• Data Protection Law is developing as a significant additional dimension of liability, jeopardy and obligation for journalists and indeed anyone processing data professionally in the digital age where so much private information can be stored and gathered with speed and on smaller hardware digital data processing devices;
• An example of litigation which resulted in a settlement and payment of damages is a report by media lawyer chambers 5RB in November 2022 when Channel 5 television ‘made a statement in open court apologising to Ms Amel Fridhi for featuring her in an edition of the reality show Can’t Pay? We’ll Take it Away!’ Ms Fridhi and her family were evicted from their home. The High Court Enforcement Agents (bailiffs) who carried out the eviction wore bodycams and microphones owned by Brinkworth, the production company engaged by Channel 5 to make Can’t Pay. She believed that the bodycams were only being used for the personal protection of the bailiffs; she had no idea that the video and audio collected in this manner was to be included in a television programme. This was a clear example of misuse of private information using digital processing of information. (See: https://www.5rb.com/news/substantial-damages-for-reality-show-victim/)
• The Information Commissioner’s Office, known as the ICO, regulates the Data Protection Acts, the UK’s General Data Protection Regulation, known as GDPR, and Freedom of Information Act, and is gaining importance and power as an additional statutory regulator of journalistic conduct and content and this is likely to develop with the implementation and regulation of a new statutory code legislated for in the 2018 Data Protection Act coming into force in February 2024. Brexit and the UK’s leaving of the European Union did not abolish UK GDPR as it stood in the EU legal context at the time of enacting the 2018 legislation. UK GDPR replaces EU GDPR.
• Anyone processing digital information about other individuals for journalistic purposes, any employing journalistic publisher, and even individual freelances researching future story/feature publication involving the personal information of others is legally obliged to register with the ICO under the Data Protection Act 2018;
• It is possible to find out any entitlement to exemption by carrying out a registration self-assessment. For most individuals and organisations that qualify as ‘Micro organisations’ the annual registration fee as at 2023 is £40 with discount for those doing so online. It could be argued that this amounts to a back-door method of state licensing and registering of journalists and journalist publishers. The funds raised underwrite the development of the ICO’s regulatory bureaucracy;
• There is now a growing body of case law demonstrating direct regulatory and punitive intervention by the Information Commissioner. This includes a fine imposed on the Daily Telegraph of £30,000 for misusing the data it had collected from its subscribers so that it could send hundreds of thousands of emails on the day of the general election urging readers to vote Conservative. (See: https://www.theguardian.com/media/2015/dec/21/telegraph-fined-email-conservatives);
• From the 25th May 2018, the ICO became responsible for enforcing a new data protection regime in the UK combining GDPR with the new Data Protection Act 2018 (DPA 2018). (See: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/);

• On 6th July 2023 the ICO finalised and submitted the ICO Code of Practice on Data Protection and Journalism to the Government and Parliament for approval and implementation by statutory instrument and this came into force from 22nd February 2024. The Code of Practice itself is 41 pages long (See: https://ico.org.uk/media/for-organisations/documents/4025760/data-protection-and-journalism-code-202307.pdf )and the accompanying reference notes or guidance 47 pages long (See: https://ico.org.uk/media/for-organisations/documents/4025761/data-protection-and-journalism-code-reference-notes-202307.pdf – considerably shorter than the drafts provided earlier for consultation. However, it could be said that the completed code and reference guide combines to be nearly the equivalent of the 93 page draft.

The Information Commissioner John Edwards said: ‘The crucial public interest role served by the media and its power is the reason journalism is covered by data protection law. The law includes important provisions that enable journalism, whilst also protecting people by ensuring that personal information is used lawfully.’

He re-affirmed that ‘A free media is at the heart of any healthy democracy – keeping us informed, encouraging debate and opinion, and entertaining us. It is a crucial part of the fundamental right to freedom of expression and information. A free media is also often called the public’s watchdog because of its role in uncovering wrongdoing and holding the powerful to account.’

The significance for all journalists and indeed their media lawyers is that under Section 12 of the Human Rights Act, the ICO Code of Practice for journalists becomes the fifth reference document that UK courts will need to take into account when adjudicating litigation pitching a conflict between Article 10 Freedom of Expression and Article 8 Privacy Rights.

