the survey itself. However, as regards the DPA website review, it was taken to refer any type of action which clearly went beyond purely investigatory activity or the issuing of ‘soft' non-binding guidance to data controllers.
61 In the case of Denmark and Lithuania this also involved the checking of the websites of the Danish Press Council and Lithuanian Inspector of Journalism Ethics respectively.
62 There have been sporadic efforts to improve and render more systematic the transparency of DPA decision-making. For example, in 2009 the International Conference of Data Protection and Privacy Commissioners even agreed to a Resolution on this topic: International Conference of Data Protection and Privacy Commissioners, Resolution on Case Reporting (2009) <https://icdppc.org/wp-content/uploads/2015/02/Resolution-on-Case-Reporting.pdf> accessed 1 November 2016. It is clear that such a goal remains, at best, a work-in-progress even within the EU.
63 In addition, as regards the Belgium DPA website, evidence was found of enforcement as regards newspaper archives only (see Belgian, Commission de la Protection de la vie privée, Rappport annuel 2011 <https://www.privacycommission.be/sites/privacycommission/files/documents/rapport-annuel-2011.pdf> accessed 1 November 2016, 52–53. However, since the focus of the article here is on traditional, professional journalism and a different part of the survey focused on ‘newspaper archives' this (as well as other DPA website examples of enforcement activity specifically focused on archives) was excluded from the analysis. Meanwhile, in Latvia evidence of two enforcements were found from 2003, just outside the period when this country joined the EU and became subject to Directive 95/46. In sum, the DPA firstly ruled that the publication in a magazine of a photograph from a CCTV camera was using data for an unlawful purpose and secondly that a TV presenter had engaged in incorrect data processing by publishing during a show an identification document including a photo, identity code and the registration number of the document. See Latvia, Datu valst inspekcija, 2003.gada darba rezultāti (2003) <http://www.dvi.gov.lv/lv/wp-content/uploads/inspekcija/gada-parskati/2003.pdf>, accessed 1 November 2016, 19–20.
64 This may be linked a reality that ‘processes for resolving privacy complaints are often carried out in private to promote conciliation and efficient dispute resolution’: International Conference of Data Protection and Privacy Commissioners, Resolution on Case Reporting (2009).
65 For such an example see Estonia, Eesti Andmekaitse Inspecktsioon, Ettekirjutused: <http://www.aki.ee/et/menetluspraktika/ettekirjutused> accessed 16 April 2013.
66 In fact, evidence of enforcement action which could clearly be characterised as involving the processing of information obtained without authorisation was only found on six DPA websites (two of which provided non-standard response to the survey). In contrast, evidence of action which appeared to relate to other types of information was found on eight DPA websites (one of which had provided a non-standard response to the survey). The attempt to place the examples in one or other of these categories did, however, indicate that this was by no means a simple task especially given the very limited information often disclosed in the published material.
67 Paul McNally, ‘Freelancers threatened with data protection fine’, Press Gazette, 8 August 2008 <http://www.pressgazette.co.uk/freelances-threatened-with-data-protection-fine/> accessed 2 November 2016.
68 Unlike in a number of other Member States, in Iceland data relating to the deceased remains protected as personal data. See Iceland, Act on the Protection of Privacy as regards the Processing of Personal Data, art 2(1).
69 Iceland, Persónvernd, Ársskýrsla Persónuverndar 2003 (<http://www.personuvernd.is/utgefid-efni/arsskyrslur/2003/> accessed 1 November 2016. Interestingly, three years later, and also in response to a complaint against the same newspaper, the authority changed tack and held that it had no authority to rule on journalistic matters. See Iceland, Persónvernd, Persónuvernd Ársskýrsla 2006 (<http://www.personuvernd.is/media/frettir/arsskyrsla2006.pdf> accessed 1 November 2016, 45–47.
