The GDPR’s Journalistic Exemption and its Side Effects

On 25 May 2023, we mark the fifth anniversary of the General Data Protection Regulation’s (GDPR) full application in the European Union (EU). While the Regulation is primarily known for its impact on business, it also fostered significant changes to data processing by media outlets, which are often overlooked in discussions about data protection. The GDPR recognizes that data protection is not an absolute right. However, over the past five years, different regulatory approaches have emerged to reconcile two fundamental rights: the right to data protection and freedom of expression, particularly when applying the new data protection rules to journalism. This blog post analyzes what is commonly called the ”journalistic exemption” under Article 85 of the GDPR that requires Member States to regulate the extent to which GDPR applies to journalists and others writing in the public interest. Further, this contribution reflects on how exactly that journalistic exemption is implemented across the Member States, and considers the problematic consequences of the GDPR’s uneven application to the media sector, including instrumentalization of GDPR in the strategic litigation (SLAPPs) against journalists.

Without a unified European direciton in this area, it seems inevitable that we will face an increasing number of legal challenges similar to the ones outlined below and continious fragmentation of approaches within this domain. The current state of affairs poses a significant disadvantage to the interests of journalists and individuals striving to exercise their fundamental rights, while also placing a burden on data protection authorities entrusted with upholding the law.

Unpacking journalistic exemption under GDPR

The GDPR, which was adopted on 25 May 2016, establishes comprehensive regulatory requirements for the processing of personal data. These requirements cover various aspects, including the collection, analysis, storage, and other processing activities. The GDPR imposes obligations on organizations to identify a lawful basis for processing personal data, adhere to specified retention periods for personal data, conduct various assessments, facilitate individual rights, maintain a documented record of processing activities, and report data breaches, among other obligations. Failure to comply with the GDPR can lead to sanctions imposed by national data protection authorities that can range from a reprimand to substantial fines, depending on the severity and nature of the non-compliance.

Two primary objectives of the GDPR strengthen individuals’ rights in the digital age and harmonize data protection rules across the EU. Nonetheless, Member States retain discretion to independently determine how to regulate certain areas, taking into account social, cultural, and historical differences. These areas include employment, religious association, archiving and research purposes, and, crucially, processing personal data for journalistic purposes.

The journalistic exemption is not a new concept in EU data protection law. The EU Data Protection Directive 95/46 (DPD), the predecessor to the GDPR, also included a similar provision, which the Regulation subsequently replicated in Article 85, albeit with minor changes. Specifically, Article 85 of the GDPR places an obligation on the Member States to reconcile the right to data protection with freedom of expression and information, particularly when personal data is processed for journalistic purposes. Member States can exempt those who exercise their freedom of speech for journalistic purposes from specific GDPR rules and obligations, meaning that they would not need to comply with these rules.

The application of the journalistic exemption does not immediately preclude the entire Regulation from applying to data processing by media outlets. Each Member State has the power to define the scope of its derogations. In principle, almost all critical GDPR rules (e.g., data processing principles, individual rights, obligations of data controllers and processors) could be inapplicable to those who process data for journalistic purposes if the Member State chooses such a regulatory approach (for more detailed analysis see Bitiukova, 2020).

Although the GDPR does not provide a definition for the term “journalistic purposes” or “journalism,” certain direction can be inferred from the case law of the Court of Justice of the European Union (CJEU). In Buivids, the CJEU adopted a functional approach to the concept of journalism, which essentially means that even individuals who are not recognized as journalists under national law can still qualify for the exemption if their sole purpose in processing data is to disclose information, opinions, or comments to the public. In Satamedia, the CJEU determined that activities related to the collection and dissemination of tax data, even if carried out by non-media organizations for profit-making purposes, could be considered “journalistic” if their objective was to disclose information, opinions, or ideas to the public. Although both cases were decided under the DPD, the GDPR did not significantly depart from the DPD’s approach, the CJEU jurisprudence remains relevant today.

National approaches to balancing fundamental rights

Naturally, the vague wording of Article 85 has led to a wide margin of discretion for Member States, resulting in a mosaic of regulatory approaches across the EU (for an extensive analysis see Erdos, 2019). The main differences can be observed across three dimensions:

• who can rely on the exemption or, in other words, what is its personal scope;
• what activities are exempted or what is the material scope;
• which rules do not apply as a result of the exemption or the nature of the derogations.

Personal scope

Although the majority of the EU Member States do not define in their data protection law what constitutes journalism or journalistic purposes, national courts have tended to adopt a broad interpretation of these terms. For instance, the High Court (UK) recognized in 2014 that the processing of personal data by a non-profit entity could fall within the scope of the journalistic exemption, when interpreting the DPD and national law. In October 2022, the Court of Appeals of Amsterdam also endorsed a broad interpretation of the term, finding that the journalistic exemption could apply even if a journalist had a personal motive in addition to the journalistic purpose, as long as the overall purpose of publication was to inform the public about data subject’s fraudulent activities.

Some countries, however, decided to narrow the scope of subjects who can benefit from the journalistic exemption. For instance, Austria provides an exemption from data protection rules specifically to “media undertakings, media services and their employees” while Italy limits the scope to professional journalists (including freelance journalists included in the official register) and only when they exercise their “journalistic profession”. These more restrictive approaches seem to be at odds with the CJEU’s broad interpretation of journalistic purposes discussed above.