The legal effect of the statutory code once in force is set out in section 127 of the DPA 2018. It includes that in proceedings, a court or tribunal must take the code into account where relevant. In determining a question arising in the proceedings the issue needs to relate to a time when the provision was in force, and the court or tribunal has to be sure that the ICO’s ‘Data protection and journalism code of practice’ is relevant to the question.

Eloise Spensley of the Hold The Front Page Jaffa Media Law Column analysed this development on 25th July 2023 ‘ICO publishes code of practice on data protection and journalists’ (See: https://www.holdthefrontpage.co.uk/2023/news/law-column-ico-publishes-code-of-practice-on-data-protection-and-journalists/ ) and warned: ‘Dry though it is, data protection cannot be ignored, and when breaches of the law are alleged, it’s a painful process to get to the bottom of what happened – and even more painful to try to extricate yourself from the problem. Trust me, I’ve been there!’

The professional challenge for journalists is in meeting the criteria for the exemption code so that the collection and processing of personal information in researching stories and content does not breach Data Protection Law. There is some concern that this is easier said than actually done. The ICO code says:

‘To apply the exemption, you must: use personal information for a journalistic purpose; act with a view to the publication of journalistic material; and reasonably believe both that: publication would be in the public interest; and complying with a specific requirement would be incompatible with your journalistic purpose.’

The potential Achilles Heel here is in failing to fulfil all those criteria in the heat of the growing complaints culture and process of litigation. The other worry is the judgements made about what the journalist considers ‘a reasonable belief’ to be ‘in the public interest’ and a ‘reasonable belief’ that complying would not be compatible with journalistic purpose’ will be made by non-journalists and this could go up the legal chain of precedent.

See below some more detailed analysis of the concern about how Data Protection Law is expected to impact on journalistic freedom and practice.

The highlights in the Code which need to be fully recognised and implemented:

Section 2 of the code says: ‘Demonstrate how you comply‘ and ‘You cannot apply the journalism exemption to the requirement to demonstrate how you comply. However, if you meet the criteria to apply the exemption, you no longer have to comply with the specific requirement to consult us if a Data Protection Impact Assessment (DPIA) reveals a high risk you cannot mitigate.’

The obligations increase and multiply in proportion to the size of the publisher and journalist organisation.

Section 3 of the code says: ‘Keep personal information secure‘ and ‘You cannot apply the journalism exemption to the requirement to keep personal information secure. However, if you meet the criteria to apply the exemption, you no longer have to comply with the specific requirement to tell people affected by a data breach when there is a high risk.’

Section 4 of the code says: ‘Use personal information lawfully‘ and ‘If you meet the criteria to apply the journalism exemption, you can rely on it to make sure your use of personal information is lawful, rather than relying on one of the usual data protection lawful bases, such as legitimate interests or consent. This section of the code sets out what the legislation says and how to comply when you are not applying the exemption.’

Section 5 of the code says: ‘Use personal information fairly‘ and ‘If you meet the criteria to apply the journalism exemption, you no longer have to comply with the requirement to use personal information fairly. This section of the code sets out what the legislation says and how to comply when you are not applying the exemption.’

Section 6 of the code says: ‘Use personal information transparently‘ and ‘If you meet the criteria to apply the journalism exemption, you no longer have to comply with the requirement to use personal information transparently. This section of the code sets out what the legislation says and how to comply when you are not applying the exemption.’

Section 7 of the code says: ‘Use accurate personal information‘ and ‘If you meet the criteria to apply the journalism exemption, you no longer have to comply with the requirement to use accurate personal information. This section of the code sets out what the legislation says and how to comply when you are not applying the exemption.’

Section 8 of the code says: ‘Use personal information for a specified purpose‘ and ‘If you meet the criteria to apply the journalism exemption, you no longer have to comply with the requirement to use personal information for a specified purpose. This section of the code sets out what the legislation says and how to comply when you are not applying the exemption.’

Section 9 of the code says: ‘Use only the personal information you need.’ and ‘If you meet the criteria to apply the journalism exemption, you no longer have to comply with the requirement to use only the personal information you need. This section of the code sets out what the legislation says and how to comply when you are not applying the journalism exemption.’