70 Greece, Αρχής Προστασίας Δεδομένων Προσωπικού Χαρακτήρα, Case 38/2006. A list of, and links to, Greek DPA media cases can be found at Greece, Αρχής Προστασίας Δεδομένων Προσωπικού Χαρακτήρα, Αποφάσεις 14) Μέσα Μαζικής Ενημέρωσης <http://www.dpa.gr/portal/page?_pageid=33%2C15453&_dad=portal&_schema=PORTAL&_piref33_15473_33_15453_15453.etos=-1&_piref33_15473_33_15453_15453.arithmosApofasis=&_piref33_15473_33_15453_15453.thematikiEnotita=187&_piref33_15473_33_15453_15453.ananeosi=%CE%91%CE%BD%CE%B1%CE%BD%CE%AD%CF%89%CF%83%CE%B7> accessed 1 November 2016.
71 Directive 95/46, art 8.
72 Bulgaria, Комисия за защита на личните данни, РЕШЕНИЕ № 14/19.03.2009 r <http://www.cpdp.bg/index.php?p=element_view&aid=145> accessed 1 November 2016.
73 Bulgaria, Комисия за защита на личните данни, РЕШЕНИЕ № 69/23.01.2008 r <https://www.cpdp.bg/index.php?p=element_view&aid=105> accessed 1 November 2016.
74 Italy Garante per la protezione dei dati personali, Annual Report for 2006 – Summary <http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1750262> accessed 1 November 2016.
75 Netherlands Autoriteit Persoonsgegevens, Preface to Annual Report 2012 <https://autoriteitpersoonsgegevens.nl/sites/default/files/downloads/mijn_privacy/annual_report_2012_preface.pdf> accessed 1 November 2016.
76 Slovenia, Informacijski pooblaščenec, Decision 0613-1/2006-22 <<https://www.ip-rs.si/index.php?id=379> accessed 4 July 2013. Similarly to Iceland (see n 69) and Italy (see n 77), in Slovenia data relating to the deceased continues to be regulated under data protection. See Slovenia, Personal Data Protection Act, art 23.
77 Italian Garante per la protezione dei dati personali, Introduction to Annual Report 2008–09 <http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1630962> accessed 1 November 2016. This case would appear to relate to the death of Meredith Kircher. Similarly to Iceland (see n 69) and Slovenia (see note 76) data concerning the deceased falls within the scope of Italian data protection. See Italy, Personal Data Protection Code, s 9(3).
78 Ibid.
79 Cyprus, Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα, ΑΠΟΦΑΣΗ: Δημοσίευση υπερβολικών δεδομένων στην εφημερίδα “ΠΟΛΙΤΗΣ” <http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/878B2BB3BB9C507FC2257914003A27B9?OpenDocument> accessed 1 November 2016.
80 Slovenia, Informacijski pooblaščenec, Annual Report 2009 <https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Annual-report-2009.pdf> accessed 1 November 2016, 31.
81 Slovenia, Informacijski pooblaščenec, Annual Report 2007 <https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno-porocilo-07-ang.pdf> accessed 1 November 2016, 32–33.
82 Lithuania, Žurnalistų etikos inspektorė, Surašytas administracinis nurodymas laikraščio ‘Palangos tiltas’ redaktoriui-direktoriui <http://www.lrs.lt/intl/zeit.show?theme=781&lang=1&doc=3133> accessed 4 June 2014.
83 Bulgaria, Комисия за защита на личните данни, РЕШЕНИЕ № 551/11 r <https://www.cpdp.bg/index.php?p=element_view&aid=503> accessed 1 November 2016.
84 Italy, Garante per la protezione dei dati personali, Annual Report for 2006 – Summary <http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1750262> accessed 1 November 2016.
85 What Price Privacy? (n 55) 5. It later became clear that the obtaining especially of ex-directory mobile telephone numbers (which often had not had their security codes changed from the manufacturer's published default) was linked to media hacking into individual's voicemail systems. This prompted the UK Government to set up the Leveson Inquiry in 2011 which duly reported in late 2012. See UK, Leveson Inquiry, An Inquiry into the Culture, Practices, and Ethics of the Press: Report (The Stationary Office 2012) 673 (UK, Leveson Inquiry).
