To what extent is an individual potentially on the hook, in terms of data protection liabilities, for material they post on their personal social media accounts, such as video clips on YouTube? The CJEU’s ruling in Sergejs Buivids (Case C–345/17) is the most recent addition to the line of authorities about the intersection between personal use of online networks, potential journalistic purposes and data protection duties.
Mr Buivids was giving a statement in a Latvian police station, as part of proceedings being brought against him. He was not very happy about all this. He took a video clip in the police station and uploaded it to YouTube because, he said, he considered the police to be behaving unlawfully, and he wanted to draw attention to this. On the video clip, officers could be seen and heard going about their duties. Data protection not being at the forefront of his mind at the time, Mr B failed to provide the police officers with privacy notices and suchlike. The Latvian National Data Protection Agency told Mr B to take down his video because it contravened Latvia’s legislation implementing Directive 95/46/EC. Mr B, doubtless fortified in his dim view of Latvian authorities, challenged that order.
This prompted a reference to the CJEU under the old Directive. The Court’s answers – while not groundbreaking – will continue to inform debate about the parameters of data protection duties under the GDPR.
First, the no-brainers: the video clip plainly contained the personal data of identifiable officers; uploading it to Youtube was plainly an act of processing, and Mr B had no real chance of bringing his activity within the Directive’s carve-out for “processing operations which concern public security, defence, State security and the activities of the State in areas of criminal law”.
Secondly, what about the other carve-out? The Directive did not apply to processing by a natural persons in the context of a ‘purely personal or household activity’ (the same is true of the GDPR: see Article 2(2)(c)). Isn’t that what Mr B was up to here? After all, unlike poor Mrs Linqvist – who unwittingly processed personal data on a website for her parish church – Mr B was a one-man band venting his outrage about his personal treatment. Couldn’t he benefit from the ‘purely personal or household activity’ carve-out?
No, said the CJEU. Carve-outs and exemptions must be construed restrictively. Since Mr B “published the video in question on a video website on which users can send, watch and share videos, without restricting access to that video, thereby permitting access to personal data to an indefinite number of people, the processing of personal data at issue in the main proceedings does not come within the context of purely personal or household activities” [43].
I’ve underlined some potentially interesting wording: does it follow that if an individual makes content on their social media page available only to certain people (friends, registered users?), they could potentially benefit from the personal/domestic carve-out? Possibly, especially given the nod in Recital 18 to the potential for social networking activities to avoid data protection duties.
Another interesting aspect of this personal/domestic issue is highlighted by David Erdos in this excellent blogpost. In its DPA 1998 guidance entitled “Social networking and online forums – when does the DPA apply?”, the ICO said that it would not investigate “complaints made against individuals who have posted personal data whilst acting in a personal capacity, no matter how unfair, derogatory or distressing the posts may be”. How does that sit with Mr B’s case?
Thirdly, Mr B’s fallback here was to the journalism exemption, i.e. he argued that his processing was ‘solely for journalistic purposes’. Admittedly, this argument doesn’t sit easily with his reliance on the personal/domestic carve-out, but what about it? After all, Mr B’s stated aim was to expose what he saw as official wrongdoing.
This argument had more traction. ‘Journalism’ needs to be construed broadly: “‘journalistic activities’ are those which have as their purpose the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them” [53]. You don’t need to be a professional journalist, and you can still rely on this exemption when using websites like YouTube, which are not exclusively (or even primarily) journalistic platforms. The case law is clear as to the “criteria which must be taken into account, inter alia, contribution to a debate of public interest, the degree of notoriety of the person affected, the subject of the news report, the prior conduct of the person concerned, the content, form and consequences of the publication, and the manner and circumstances in which the information was obtained and its veracity” [66].
So how did Mr B fare on this point? We don’t know, as this is a matter for the referring court to decide. But the CJEU thought his activities could potentially come within the journalism exemption, “in so far as it is apparent from that video that the sole object of that recording and publication thereof is the disclosure of information, opinions or ideas to the public” [69]. Again, I’ve underlined words that strike me as interesting: the implication appears to be that you need to be able to tell from published material that its sole object is journalistic. What about contextual information about the purposes of the clip?
Moreover, as David Erdos’ post discusses, what do we mean by “the public” here? Do we mean anyone, or do we mean “the body politic”, such that the processing must be geared towards some sort of public-interest debate or issue?
So, as is often the case with CJEU judgments, this one raises as many questions as it answers. And the referring court is left to decide not only whether the journalism exemption could apply on the facts here, but – if so – how to balance the competing rights to privacy and free expression. On that fundamental point, this judgment doesn’t take us very far, except to reiterate, lest we forget, that any ducking of a data protection duty (via a carve-out on scope, or via an exemption) must be limited to what is “strictly necessary”. That point will certainly continue to resonate under the GDPR.
Robin Hopkins @hopkinsrobin