Section 10 of the code says: ‘Keep personal information only for as long as you need it‘. and ‘If you meet the criteria to apply the journalism exemption, you no longer have to comply with the requirement to keep personal information only for as long as you need it. This section of the code sets out what the legislation says and how to comply when you are not applying the journalism exemption.’

Section 11 of the code says: ‘Be clear about roles and responsibilities‘ and ‘You cannot apply the journalism exemption to the specific requirements in this section. However, if the criteria to meet the exemption is met, you no longer have to comply with the general principles for restricted transfers of personal information.’

Section 12 of the code says: ‘Help people to use their rights‘ and ‘If you meet the criteria to apply the journalism exemption, you no longer have to comply with the specific rights people can exercise relating to their personal information, except for rights about automated uses of personal information. This section of the code sets out what the legislation says and how to comply when you are not applying the journalism exemption.’

It might be wise to be highly cautious about engaging with Artificial Intelligence technology and processes with personal information data when researching stories since these could be intepreted as ‘automated uses of personal information.’

Section 13 of the code covers the application of the journalism exemption across pages 37 to 40.

These pages need to be studied and evaluated with great care and anticipation.

This is because they state the parameters and boundaries about what the ICO views as the methodology of determining ‘public interest’ and ‘reasonable belief.’

These are the key jurisprudential qualifiers in meeting the criteria for the journalism exemption.

At 13.11 and 13.12 the code explains:

‘13.11 However, journalism is not limited to professional journalists and media organisations. For example, members of the public may carry out journalism, typically online. This is sometimes known as “citizen journalism”.
13.12 The exemption can also apply when you use personal information for journalism, as well as another purpose. For example, a campaign group can use personal information for both journalism and campaigning.’

Section 14 ‘Complaints, enforcement and investigations’ informs journalists and their publishers: ‘People have the right to complain to you, us, and the courts about how you have used their personal information’ and at 14.8 the ICO last sentence of the code concludes rather bleakly: ‘We can also investigate and prosecute criminal offences when we consider it is in the public interest.’

The code’s accompanying reference document requires the same care and attention.

In particular the guidance for compliance with the journalism exemption code across pages 34 to 36 provides great detail and scale of referencing to case law.

Case example 13 – Freedom of Information Act 2000 (FOIA) – definition of journalism (paragraph 13.9 of the code) UK Supreme Court Sugar (Deceased) v BBC and another [2012] UKSC 4

Case example 14 – DPA 1998 – definition of journalism (paragraph 13.9 of the code) High Court NT1 & NT2 v Google LLC and ICO [2018] EWHC 799 (QB)

Case example 15 – Data Protection Directive 95/46 – definition of journalism (paragraph 13.9 of the code) ECJ Satamedia (Case C-73/07)

Case example 16 – Data Protection Directive 95/46/EC – definition of journalism (paragraph 13.9 of the code) ECJ Buivids (C-345/17)

Case example 17 – DPA 1998 – meaning of “acting with a view to publication” (paragraph 13.13 of the code) Court of Appeal Campbell v MGN Limited [2002] EWCA Civ 1373

Case example 18 – DPA 1998 – meaning of “reasonable belief” (paragraph 13.15 of the code) High Court NT1 & NT2 v Google LLC and ICO [2018] EWHC 799 (QB)

Case example 19 – DPA 1998, Misuse of Private information – editorial discretion (paragraph 13.16 of the code) House of Lords Campbell v MGN [2004] UKHL 22

Case example 20 – Misuse of private information – editorial discretion and evidence to demonstrate decision-making (paragraph 13.16 and 13.17 of the code) High Court Sicri v Associated Newspapers Ltd [2020] EWHC 35 41 (QB)

Case example 21 – DPA 1998. Misuse of private information – public interest and proportionality (paragraph 13.18 of the code) House of Lords Campbell v MGN Ltd [2004] UKHL 22

Case example 22 – ECHR – Importance of the right to freedom of expression and information, and the role of the press (paragraph 13.20 of the code) Sunday Times v UK (No.2) 26 November 1991

Case example 23 – DPA 1998 and Misuse of Private information – Importance of right to privacy (paragraph 13.22 of the code) House of Lords Campbell v MGN [2004] UKHL 22

Case example 24 – ECHR and HRA 1998 – balancing Article 8 and Article 10 rights (paragraph 13.22 of the code) House of Lords In re S (A Child) [2004] UKHL 47

Case example 25 – DPA 1998 – meaning of “incompatible with a journalistic purpose”(paragraph 13.26 of the code) First-Tier Tribunal True Vision Productions (TVP) v ICO (EA 2019 0170)

To list 13 precedents as guidance on the application of the journalism exemption might be considered as a useful indicator of any future framework for the ICO’s position in future litigation. Does it help or obfuscate, does it simplify or overcomplicate? These questions are a matter of open debate. The journalism industry and their legions of media lawyers may be justified in thinking the future road for journalism in data protection law is going to be hard, rocky and not so secure.