86 Ibid, 6.
87 UK, Information Commissioner's Office, What Price Privacy Now? (Stationary Office 2006) 9.
88 Hungary, Nemzeti Adatvédelmi és Információszabadság Hatóság, Az Adatvédelmi biztos beszámolója 2007, (Case 1848/K/2007) <http://www.naih.hu/files/Adatvedelmi-biztos-beszamoloja-2007.PDF> accessed 1 November 2016, 137–38.
89 Hungary, Nemzeti Adatvédelmi és Információszabadság Hatóság, Beszámoló az adatvédelmi bistos 2010. évi tevékenységéröl <http://www.naih.hu/files/Adatvedelmi-biztos-beszamoloja-2010.PDF> accessed 1 November 2016, 150–51.
90 Ireland, Data Protection Commissioner, Case Study 6 of 2006: News of the World: Limits of the Media Exemption <https://www.dataprotection.ie/docs/Case-Study-6-News-of-the-World:-Limits-of-the-Media-Exemption-/463.htm> accessed 2 November 2016.
91 Sentencia De la Audiencia Nacional de 24-01.2003. Sala de lo contenciosoadministrativo. Sección primera. Tratamiento de datos de carácter personal a través de imágenes captadas por una webcam y su transmisión a través de Internet <https://www.agpd.es/portalwebAGPD/canaldocumentacion/sentencias/common/Sentencia-De-la-Audiencia-Nacional-de24.pdf> accessed 1 November 2016.
92 Erdos, ‘European Data Protection and Media Expression’ (n 9); ‘European Regulatory Interpretation’ (n 10); ‘Data Protection Confronts Freedom of Expression’ (n 11); ‘European Data Protection Regulation’ (n 12).
93 Please note that all five DPAs (Bulgaria, Czech Republic, Luxembourg, Malta and UK) which only provided non-standard answers to the professional journalism enforcement part of the survey provided a standard response to the ‘(new internet media enforcement questions. In contrast, the German Federal DPA did not do so. As a result, the sample size (n) is slightly different. This difference, however, does not impact on the overall thrust of these results. For a complete analysis of the ‘new' internet media results see Erdos, ‘European Data Protection Regulation’ (n 12).
94 Namely, the Austrian, German Federal, the German Brandenberg, the German Mecklenberg-Vorpommern, the German Rhineland and the Netherlands DPA.
95 Namely, the German Schlewig-Holstein and the Lithuanian DPAs (the latter coupled with the transfer to responsibility to the Lithuanian Inspector of Journalism Ethics). The Spain Catalan DPA, which provided a standard response in both sections of the survey, also has limited powers here but this is due to the federal distribution of power rather than due to concerns specific to special expression.
96 In contrast, with the exception of newspaper archiving and to a certain extent individual blogging, the DPAs surveyed very clearly rejected the proposition that special expressive purpose derogations were applicable vis-à-vis ‘new' internet media. Again, for a full analysis of this issue see Erdos, ‘European Data Protection Regulation’ (n 12).
97 Meanwhile, responses from DPA's whose powers of otherwise especially restricted are also similarly excluded then the figure becomes 63% (n=19).
98 Indeed, such a recognition may be traced back at least to the late nineteenth century. See, in particular, Samuel Warren and Louis Brandeis, ‘The Right to Privacy' [1890] Harvard Law Review 193.
99 Hugh Grant, ‘Introduction' in Brian Cathcart, Everybody's Hacked Off: Why We Don’t Have the Press We Deserve and What To Do About It (Penguin, 2012) viii.
100 For a comprehensive elucidation of the statutory data protection law applicable to journalism in each EEA state (including references to all applicable legislation) see Erdos, ‘European Data Protection and Media Expression’ (n 9).
