5 The Principles applied to journalism

5.1 Introduction

This section is aimed at providing some concrete tips that must serve well to journalists to deal with their day-to-day activities. It has been redacted in an easy to understand, plain language, that might be understood by a non-expert. It is structured on the grounds of the principles settled by the GDPR. This is due to a simple fact: processing must always respect those principles, which constitutes the core of the GDPR. This means that even though you have a legal ground to process personal data, you must respect these fundamental principles. Otherwise, your processing would not be lawful.

In the following paragraphs, we show these principles and provide advice on how to deal with them from the perspective of a journalist. This advice incorporates the recommendations made by the Council of Europe in its Guidelines on Safeguarding Privacy in the Media approved jointly in June 2018 by the Steering Committee on Media and Information Society (CDMSI) and the Committee of Convention 108 (Council of Europe Data Protection Convention). These Guidelines comprise a collection of standards of the Council of Europe (the Council/CoE) and the European Court of Human Rights (the Court) concerning the protection of privacy of public figures and private individuals in the media.

Please, keep always in mind that this part of the Handbook is mainly oriented to provide guidance on how to deal with the principles adopted by the GDPR from an ethical perspective. In order to ensure adequate legal compliance, you must follow the regulation produced by the corresponding Member state.

5.2 Lawfulness, fairness and transparency

According to article 5.1 (a) of the GDPR, “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”. This principle includes three different requirements:

• Lawfulness. Data processing is only lawful if a basis of legitimacy allows it (see section 3.1). Most of the information that a journalist collects is personal data. Thus, obtaining information often means data processing and, therefore, should follow the principles settled by the GDPR. This means that you need to have a legal basis to process the data and you need to justify the reasons why you collect them.

• Fairness. The concept of fairness is difficult to define. It refers to the fact that processing must be in accordance with the spirit of the GDPR, not only with its literacy. In this way, it allows for the introduction into the application of the RGPD of the provisions of other regulations of particular importance when it comes to defining what is considered as “fair” within the EU and its Member States, such as the EU Charter of Fundamental Rights. In general, however, one could state that fairness involves that you process the information in a way that satisfies the rational expectations of the data subjects. The ICO has stated that fairness means that “wherever possible the media should collect and use information about people fairly and lawfully, and not cause any unjustified harm. Journalists will often be able to collect information without the subject’s knowledge or consent, but it will be unfair to actively mislead people about the journalist’s identity or intentions”. (ICO, 40).

• Transparency. The principle of transparency seeks to ensure that all interested parties are aware of each processing of their personal data and that they can access essential information about its specific content. In general, you should also tell the person you are collecting the information from, and the person the information is about (that is, the data subject), who you are, and what you are doing with their information. If they provide you with the information for a concrete aim, you should not use if for another aim. Sometimes, notifying data subjects about data processing could undermine the journalistic activity. Sometimes, you have to use intrusive covert methods to get a story, such as surveillance. All these circumstances might be acceptable, proven that you had no alternative more respectful with data protection principles and the story is in the public interest. Indeed, this is the key point: you can avoid notifying the data subject about the processing if and only in so far it makes the exercise of journalism impossible. In other words, you must communicate the processing to the data subjects unless you consider that in doing so you would be unable to build the story. Once this no longer applies, you should proceed with the obligations settled by the GDPR. As the ICO stated, “In the context of journalism, we accept that it will not generally be practicable for journalists to make contact with everyone about whom they collect information. It will often be fair to collect information on matters of potential journalistic interest without the subject’s knowledge. However, there will be cases where fairness may require some direct contact with the subject of a major investigation, to offer them the opportunity to put forward their side of the story” (ICO, 40).

5.3 Choosing a legal basis for processing

There are three legal bases for processing that usually apply for journalism. These are consent, public interest and legitimate interest.

5.3.1 Consent

Data can be processed if the people who are the subject of the information have given consent. If the information refers to several people, consent should be given by all of them. Consent must be freely given, specific, and informed. We must highlight that the mere fact that someone has published a personal data in a public site, such as his or her facebook profile does not mean that these data can be used without his o her consent or another legal basis. Consent must cover the purposes of the data processing.

Therefore, if you want to use the data for a purpose other than the purpose originally searched by the data subject, you need a legal basis. There might be exceptions to this rule, especially if the data subject is a public figure but, in such circumstances, you should process the data under the legitimate interest basis, instead of consent. According to the Guidelines on Safeguarding Privacy in the Media, “Journalists should, in principle, secure the consent of the person concerned at the time the picture is taken and not simply if and when it is published. Otherwise an essential attribute of personality (the image) is dependent on third parties and the person concerned has no control over it” (page 20).

5.3.2 Public interest

Data can be processed if it is necessary for the performance of a task carried out in the public interest. Indeed, this is the most recommendable legal basis if you are part of a public institution that is acting as such (if consent is not applicable). If you are a private actor or if you are a public institution that is working as a private actor, the legitimate interest basis is more recommendable. This is due to the fact that public interest cannot legitimate processing if we do not consider the interests of the data subject, since information is not an absolute right or duty. However, if this is the case, legitimate interest and balancing test are concepts that work very well with processing. Thus, it is recommendable to use legitimate interest as a legal basis for processing.