PDF file of the media law guide on the ICO Data Protection and Journalism Code of Prctice

Background history to Information Commissioner’s engagement with journalists and their publications.

• The Information Commissioner provided a guide in 2014 for journalist/media bodies setting out their legal duties as data controllers. (See: https://ico.org.uk/media/for-organisations/documents/1552/data-protection-and-journalism-media-guidance.pdf) In particular, journalists have to make sure any of their working personal data, particularly of contacts and sources, is kept securely and that usually requires the encryption of information being transported on USB keys/memory sticks that are easily lost and misplaced and operation of smartphones and computer hardware devices;
• Particular care is needed in email and social media communications to avoid accidental copying in of email addresses and batch email lists (the reply all facility) which unlawfully distributes private information to more than a single intended recipient or limited and closed confidential group;
• GDPR is now a recurrent adjunct to privacy litigation in media law which is evident in High Court rulings in this area of the law where there will be claims for compensation pursuant to Article 82 of the General Data Protection Regulation (EU) 2016/679 for the unlawful processing of a claimant’s personal data. This additional frontier and dimension of media law will inevitably engage an increasing level of professional media law instruction and protection for professional journalists and their employing/commissioner publishers;
• The greater involvement of the ICO in journalism conduct and publication is a result of the Leveson Inquiry which reported in 2012. The ICO’s media guidance published in 2014 acknowledges this when saying ‘In the report of the Leveson Inquiry into the culture, practices and ethics of the press, Lord Justice Leveson recommended that the ICO: “should take immediate steps, in consultation with the industry, to prepare and issue comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data.”’
• The 2018 House of Commons briefing paper ‘Press regulation after Leveson’ published in 2018 (See: https://researchbriefings.files.parliament.uk/documents/CBP-7576/CBP-7576.pdf) clearly indicates that Parliament supported this development through the 2018 Data Protection Act and the ICO’s Journalism Code is a statutory obligation arising from the legislation. (See Section 124 Data protection and journalism code https://www.legislation.gov.uk/ukpga/2018/12/section/124/enacted);
• The journalism industry and its editors are concerned that the statutory code is going to elaborate and increase a double or even triple jeopardy for privacy related litigation in journalism practice of all kinds as this new form of statutory regulation could overlap with the regulation of licenced broadcasters by Ofcom, journalism publishers by IPSO and self regulation by the BBC. Some degree of overlapping may also take place with the Press Charter recognised regulator IMPRESS. (See: ‘New privacy code will endanger Press freedom, editors say’ https://www.dailymail.co.uk/news/article-11556341/New-privacy-code-endanger-Press-freedom-editors-say.html and the Information Commissioner’s response at https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/12/blog-commissioner-responds-to-misdirected-criticism-of-journalism-code/);
• The ICO has undertaken two periods of consultation during 2021 and 2022 over the draft code which has been published in its full form of 93 pages (See: https://ico.org.uk/media/about-the-ico/documents/4018647/journalism-code-draft-202110.pdf) and an ‘at a glance’ draft briefing consisting of 6 pages (See: https://ico.org.uk/media/about-the-ico/consultations/4021554/ico-draft-journalism-code-at-a-glance.pdf) The latter in style and layout bears some resemblance to the UK Editors Code of Practice;
• The key aspect of the ICO’s Journalism Code and engagement of journalists in data protection law is the effectiveness of the ‘journalism exemption’ in protecting legitimate and public interest practice from liability to subject requests, litigation and statutory regulatory intervention and discipline;
• Under the Data Protection Act 2018, journalists are exempted from compliance with certain requirements providing they can satisfy the two-step test of: the processing being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and the data controller at the publisher reasonably believes that the publication of the material would be in the public interest. (See Part 5 Exemptions etc based on Article 85(2) for reasons of freedom of expression and information https://www.legislation.gov.uk/ukpga/2018/12/schedule/2/enacted);
• The exemption applies if: journalists use personal data for journalism; act with the intention or hope of publishing journalistic material; reasonably believe publication is in the public interest; and reasonably believe that complying with a specific part of data protection law is incompatible with journalism. Journalists and their publishers are going to need to provide proof that these criteria were complied with if legally challenged. The exemption cannot apply to anything that is not an integral part of the newsgathering and editorial process.
• The major test of the fairness of the code and the evaluation of exemption compliance will be how the courts and the ICO evaluate and adjudicate journalists’ ‘reasonable belief publication is in the public interest.’ The ICO draft ‘at a glance’ guide advised: ‘A reasonable belief is one you are able to justify in a reasonable way. Deciding what is “in the public interest” involves considering the circumstances, balancing arguments for and against, and judging how the public interest is best served overall. The exemption applies if you reasonably believe that a specific part of data protection law must or should be set aside because complying with it disproportionately restricts your journalistic activity.’
• In practice journalists and journalism publishers would be wise to retain documentation and a data/record trail which demonstrates evidentially the consideration of the public interest. It would need to strike an appropriate balance between freedom of expression and privacy rights (reasonable expectation of privacy) and take into account the general public interest in freedom of expression, any specific public interest in the subject matter, the level of intrusion into an individual’s private life, including whether the story could be pursued and published in a less intrusive manner and the potential harm that could be caused to individuals.
• Specific evidence of assessing the relative proportionality in balancing freedom of expression and privacy rights would be helpful. it cannot be in the public interest to disproportionately or unthinkingly interfere with an individual’s fundamental privacy and data protection rights;
• The ICO draft code recognised that when someone is charged with a crime, the open justice principle means there is generally an expectation of transparency, although this data may become private with the passage of time. But the draft code advised: ‘You should make sure you can justify your decision to use any personal data in view of the risk of harm and publish data that is proportionate to the public interest.
• The draft code stated that when photographs or filming may be particularly intrusive by their nature: ‘You must consider whether it is fair to use the data, even if the person is in a public place.’ The draft code accepted ‘Using covert surveillance, subterfuge or similar intrusive methods may be justified in the context of journalism but you are likely to need to use the journalism exemption and if the criteria applies, the journalism exemption can remove the usual requirement to use personal data fairly.’