101 These were from Estonia, Hungary, Ireland, Italy and Slovenia.
102 Namely, Cyprus, Greece, Hungary, Italy, Latvia, Slovakia, Slovenia and Spain Catalonia. In all of these jurisdictions bar Spain Catalonia, DPA regulatory competence to enforce is also statutorily untrammelled.
103 Namely, Hungary and Italy.
104 Namely, Austria, Finland, Lithuania, the Netherlands and Sweden.
105 These were from Belgium, Hungary, Italy and Latvia.
106 Namely, Belgium, Cyprus, Estonia, France, Greece, Hungary, Latvia, Liechtenstein, Lithuania, Luxembourg, the Netherlands, Portugal, Slovakia, Slovenia and Spain Catalonia. In all of these jurisdictions bar Lithuania, the Netherlands and Spain Catalonia, regulatory competence is also statutorily untrammelled.
107 Namely, Finland and Sweden. In both these cases DPA competence over journalism is also absent (see note 133).
108 Namely, Liechtenstein.
109 Namely, Belgium, Cyprus, Estonia, Greece, Portugal, Slovakia and Spain Catalonia.
110 In this case, a larger grouping of 15 (58%) of jurisdictions do grant institutional journalism an absolute exemption here. These are Austria, Finland, the German federal DPA jurisdiction as well as the four German Länder jurisdictions falling within the survey, Hungary, Ireland, Italy, Lithuania, Luxembourg, the Netherlands, Slovenia and Sweden.
111 Either through the obtaining of explicit consent or through that individual manifestly making public the information. See Directive 95/46, art 8(2)(a); 8(2)(e).
112 These jurisdictions are Hungary, Liechtenstein, Lithuania, Slovakia, Slovenia, Spanish Catalonia and Portugal.
113 Thorgeirson v Iceland (1992) 14 EHRR 843, [68].
114 For a full write-up of this example see Erdos, ‘European Regulatory Interpretation’ (n 10) 639–43, 645–46.
115 UK, Leveson Inquiry (n 85) 673.
116 UK, Information Commissioner's Office, Data Protection and Journalism: A Guide for the Media (2013) <https://ico.org.uk/media/for-organisations/documents/1552/data-protection-and-journalism-media-guidance.pdf> accessed 2 November 2016.
117 Namely, the Belgium, Estonian, German Schlewig-Holstein, Gibraltan, Greek, Italian, Maltese, Slovakian, Slovenian and Cypriot DPAs (the latter in principle not even accepting the caveat as regards source information).
118 Namely, the Austrian, Finnish, French, German Rhineland-Palatinate and Swedish DPAs.
119 See Erdos, ‘European Regulatory Interpretation’ (n 10) 645.
120 Namely, the Estonian, Hungarian, Irish, Italian and Slovenian DPAs.
121 See Lara Fielden, Regulating the Press: A Comparative Study of International Press Councils (Reuters Institute, 2012).
122 See Tobias Eberwein, Susanne Fengler, Epp Lauk and Tanja Leppik-Bork (eds.), Mapping Media Accountability - in Europe and Beyond (Verlag, 2011).
123 UK, Leveson Inquiry (n 85) 739.
124 Ibid, 1579.
125 Lara Fielden, Regulating the Press: A Comparative Study of International Press Councils, International Forum for Responsible Media Blog (3 May 20112) <https://inforrm.wordpress.com/2012/05/03/regulating-the-press-a-comparative-study-of-international-press-councils-lara-fielden/> accessed 1 November 2016. Whilst the Danish Press Council does, as detailed above (n 40), have limited responsibilities to police data protection law vis-à-vis the media, its responsibilities are principally established under the Danish Media Liability Act 1998.
126 See Colin J Bennett and Charles D Raab, The Governance of Privacy: Privacy Instruments in Global Perspective (MIT Press, 1997) esp 155, 157.
127 Where, as is regularly the case, part of the DPA was used for other purposes, such as Freedom of Information, DPAs were asked to estimate that part of their budget allocated to data protection.
128 For completeness, the Spanish Catalan DPA reported a budget of approximately €2.8 million, whilst the German Federal DPA reported one of €8.5 million.
