Paul Quinn (Brussels Privacy Hub, LSTS, VUB).
In her presentation, Michils first explained the relationship between journalism and the General Data Protection Regulation (GDPR) as stated in the GDPR itself. As the definition of “personal data” used in the GDPR is very broad and processing relies often on consent, the journalistic profession would be heavily restricted, according to Michils, would the GDPR apply fully. For example, for investigative journalists, trying to cover a topic in depths, it is unfeasible and potentially counter-productive to their investigation to inform the data subject (and also the subject of their journalistic investigation) of the processing in advance. The GDPR tries to balance these concerns in Article 85, where it obliges to reconcile data protection with the freedom of expression (both protected rights in the Charter of Fundamental Rights of the European Union ‘CFR’). In Article 85(2), the GDPR grants the Member States the possibility of adopting a wide exception for “processing for journalistic purposes” within their national rules. On 30 July 2018, the Belgian legislator made use of this provision and adopted a framework law to that purpose.
In a second step, Michils continued by explaining in detail the different definitions and aspects of the Belgian Framework Law of 30 July 2018. She started by laying out that the law overall was neither the strictest nor the most lenient among EU national laws adopted under Article 85(2) GDPR. While the German legislator granted more leeway for journalists, the Dutch legislator included less exceptions.
The core point of the Belgian framework is the definition of journalist purposes. For Belgian law, everybody can be a journalist, so it does not matter whether the person claiming the exception for journalistic purposes is a certified or registered journalist. It is therefore only relevant that journalistic activities are being conducted. Those are to be understood widely, including all sorts of writings, video, investigations or blogging. Everyone undertaking journalistic activities is then obliged to follow the Belgian deontological rules for journalists and is under the jurisdiction of the Belgian Council for journalists.
As Michils explained, once it is established that there is a journalistic activity (or processing for journalistic purposes in data protection terms), many rules of the GDPR become inapplicable, as for example nearly all data subject rights though the obligation to respond to a data subject rights request to use a data subject right remains. This means journalists relying on the exception will have to explain to the data subject why he or she cannot use their rights. The proof of journalistic activity has to be established by the party wanting to rely on the exception.
The exceptions to the GDPR granted to journalistic purposes by Belgian law, do not exclude application of all rules as Michils further specified. Main principles, such as that processing needs to be lawful, fair and transparent will still apply. In the end, those rules linked to the essence of data protection cannot be avoided by relying on the exception. All penalties introduced by the GDPR also remain applicable. As Michils concludes, while the Belgian framework law tries to grant a wide exception to journalists, its vagueness lead to many case-specific questions. Such uncertainty leads to bogus cases brought against journalists as attempts to silence them. As Michils stated, the GDPR has not made the profession of a journalist more attractive to potential interested individuals.
The presentation was followed by an intense debate with the audience. Among the themes discussed were whether Belgian law provides quality rules for journalistic content (short answer: they are included in the deontological rules for journalists), whether data processors could rely on the exemptions, how far the exception from data subject rights is reaching and whether the Belgian framework law is in line with the Google Spain case law of the Court of Justice of the European Union (CJEU).
Copyright © Brussels Privacy Hub