Media organisations collect a lot of personal data about their audiences. The way this information is handled will undergo its biggest change in two decades, as the new European General Data Protection Regulation will bring the UK’s legislation up to speed.
Jon Baines, data protection adviser at London law firm Mishcon de Reya, says GDPR is more of an evolution of current data protection laws than a revolution. "The UK's current Data Protection Act dates from 1998," he says, "so in many ways was out of date. But the basic principles of fairness, transparency, accuracy, purpose-limitation, or security, are unchanged for GDPR."
GDPR exemptions for UK journalists
While GDPR applies across Europe, it is up to each member state how to legislate for specific exemptions for journalism. "News organisations, at least when they are practising journalism, as opposed to, for instance, when they are acting as an employer, will continue to have quite a wide exemption from most of the obligations, but they will not be exempt from the requirement to have appropriate security measures in place to prevent data breach," says Baines.
This includes solid cybersecurity, staff training, and contingency plans on how to respond to an information leak or a personal data breach if it occurs, to minimise the damage.
In addition, the media will generally be able to claim an exemption if the personal data they are handling is held 'with a view' to publication, if they believe that publication would be in the public interest and if complying would be incompatible with journalism. "This is potentially very broad," explains Baines, "and has generally been interpreted by the Information Commissioner and the courts as being so".
- Personal data: any information relating to an identified or identifiable living individual. It includes obvious identifiers such as names and identification numbers, but also less obvious information, particularly anything that can be matched with other information to identify someone: certain types of location data, online identifiers such as IP addresses, or a pseudonym;
- Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
- Controller: broadly, it’s the person or organisation who makes the decision about why and how personal data will be handled;
- Processor: the person or organisation who acts on the controller's instruction. For example, a call centre contracted by a newsroom to provide customer services on its behalf: the call centre might be a processor, while the newsroom would be the controller. Sometimes, though, the distinction can be less clear.
Personal data breach and fines
GDPR sharply raises the stakes for a personal data breach: the Information Commissioner's Office will be able to impose a maximum fine of €20m or 4 per cent of global annual turnover, whichever is higher.
"It is important to note, however, that the Commissioner has made clear that huge fines are not likely to be levied often, and that any fine has to be proportionate, which means the severity of the breach must be taken into account, but also the size and means of the organisation involved," says Baines.
He adds that news organisations should also be aware that there will continue to be a criminal offence of knowingly or recklessly obtaining or disclosing personal data from a data controller without its consent. This could cover obtaining information about someone by deception (blagging), hacking, exploiting poor security, or unauthorised leaks. "Although there is a public interest defence to this offence, there isn't a specific defence just for journalists or journalism," he concludes.
Freelance journalists and b2b publishing
According to Baines, freelance journalists are likely to be data controllers, as they will be deciding how and why personal data will be handled. They will still be able to claim the broad exemption for journalism. This doesn't mean, however, that they are exempt from having security measures in place.
But what about b2b publishers, who generally hold publicly available information on their readership, such as work email, job title or office address? Under GDPR, these are still personal data, because they identify an individual. "However,” Baines explains, “one of the key principles under GDPR is that personal data should be treated fairly and that revolves around what people's reasonable expectations are. It may be that someone has different expectations about how their work information is treated compared to similar information in a more private context."
When do journalists need consent?
It is very unlikely that, in general, the media will need to get consent to process personal data as the wide exemption for journalism applies. One circumstance in which the media might need to get consent, however, is when they are sending out electronic marketing, for example, events ticket sales. "This is a separate but related law, the Privacy and Electronic Communications Regulations 2003," says Baines, "which means that you cannot send unsolicited electronic marketing to individuals without their consent, unless you already have a customer relationship with them." He adds that GDPR has brought a sharper focus on these regulations, because it increases the potential sanctions for a breach of them.
In addition, personal data gathered for one purpose should not, as a general rule, be used for another, so the media shouldn't use contact details for marketing purposes when those details were originally gathered for the purposes of a story.
Jon Baines’s top 3 GDPR tips for journalists:
1. A lot of what journalists do is subject to an exemption, but you need to be mindful of the limits of the exemption.
2. Always make sure you have appropriate security in place when handling personal data: full disk encryption on devices, locked cupboards, diligent checking of emails to make sure they're not sent to the wrong person, etc.
3. GDPR is an opportunity for those who really understand it to stand out from the crowd, so seize it.
Update: This article has been updated to clarify the extent of the Privacy and Electronic Communications Regulations 2003.