• An example of a news publisher’s compliance notice and policy in respect of Data Protection Law is set out for the Isle of Man Examiner‘s website Isle of Man Today at https://www.iomtoday.co.im/service/privacy-and-cookies-510941 The newspaper is owned by Tindle Newspapers Ltd and the notice explains how the paper and its website will collect, use, share, disclose or otherwise process the personal data of its readers. The policy publishes online how data will be used for journalistic purposes in the context of the GDPR exemption: ‘…data will be used for the researching, compiling and publishing of articles in print and online. Such information will need to be retained for legal reasons, for follow-up articles, for a paper trail for correspondence, for points of contact, and for other reasons associated with the running of a newspaper and its associated website.’ The newspaper explains that on: ‘Accuracy: For journalistic work, we follow the IPSO Code of Conduct to ensure compliance with the GDPA.’
• Clear evidence of data protection law being present in UK privacy litigation emerged in the case of Paul Weller on behalf of his children v Mail Online (Associated Newspapers) in 2014. The ruling by Mr Justice Dingemans was seen as a significant development of UK privacy media law in barring the interference of privacy rights of children photographed in a public place, anywhere in the world.
• The judge said: ‘It is common ground that the claim for infringement of the Data Protection Act stands or falls with the claim for wrongful misuse of private information. In the light of my finding above I find that the claims for breach of the Data Protection Act are established’. He concluded: ‘I find that there was a misuse of private information in the publication, from 21 to 22 October 2012, by Mail Online of photographs showing the faces of the Claimants on a family outing with their father. There was also a breach of the Data Protection Act.’ (See https://www.bailii.org/cgi-bin/format.cgi?doc=/ew/cases/EWHC/QB/2014/1163.html);
• In 2016 Press Gazette carried an article by the leading media lawyer Hugh Tomlinson KC who analysed data protection law in respect of the Sun newspaper illustrating its front page report on the England football team’s humiliating defeat at the hands of Iceland with a photograph of Wayne Rooney’s six-year-old son, Kai, in tears. Several other pictures of Kai at the match appeared in the Sun Online. He argued a data controller who ‘processes a photograph showing a crying child cannot reasonably believe that publication of this photograph would be in the public interest’ and consequently ‘if Mr and Mrs Rooney wished to take action over the Sun’s front page, they would have a strong claim under the DPA. If the photograph has had an impact on Kai himself he would be entitled to damages for distress.’ (See: https://pressgazette.co.uk/media_law/top-media-law-qc-says-sun-could-face-action-under-data-protection-act-over-front-page-pic-of-six-year-old-kai-rooney/)
• Where the journalist is working as part of an organisation it is the belief of the data controller that counts, not the individual journalist. The data controller must be able to demonstrate that it had a belief about the public interest, i.e. that the issue of public interest was actually considered. It should be able to show, too, that it was considered at the time of the relevant processing of personal data and not just after the event.