5.3.3 Legitimate interest

The processing is necessary for ‘legitimate interests’, provided that it will not cause unwarranted harm to the person concerned. “Legitimate interests will include a media organisation’s commercial and journalistic interests in gathering and publishing material, as well as the public interest in freedom of expression and the right to know”. Thus, it is a wide legal basis, that comprises public interest but not only public interest. In order to balance all interest involved, you should follow a procedure able to ensure that the legitimate interest serves as a legal basis processing includes three main phases (Detrekői):

• First, you must identify a legitimate interest test (why the story serves the public interest).

• Second, you must perform a necessity test (how the publication of names and personal data is needed to make the article informative).

• Finally, you need to carry a balancing test aimed at demonstrating that the interest of the public to know about the topic covered in the story exceeds the individual’s interest to keep its personal data hidden from the public eye. The greater the information value for the public, the more the interest of a person in being protected against the publication has to yield, and viceversa. (Guidelines on Safeguarding Privacy in the Media, 11).

An extensive description of a balancing test is included in Annex I of this document. The jurisprudence of the ECtHR is quite extensive on the balance between public interest and privacy. (See Right to the protection of One’s Image). An excellent summary of its position was included in the Kaboğlu and Oran V. Turkey Case: “In several of its judgments the Court has summarised the relevant criteria for balancing the right to respect for private life and the right to freedom of expression as follows: contribution to a public-interest debate, whether the person concerned is well-known, the subject of the report, the prior conduct of the person concerned, the content, form and consequences of the publication, as well as, if appropriate, the circumstances of the case (see Von Hannover (no. 2) [GC], cited above, §§ 108-113, and Axel Springer AG, cited above, §§ 89-95; see also Couderc and Hachette Filipacchi Associés, cited above, § 93). If the two rights in question have been balanced in a manner consistent with the criteria established by the Court’s case-law, the Court would require strong reasons to substitute its view for that of the domestic courts (see Palomo Sánchez and Others v. Spain [GC], nos. 28955/06, 28957/06, 28959/06 and 28964/06, § 57, ECHR 2011).”

5.4 Purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. By virtue of this, the data can only be processed for certain purposes, which must be explicitly stated when justifying the processing. Therefore, you should always keep in mind, for instance, that you cannot use the data that you keep in your records for purposes others than those that justified their processing, unless you have a basis that serves as a ground for the new processing.

5.5 Data minimisaton

Personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. This principle involves that “you must have enough information to do the job, but shouldn’t have anything you really don’t need. Note that this principle takes account of your purpose. As the nature of journalism requires the collection and cross-referencing of large volumes of information, we accept that information without immediate relevance to a current story can be justifiably retained for future use if it relates to a person or subject of more general journalistic interest.” (ICO, 25)

5.6 Accuracy

According to article 5.1(d), “Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”.

Accuracy is both an essential principle of the GDPR and a key value of journalism. Therefore, journalist should pay special attention to ensure that the information published is accurate. To this purpose, you must check the facts. It can be argued that only accurate information works well with the idea of promoting public interest. Therefore, the article 85 exemptions and derogations will only apply if the information is accurate. “However, the exemption may be available if, for example, the story is urgently in the public interest and the short deadline makes a complete accuracy check very difficult. As with any use of the exemption, you will still need to show that proper thought was given by someone at an appropriate level to what checks might be possible, whether publication could be delayed for further checks, the nature of the public interest at stake and that the decision to publish was, therefore, reasonable” (ICO, 14).

Furthermore, accuracy involves that very reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay. This is essential, since published information might seriously compromise someone’s public image or private life. According to the Article 29 WP, “The right to reply and the possibility to have false information corrected, the professional obligations of journalists and the special self-regulatory procedures attached to them, together with the law protecting honour (criminal and civil provisions concerning libel) must be taken into consideration when evaluating how privacy is protected in relation to the media” (A29WP, p. 7).

Therefore, journalists must be particularly attentive and change the information if it is shown that it does not faithfully reflect reality. This, of course, must be especially considered if the people requesting the rectification are the data subjects, in accordance with their right to rectification. Finally, you should always declare whether you are expressing an opinion or informing about a fact. This is crucial for the audience not to misinterpret the information.

5.7 Storage limitation

The principle of storage limitation means that “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (art. 5 GDPR). In the context of journalism, this means that, once you have your information, you have to make some decisions regarding on whether you would like to storage it and for how long. Data are very valuable assets for journalist, since they could often serve as background materials Contact details are also a very important resource and journalist are usually willing to keep them. In principle, you can keep these data for long periods or indefinitely. The GDPR does not impose a time limit on how long you can retain personal data. The ‘storage limitation’ principle only imposes that there is a good reason to keep the data. Assuming this is the case, they can be kept indefinitely.

However, as the ICO states (ICO, 12), “you should review your retained information from time to time to ensure that the details are still up to date, relevant and not excessive for your needs, and you should delete any details which you no longer need (eg if a contact has changed their number). Furthermore, you the way in with you retain the information or how you review it should be set out in organisational policies.