Material scope

The material scope of the derogation has not been extensively defined in the Member States, with many national laws simply repeating the wording of Article 85 of the GDPR without additional explanation. However, some countries have taken different approaches, such as Romania, the UK, and Bulgaria. In Bulgaria, Article 25z of the Personal Data Protection Act 2019 originally defined the material scope for the exemption, setting out ten criteria for balancing freedom of expression and the right to personal data. These criteria included factors such as the impact of public data disclosure on the data subject’s rights, the nature and characteristics of the statements, and the role of the data subject in public life. If the processing was deemed to be carried out for “journalistic purposes” based on the outcome of these criteria, the journalist in such case would be exempted from certain GDPR rules.

However, in November 2019, the Bulgarian Constitutional Court declared Article 25z unconstitutional. The court found that the exhaustive list of criteria amounted to state interference with freedom of expression and was contrary to the case law of the ECtHR and the CJEU, which require a case-by-case balancing act whenever there is a real conflict between the two rights. The court argued that the law created uncertainty, unpredictability, and disproportionate restrictions on the right to freedom of expression and information in the context of journalistic expression.

Nature of derogations

Once again, there are significant differences in how Member States have determined which GDPR rules do not apply to journalistic expression. Some Member States, such as Lithuania and Sweden, have taken a granular approach and listed specific GDPR provisions that do not apply to journalistic expression. Others, such as Austria, have chosen to fully exempt those exercising their freedom of speech for journalistic purposes from national data protection law, meaning that such laws do not apply to journalists at all. However, this approach was recently challenged on constitutional grounds.

In January 2023, the Austrian Constitutional Court found the blanket exemption under Article 9(1) of the Austrian Data Protection Act (DPA) to be unconstitutional pursuant to Article 1 of the DPA – a constitutional provision which guarantees a fundamental right to data protection (”right to secrecy of the personal data”).The Court held that the fundamental right to data protection does not allow the legislator to categorically exclude the applicability of all data protection regulations of a substantive and procedural nature in their entirety under media privilege. As a result, as of 1 July 2024 more media companies in Austria will be subject to the oversight of the national data protection authority, which previously rejected GDPR complaints against them based on the exemption.

Unintended regulatory consequences

When it comes to applying the journalistic exemption, the ultimate criterion for determining whether data processing should be exempted from some or all of the GDPR rules is the purpose of processing. As a general guideline, if personal data is processed to serve the public interest (referred to as “journalistic purposes”), it is likely that these processing operations, including data collection, analysis, and publication, will be exempt from certain GDPR rules. Conversely, if a media organization processes personal data for other reasons, such as targeted advertising for commercial purposes, the GDPR will fully apply.

However, as demonstrated above, understanding which specific rules do not apply to journalists when they act in their professional capacity can be a challenging task. This creates significant compliance challenges for both journalists and individuals seeking to exercise their fundamental rights, as well as for data protection authorities responsible for enforcing the law. On a theoretical level, this approach seems to contradict the primary goal of the GDPR, which aims to establish a more coherent data protection framework within the Union.

Leaving the “journalistic exemption” to be regulated by national authorities carries inherent risks. Given the varying state of the rule of law in Europe, such a broad margin of appreciation may allow less democratic regimes to interpret the right to data protection in an excessively broad manner, thereby creating barriers for public watchdogs to operate. Some Member States have implemented very narrow exemption regimes or have not exempted journalistic activities from the application of the GDPR at all. The ambiguity of the GDPR language combined with restrictive national implementations has led to legal proceedings against media organizations for alleged GDPR violations. Two notable examples are the Forbes Hungary case and the RISE Project case in Romania. Both cases demonstrate how Member States, having wide discretion under Article 85 of the GDPR, can exploit and instrumentalize the Regulation against its original purpose, to the detriment of free expression (for more information, see Rucz, 2022).

In a 2021 resolution, the European Parliament acknowledged for the first time that the GDPR is being used in litigation and administrative proceedings as a form of strategic litigation against public participation (SLAPP) targeting journalists (for more information, see Rucz, 2022). Eventually, in 2022, the European Commission’s Explanatory Memorandum to the Anti-SLAPP Directive proposal also addressed this issue.

No significant regulatory changes on the horizon

In its June 2020 Communication presenting the GDPR implementation report, the European Commission acknowledged the challenge to balance the right to freedom of expression and data protection. It went further to state that the “(data protection rules (as well as their interpretation and application) should not affect the exercise of freedom of expression and information, for instance by creating a chilling effect or putting pressure on journalists to disclose their sources” and promised to continue its assessment of the national legislation. However, even after five years of GDPR implementation, no specific regulatory or policy initiatives, apart from those addressing SLAPPs, have been proposed in this area. For instance, the only EU-wide guidelines in this field were issued by Working Party 29, a predecessor to the European Data Protection Board (EPDB), back in 1997. The EDPB work programme for 2023-2024 does not include any plans to issue new recommendations in this area. Consequently, in the absence of a harmonized European direction, we are likely to witness a growing number of constitutional challenges and the proliferation of divergent national regulatory approaches in this field.