By Ayden Férdeline
Personal data privacy, or the general lack thereof online, has garnered a considerable amount of attention in the past month, especially in the wake of the Facebook-Cambridge Analytica controversy. The European Union’s new General Data Protection Regulation (GDPR), which will take effect on May 25 after having been a decade in the making, will fundamentally change how personal data can be collected and processed. Some have even held up this new European privacy regulation as a potential remedy for corporate neglect of individual privacy. Without a doubt, the impact of this extraordinary revision to European privacy law will be felt by journalists and publishers both inside and outside of Europe as they negotiate news standards that affect how they handle personal information.
The GDPR is playing a decisive role in the ongoing harmonization of global privacy standards by the large tech platforms. This is because the Council of the European Union has advised the European Commission that it cannot negotiate away privacy rights in trade agreements, and so a need to comply with the GDPR in order to do business in Europe will likely incentivize businesses to adopt higher privacy and data protection standards for their entire operations worldwide.
The reach of the GDPR is broad. It applies to all sectors which collect or process the data of people ordinarily resident in the European Union, including the news media. Unusually, its scope is extraterritorial, meaning that it applies irrespective of whether the “data controller” is based in a European Union member state or another country altogether. The data controller is the entity legally responsible and subject to enforcement action. For staff reporters, for example, the data controller would be the media outlet employing them. However, freelance journalists or citizen journalists would be seen as either sole or joint data controllers. The distinction between sole or joint controller is not too important, because in either case, the freelancer would personally absorb the liability for complying with the GDPR.
In order to understand why this is the case, it is helpful to explore the key principles contained within the GDPR. The GDPR applies whenever a journalist (or other entity) collects or publishes information about a living person. The GDPR holds that data subjects are entitled to control over their personal data, that data controllers must be held accountable for their actions, and that privacy must be the default setting.
These principles will not, for the most part, present a burden to journalists. If you are honest and transparent with a source and they are aware they are being interviewed on-the-record and disclosing information for publication, you will have met the criteria for consent.
Reassuringly, there are some exemptions within the GDPR for the production and publication of legitimate journalistic work where obtaining consent would not be practical. However, these exemptions apply only to journalists and not to media outlets in general, so the “business side” of a publication must always comply with the GDPR. One lawful condition for the collection and publication of personal data without consent is where the legitimate interests of another party override those of the individual. What this means is vague, but essentially the burden is on the journalist to determine that the public interest in collecting and processing personal data outweighs the rights of the individual to privacy.
How such a balancing test should be performed in practice is up to the media outlet, but in keeping with the GDPR’s principles, it would seem there should be consideration as to the potential harm that publication could cause to the data subject. Journalists should also consider whether or not the story could be reported in a less intrusive manner.
It is not enough to merely comply with the GDPR. Data controllers must be able to verifiably demonstrate their compliance with the regulation. The supervisory authorities tasked with enforcing the GDPR have the right to obtain a data controller’s internal operating procedures for processing and safeguarding personal data. Given this, it would be advisable for publications to have clear, documented policies as to editorial flows and who should sign off on what kinds of stories prior to publication. This audit trail is very important, especially for stories which could be seen as very intrusive and which do not concern public figures. Another good practice would be to ensure journalists undergo basic data protection awareness training, so that publications can demonstrate to supervisory authorities that their personnel can distinguish between personal, sensitive, and non-personal data.
The GDPR requires that personal and sensitive information be kept secure. Journalists must take reasonable steps to prevent their notes and research materials from being lost or stolen. You should be careful when out in public as to whether prying eyes could read your laptop screen or steal data over the Wi-Fi network. A good practice would be to encrypt information and to set up your devices so that they can be remotely wiped, if lost or stolen.
There is a perception that the GDPR is a heavy-handed regulation that is difficult to comply with, and while this is true for some industries and business functions, it should not cause consternation for journalists. Many provisions within the GDPR that have generated headlines are misunderstood and instead constitute best practices in information security. Lawmakers have carved out many safeguards for the exercise of freedom of expression, including within the right to erasure (also known as the ‘right to be forgotten’). This right is not absolute and only applies in certain circumstances. Another provision, that data “must be accurate,” merely indicates that if an individual disputes the accuracy of information concerning them within a story, the data controller should verify their records and, if necessary, affix a correction to the online archives.
The tussle between the right to privacy and the right to freedom of expression is not new, and not easily resolved, because both are equally fundamental, but the GDPR tries to strike an appropriate balance between the two. The GDPR’s fundamental principles of accuracy, security, fairness, and respect for the rights of the individual whose data is being processed are about building trust. In an age where trust in our institutions, and in the media, is on the decline, the GDPR should be seen as an opportunity to institutionalize respect for getting things right – developing practices for handling information securely, keeping the identities of sources safe and confidential, and upholding your reputation. There will be challenges ahead, but there is real value to be derived from the GDPR too.
Ayden Férdeline represents European civil society organizations on the Council of ICANN’s Generic Names Supporting Organization. Follow him on Twitter, @Ferdeline.