• Data Protection Law and the future enforcement of the ICO’s Journalism Code most likely requires journalists and their publications to qualify for the statutory exemption by proving a reasonable belief that publication was in the public interest. This can be achieved if the organisation or freelance journalist has: clear policies and procedures on public interest decisions; can show that those policies were followed; can provide a cogent argument about the public interest; and has complied with any relevant industry codes. It can be argued that this requires a considerable systematisation and legal compliance check-list record in the everyday practice of journalism.
• in May 2014 the European Union Court of Justice asserted the ‘right to be forgotten’ allowing individuals to force removal of links to web articles. The EU court had ‘direct effect’ in UK media law and represented a sobering reminder that British publishers are increasingly becoming subject to European developments in media law and regulation, particularly with regard to privacy, data protection and data processing. The case involved a Spanish lawyer who objected to Google linking to old information about an unpaid debt. The ruling opened the floodgates for people demanding that links to old news about them online should be deleted. It does not mean that news publishers will be under a duty to remove archived articles. It applies specifically to Google in terms of it being seen as a ‘data processor’ rather than publisher. (For the full text of the ECJ ruling in Google Spain and Google see: Mario Costeja Gonzalez v Google Spain and Google (Judgment of the Court) [2014] EUECJ C-131/12 (13 May 2014) http://bailii.org/eu/cases/EUECJ/2014/C13112.htm);
• Google were compelled to set up a system of receiving and deciding requests. By July 2014 Google was having to deal with 1,000 demands every day. In September 2014 Press Gazette reported that more than 80 stories across the national press and BBC websites had been subject to ‘right to be forgotten’ removals. (See: http://www.pressgazette.co.uk/more-80-stories-across-national-press-and-bbc-have-right-be-forgotten)
• At present the right to be forgotten does not extend to any legal duty for journalistic publishers to remove online articles even from their archives. However, the implications of the ruling are that individual online users would find it harder to access information about people they were carrying out ‘searches’ on. The EJC ruling does not apply to Google’s search engine operations outside the European Union.
• By 2015 the Information Commissioner’s Office was taking a more pro-active and interventionist approach to applying Data Protection law when it was judged that a continuing online media publication that had been de-linked from the Google search engine still needed a public interest justification. Mr Justice Warby (as he then was) produced a ruling in 2018 which applied the implications of Gonzales into English data protection law jurisprudence in NT 1 & NT2 v Google (https://www.bailii.org/ew/cases/EWHC/QB/2018/799.html). Journalists may argue that this development of data protection law will have the effect of disassembling the online index of public record of journalistic coverage of past criminal convictions.
• As explored in Chapters 3 and 11, there have been developments in ECtHR law at Strasbourg which underlines the potential legal duty of journalistic online publishers to remove private data tags in html coding after receiving a right to be forgotten data protection request (See Biancardi v Italy 2021 https://www.bailii.org/eu/cases/ECHR/2021/972.html ), and the Grand Chamber in the case of Hurbain v Belgium supported the earlier ECtHR court ruling that a journalist publisher, Le Soir newspaper, was obliged to anonymize the name of a convicted criminal in an archived crime report. (See: Hurbain v Belgium https://hudoc.echr.coe.int/eng#{%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-225814%22]} and 3rd Section ruling in 2021 https://www.bailii.org/cgi-bin/format.cgi?doc=/eu/cases/ECHR/2021/544.html);