129 For a complete analysis of the rationale for these decisions as well as an elaboration for precisely how the calculations were performed see Erdos, ‘European Data Protection Regulation’ (n 12).
130 EU, Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities (Publications Office of the European Union 2010) 6.
131 Ibid.
132 See Erdos, ‘European Data Protection and Media Expression’ (n 9). Please note that the unit of analysis in this article was Member State jurisdiction (together with the special case of Gibraltar which effectively operates as a separate State for these purposes). In contrast, the unit of analysis here is sub-divided into regional DPA geographical jurisdictions where relevant. In addition, a small downward adjustment (from 0.72 to 0.67) has been made to the figure for Estonia reflecting the fact that this jurisdiction's law does provide a public interest exemption to the right of subject access. See Estonia, Personal Data Protection Act, s 12(4). This was not reflected in the calculation of the original figure.
133 Namely, as regards the survey participants, Austrian, Netherlands and all of the German DPAs other than that of Germany Schleswig-Holstein, together with the Norwegian and Icelandic national DPAs which did take part in the survey but whose legal frameworks were nevertheless analysed. See Austria, Federal Act Concerning the Protection of Personal Data (DSG), sec 48; Germany, Federal Data Protection Act, sec 41 (1); Germany, Brandenberg, Pressegesetz des Landes Brandenburg, sec 16a and Staatsvertrag über die Zusammenarbeit zwischen Berlin und Brandenburg im Bereich der Medien, sec 36; Germany, Mecklenburg-Vorpommern, Landespressegesetz für das Land Mecklenburg-Vorpommern and Rundfunkgesetz für das Land Mecklenburg-Vorpommern, sec 18a and Rundfunkgesetz für das Land Mecklenburg-Vorpommern;, sec 61; Germany, Rhineland Palatinate, Landesmediengesetz (LMG) Rheinland Pfalz, sec 12; Iceland, Act on the Protection of Privacy as regards the Processing of Personal Data, art 5; Netherlands, Personal Data Protection Act, art 3 (1); and Norway, Personal Data Act, sec 7.
134 This value was assigned to the following DPA survey participants, Germany Schleswig Holstein, Lithuania (with transfer of powers to the Inspector of Journalist Ethics), Malta, Spain Catalonia (due in this case to federalism rather for the specific purpose of reducing scrutiny vis-à-vis journalism), Sweden and the UK, together also with the Denmark national DPA (with transfer of powers to the Danish Press Council) which did not participate in the survey. See Denmark, Compiled version of the Act on Processing of Personal Data, s. 2 and Lov om massemediers informationsdatabaser, kapitel 4; Germany, Gesetz über die Presse, sec 10 and Medienstaatsvertrag HSH, sec 37; Lithuania, Law on the Legal Protection of Personal Data, art 8; Malta, Data Protection Act, sec 6 (1)-(3); Spain, Catalonia, Ley 32/2010, de 1 de octubre, de la Autoridad Catalana de Protección de Datos, art 3; Sweden, Personal Data Act, sec 7; and United Kingdom, Data Protection Act, sec 45-46.
135 This value was assigned to all the other DPAs which participated in the survey, together with the Croatian, Romanian and Spanish national DPAs which did not.
136 Given the clearly non-parametric nature of all this data, the Spearman's Rank correlative test was adopted.
137 It may be argued that, given that study is exploring enforcement since the transposition of Directive 95/46, it might be appropriate to augment both these enforcement scores for those DPA jurisdictions within Eastern Europe as well as Cyprus and Malta since they only became members of the EU and subject to the Directive well after 24 October 1998 when transposition within the EU was generally required (art 32.1, Directive 95/46). Such an augmentation can be achieved by adjusting these figures to reflect the fact that, whilst the study generally probed some 14.5 years of potential enforcement, Bulgaria only joined the EU on 1 May 2005 and therefore ‘lost’ approximately 8 years of potential enforcement (55% of the total period), whilst the other jurisdictions joined on 1 May 2005 and therefore similarly ‘lost’ approximately 5.5 years (38% of the total period). Such an adjustment in fact strengthens the findings reported here. In sum, the correlations in question shift to 0.680*** (significant 0.000), 0.594*** (significance 0.001), 0.276** (significant 0.049) and 0.220* (significance 0.096) respectively. As an EU-associated EEA state, Liechtenstein only technically became subject to the Directive on 26 June 1999 (see n 2). However, this seven-month gap was considered too small to have a significant effect on these results.