5.8 Integrity and Confidentiality

Data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” (art. 5 GDPR). This principle is aimed at avoiding unauthorized or unlawful processing and accidental loss, destruction or damage of the data.

The data you are storing is sensitive material. Therefore, you must do your best to avoid their being lost, stolen or misused. Try to keep them safe by paying attention to the procedures and security protocols stablished by your organization. Indeed, all employees of a media company should be aware of, and follow, the organisations policies and procedures. Information should be locked, password protected and encrypted where possible. You must be particularly aware of security when out of the office with documents, phones or laptops containing personal data.

The range of security needed is not fixed. In principle, security measures might be appropriate to ensure that no unlawful access happens or to avoid accidental loss, destruction or damage. They should consider how sensitive or confidential the information they hold is, the harm that might result from its loss or improper use, the technology available, and the costs involved. They don’t have to have state-of-the-art security, but it should fit the level of risk. Organizations need to consider technical (electronic) and physical security measures, policies and procedures, and staff training and supervision. These should cover staff working both in and outside of the office. In any case, organizations should be able to justify the level of security adopted (ICO, 43).

5.9 Accountability

According to article 5.2 of the GDPR, “The controller shall be responsible for, and be able to demonstrate compliance with paragraph 1”. This clause rules that the data controller IS not only responsible for compliance with the GDPR, but should also be able to demonstrate this compliance. Therefore, the controller carries the burden of proof for the compliance with the GDPR. In the case of journalism, it might happen that, in fact, an exemption to the subject’s rights has been implemented. In such cases, organizations or journalist should be able to explain why complying with the relevant provisions was not compatible with the purposes of journalism. To this purpose, they should often demonstrate that they have performed a balancing test, considering the different interest at stake. Stating that compliance is not standard industry practice would not be enough in any case. Keeping an audit trail in cases that are controversial or particularly likely to prove contentious could be an appropriate tool to demonstrate accountability.

As Biriukova stated, “Firstly, the media undertaking, a journalist or essentially anyone who would like to rely on the exemption would need to establish the public interest of the intended publication, and, secondly, to understand which data protection obligations would, in that case, conflict with the journalistic purposes. Perhaps, when it comes to a journalistic investigation into the governmental corruption a refusal to disclose information source could be easily defended, however, other, less black and white scenarios (e.g., breach notifications), may create compliance conundrums. At the same time, it is difficult to conceive that, e.g. a citizen journalist would a prior carry out such a balancing exercise. Unless more detailed guidance, codes of practices or conduct are provided, such a nuanced approach is at risk of remaining largely theoretical and non-operational.” (Biriukova, 22).

We should also keep always in mind that, in general, the data controller is not in general an isolated journalist, but the organization he or she works in. therefore, it is the organization who is responsible for implementing organizational measures and policies about data processing and responsibility. Indeed, it is the organization who must be able to prove that the processing of the data was the final result of a decision-making process that considered all issues at stake. Procedures might vary considerably, depending on the type of organization and information, but there should be a kind of structured procedure in each organization. Furthermore, it would be good to develop some codes of conducts in the framework of the journalist profession in every Member state. Indeed, the Article 29 Working Party stated that “evaluating whether exemptions or derogations are proportionate, attention must be paid to the existing ethic and professional obligations of journalists as well as to the self regulatory forms of supervision provided by the profession” (A29WP, p. 8).

As the ICO states, “in many day-to-day stories it may well be appropriate for the journalist to use his or her own judgement, but more high-profile, intrusive or damaging stories are likely to require more editorial involvement and a more formal consideration of the public interest. Organizational policies should be used to explain when greater editorial involvement is required. Our view is that it is the belief at the time of the processing that is important. The data controller must be able to demonstrate that it had a belief about the public interest, ie that the issue of public interest was actually considered. It should be able to show too that it was considered at the time of the relevant processing of personal data and not just after the event. If a journalist initially considers that a story will be in the public interest, but in the end the organization decides not to publish, the exemption can still cover all journalistic activities undertaken up to that point.

Secondly, the exemption requires only a reasonable belief. This gives much more leeway than other exemptions and reflects the importance of a free and independent media.” (ICO, 35). The following table shows some measures included in the Guidelines on Safeguarding Privacy in the Media that might serve well to organizations willing to ensure compliance with data protection.

Media outlets: Measures to ensure compliance with data protection

According with the Guidelines on Safeguarding Privacy in the Media, the media outlets “should take all the necessary measures to ensure compliance with data protection requirements and demonstrate this compliance”. One may mention for instance the usefulness of the following “accountability” tools:

- appointment of a data protection officer;

- establishment of a register of data protection processing activities;

- elaboration of a privacy policy;

- internal procedures to consider the data protection implications at key stages of a journalistic activity and to adopt swift decisions in cases of ethical difficulties;

- internal procedures to draft information notices, to handle complaints of individuals, to alert the management of the organisation, to contact the data protection authority, to deal with cases of security breaches, etc.;