Media Briefing PDF file on ECtHR Grand Chamber ruling in Hurbain v Le Soir July 2023

• The very nature of journalistic practice involves communications and gathering of information from confidential sources and from individuals who have a reasonable expectation of the protection of that confidentiality in the context of privacy law. This means it is likely ICO regulation of the future Journalism Code may lead to investigations and potential penalties for journalists and their organisations who fail to honour promises and the professional obligation to protect sources. This is where Data Protection duties to protect personal data have failed and its loss led to the risk of harm to people exposed.
• Data protection law requires journalists and their publishers keep personal data secure; protecting personal data against unauthorised or unlawful use and accidental loss, destruction or damage, maintain organisational security measures and physical security; be able to restore personal data if there is a security incident and review and keep security measures up-to-date;
• The most serious recent investigation by the ICO of a media organisation’s compliance with the journalism exemption in Data Protection Law was the case of True Vision Productions v ICO. TVP filmed the documentary called ‘Child of Mine’ in 2017, an observational programme about the experience and aftermath of stillbirths. The TVP team recorded visual and audio CCTV of expectant mothers having medical consultations when they were concerned about the health of their babies. The ICO fined the production company £120,000 under 1998 Data Protection Act legislation (See: https://ico.org.uk/media/action-weve-taken/mpns/2614746/true-visions-productions-20190408.pdf). The Tribunal found that the purpose of the recording was to capture the moment when the mother was informed that her baby had died. TVP did not ask for the consent of the mothers prior to recording the consultations because to receive informed and effective consent, the mothers would have needed to be told that there was a prospect that their babies had died.
• TVP lost the case because it was judged that the production had ‘failed on the issue of transparency.’ The Tribunal ruled that hand-held cameras could have been used instead of CCTV, and this would have made the mothers aware that they were being recorded. This would have ‘prevented the collection and retention of data without the mother being aware it was taking place.’ The ICO Monetary Penalty Notice for £120,000 was reduced to £20,000 by the Tribunal because the breach was deemed to be non-deliberate, TVP had considered privacy rights prior to filming, and the breach did not warrant putting a company out of business. (See https://holdthefrontpage.co.uk/2021/news/law-column-data-protection-and-the-journalism-exemption-in-practice and https://www.5rb.com/wp-content/uploads/2021/02/True-Vision-Productions-v-Information-Commissioner-2021-UKFTT-2019-0170-GRC-08-January-2021.pdf);
• The media lawyer specialist chambers 5RB said one of the lessons of this case is that ‘journalists must consider what can be done to maximise fairness’, even if it is reasonable to believe that full compliance with sensitive data protection cannot be achieved. 5RB also explained ‘This was the first and only occasion on which the ICO imposed an MPN on a media organisation under the DPA 1998. Under the DPA 2018, the ICO requires the permission of the Court before an MPN can be imposed in respect of processing for the special purposes.’ (See: http://5rb.com/case/true-vision-productions-ltd-v-information-commissioner/);
• The Data Protection Act 2018 sets out a criminal offence under section 170 for the ‘Unlawful obtaining of personal data’ (See: https://www.legislation.gov.uk/ukpga/2018/12/section/170/enacted) Journalists have the following potential defences where the unlawful obtaining of personal data: was necessary for the purposes of preventing or detecting crime; in the particular circumstances, was justified as being in the public interest; the person acted (ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and (iii) in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest. All of these criteria appear to be required.
• Section 171 of DPA 2018 has created a new offence of re-identification of de-identified personal data. This takes place where personal data that has been anonymised by a data controller is later amended to reveal the data without consent. This could affect journalists and researchers who use software to remove the redaction on documents. To use such software, without consent, would be a criminal offence. (See: https://www.legislation.gov.uk/ukpga/2018/12/section/171/enacted);
• There are no custodial sentences in respect of offences under DPA 2018 and no powers of arrest; all offences are punishable only by a fine. From 2017, the maximum cap of £5,000 for fines in the Magistrates Court for summary offences was lifted in order to apply the principle that the ‘punishment fits the offender.’