138 As noted previously, adjustments were made to reflect the federal nature of Germany and Spain. In the case of the German Länder a portion of the German Federal DPA budget was notionally reallocated to each German Land based on its population size within Germany. The German Federal DPA was then dropped from this part of the study. In the absence of a response from the Spanish Federal DPA, the Spanish Catalan DPA was also dropped.
139 If the enforcement results for Eastern Europe together with Cyprus and Malta are augmented to account for the number of years when they did not fall under Directive 95/46 (see n 137), then these results generally become slightly starker. In sum, the correlations cited shift to –0.353** (significance: 0.042), –0.340** (significance 0.048), –0.343** (significance 0.047), –0.199 (significance: 0.151), –0.011(significance 0.477) and –0.335** (significance 0.038).
140 Directive 95/46, art 9.
141 See Erdos, ‘European Data Protection Confronts Freedom of Expression’ (n 11) 541.
142 Regulation 2016/679, Recital 10.
143 See esp arts 12 to 14, Regulation 2016/679 compared to arts 10 and 11 of Directive 95/46. In some tension with this, and in contrast to Directive 95/46, recital 27 of the Regulation clarifies that it ‘does not apply to the personal data of deceased persons’. However, the recital adds that ‘Member States may provide for rules regarding the processing of personal data of deceased persons’.
144 Reg 2016/679, art 83. Due to the peculiarities of their legal system, in Denmark and Estonia special procedures will apply such that fines will be initiated by a DPA but imposed by the Courts. See Reg 2106/679, recital 165 and art 83 (9).
145 Reg 2016/679, art 83 (1).
146 Reg 2016/679, art 52 (4).
147 See Reg 2016/679, ch VII, s 2.
148 C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, EU:C:2014:317; C-362/14 Maximillian Schrems v Data Protection Commissioner, EU:C:2015:650.
149 Any subsequent amendment affecting these provisions must be similarly notified. Perhaps also to underline that this derogatory scheme is in no sense designed to remove journalism entirely from the reach of data protection, art 83(5)(d) rather problematically also provides that breach of the obligations in this area should attract DPA administrative fines of up to €20M (or in the case of commercial undertakings up to 4% of the total worldwide annual turnout if this is higher).
150 See n 34.
151 European Commission, High Level Group on Media Freedom and Pluralism, A Free and Pluralistic Media to Sustain European Democracy (2013) <https://ec.europa.eu/digital-single-market/sites/digital-agenda/files/HLG%20Final%20Report.pdf> accessed 2 November 2016, 3.
152 Leveson Inquiry (n 85).
153 Ibid, 1110.
154 Conversely, in some Member States journalism is in effect exempted from all substantive data protection liability irrespective both of its impact on data subjects and on how unfair its processing of data might be. This is similarly not in keeping with the purpose of European data protection.
155 Such requirements are set down inter alia in article 52 of the Charter of Fundamental Rights of the EU.
156 Eric Barendt, Freedom of Speech (Oxford UP, 2nd edn 2005) 117.
157 Reg 2016/679, art 58(1)(e).
158 Ibid, art 53(2)(f).
159 Ibid, art 53(2)(i).
160 EU Charter, art 8(3).
161 C-131/12 Google Spain, [38].
162 UK, Leveson Inquiry (n 85) 1107.
163 Directive 95/46, recital 8.
164 Directive 95/46, art 1.
165 EU, Agency for Fundamental Rights, Access to Data Protection Remedies (n 8).