• The UK Supreme Court ruled in the case of Lloyd v Google in November 2021 that section 13 of the DPA 1998 cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention. Google successfully defended a group action for a large data breach andit it is seen as a favourable ruling for data controllers which is likely to act as a brake against any deluge of opt-out claims for mass infringements of data protection law. This and other first instance cases indicate that the UK courts courts are not prepared to permit data privacy laws to be used in speculative or legally misconceived actions. (See https://www.bailii.org/uk/cases/UKSC/2021/50.html and https://www.supremecourt.uk/cases/uksc-2019-0213.html);
• There is increasing concern in 2023 about the ICO’s interventions on Data Protection Law and how it relates to journalistic conduct and practice. Journalism industry bodies fear this will have a negative impact on open justice and freedom of expression custom and practice. This became evident when it emerged that College of Policing plans to give the green light to police forces wishing to keep names of suspects accused of many serious offences secret was the result of advice from the Information Commissioner on data protection law. The College of Policing proposed guidance that forces no longer ‘should’ name those charged with crimes including indecent exposure, domestic violence or child sexual abuse, instead advising that individuals ‘can be named’. This plan was U-turned after considerable public outcry from journalist publishers.
• The College of Policing’s head of communications Matt Peck said that amendments had been proposed by the Information Commissioner’s Office to take account of evolving data protection law. The current APP (Authorised Professional Practice) on Media Relations is set out at https://www.college.police.uk/app/engagement-and-communication/media-relations. The public row over the proposed changes is effectively summarized in the article published by Police Professional “No changes to police media relations guidance without consultation, says college after ‘deep concerns’ raised.” (See: Hold The Front Page ‘New police guidance would making naming of suspects optional.’ Press Gazette ‘Police could keep names secret after charge under new draft guidelines. The proposed guidance states that forces “can” name charged suspects. The current advice is they “should.”‘ Rebecca Camber wrote for Mail Online: ‘Secret justice and how the Nicola Bulley fiasco is driving the police to make another catastrophic error. Mike Sullivan wrote for the Sun: ‘Cop plans to stop public knowing who has been charged with crime could let rapists like David Carrick carry on attacking.’)
• The Information Commissioner fined the social media platform TikTok 12.7 million pounds 4th April 2023 for misusing children’s data. The ICO found that more than one million UK children under 13 estimated by the ICO to be on TikTok in 2020, contrary to its terms of service. Personal data belonging to children under 13 had been used without parental consent and TikTok “did not do enough” to check who was using their platform and take sufficient action to remove the underage children that were. See: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/04/ico-fines-tiktok-127-million-for-misusing-children-s-data/ The initial fine had been set at £27 million. See: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/09/ico-could-impose-multi-million-pound-fine-on-tiktok-for-failing-to-protect-children-s-privacy/ Taking into consideration the representations from TikTok, the regulator decided not to pursue the provisional finding related to the unlawful use of special category data. Special category data includes: ethnic and racial origin, political opinions, religious beliefs, sexual orientation, Trade union membership, genetic and biometric data or health data.
• UK data protection law says that organisations that use personal data when offering information society services to children under 13 must have consent from their parents or carers. Companies who breach the UK GDPR and/or the Data Protection Act can be fined up to £17.5 million or 4% of the company’s annual global turnover, whichever is higher. Information Commissioner, John Edwards said: ‘I’ve been clear that our work to better protect children online involves working with organisations but will also involve enforcement action where necessary. In addition to this, we are currently looking into how over 50 different online services are conforming with the Children’s code and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough.’ See ICO’s Children’s code at: https://ico.org.uk/childrenscode
• This is just one of several setbacks in state regulation of TikTok across the global sphere. See Arab News ‘TikTok hit with UK fine, Australia government ban’ at: https://www.arabnews.com/node/2281316/media Italy’s competition watchdog had opened an investigation into TikTok for failing to enforce its own rules on removing “dangerous content” related to suicide and self-harm. Australia joined a list of Western nations banning the Chinese-owned apps from government devices. The United States has been urging TikTok to split from its Chinese parent company, Bytedance. See the Guardian’s analysis by Kevin Rawlinson: “How TikTok’s algorithm ‘exploits the vulnerability’ of children.” See: https://www.theguardian.com/technology/2023/apr/04/how-tiktoks-algorithm-exploits-the-vulnerability-of-children