The application of Directive 95/46/EC and the Data Protection Act 1998 when an individual posts photographs of other individuals online
Claire Bessant 
Cite as Bessant C., "The application of Directive 95/46/EC and the Data Protection Act 1998 when an individual posts photographs of other individuals online", in European Journal of Law and Technology, Vol 6, No 2, 2015.
It has long been the tradition in the United Kingdom for parents to take photographs at school events. Such photographs often capture images of several children. When parental photographs were stored in family albums this was not perceived to be a problem. However, with the internet increasingly being used to share photographs, questions have been raised about whether schools should restrict parental photography or impose conditions upon online dissemination of such photographs, in order to protect children's personal data.
Unfortunately, as the UK data protection regulator (the Information Commissioner) recognised in 2010 it is not entirely clear how data protection legislation applies to individuals who are posting third party personal information online. The first issue that this article seeks to explore, therefore, is how European and domestic regulators have interpreted relevant data protection legislation. It considers the extent to which parents who share photographs of third parties online may be caught by the obligations such legislation imposes.
The European Commission have acknowledged that, with the development of new technologies, current European Union data protection legislation may no longer afford effective protection to individuals' personal information. This article, therefore, also explores the potential impact of the proposed data protection regulation both for individuals sharing third party information online, and for individuals whose information is shared.
Key words: data protection; personal information; privacy; data protection directive; data protection regulation
It is traditional for schools in the United Kingdom to host an annual Christmas play, at which parents take photographs of their children. In the summer these schools also host sports days, where again, parents are invited to attend, and to take a photographic record of their children's achievements. Schools have, traditionally imposed few restrictions upon such photography; in the era when photographs were printed out and stored in family albums few parents had any issue with the fact that another parent might take a photograph of their child. In the age of digital photography, however, questions are increasingly being raised about whether schools should restrict parental photography, or impose conditions upon the use of such photographs.
Consider the following scenario: A parent takes several photographs of their child and his school friends at sports day and subsequently posts those photographs to their Facebook page and to their personal blog. The parent photographer does not ask the children or their parents whether they consent to their photographs being shared online. Indeed the parent who has posted the images perceives no need to do so. As Bennett (1992, p13) notes 'It is not immediately obvious … what harm results from the computerized collection, use and disclosure of personal data'. The other parents do in fact object to their children's images being posted online, and they ask for the offending photographs to be taken down. They make clear that they are not happy for their children's pictures to be disseminated online, and state that if such online dissemination is proposed their consent should be sought. It is arguable that in the situation described, the parents are justified in objecting to online dissemination of their children's photographs without their knowledge or consent. The right to data protection is recognised as a fundamental right (Charter of Fundamental Rights of the European Union, Article 8). The online posting of children's images may also raise child protection issues (NSPCC, 2013).
Whilst the Charter does not define data protection, 'data protection is broadly analogous to the concept "information privacy" (Bennett, 1992, p14). It essentially describes "the claim of individuals, groups or institutions to determine for themselves, when, how and to what extent information about them is communicated to others" (Westin, 1967, p7). On that basis, it is the child, or upon their behalf, their parent's right to determine whether the child's image is shared online, not the photographers.
The principal legislative instrument protecting personal information/personal data in Europe is Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data ('the Directive'). Whilst the Directive has been described as 'a milestone in the history of data protection,' (European Commission, 2012a, p2) the unfortunate reality is that in 1990 when theDirective was first proposed the Internet did not exist, indeed even when the Directive was adopted in 1995 the internet had barely begun (per Advocate General Jääskinen in C‑131/12 'Google Spain') and less than 1% of Europeans used the internet (European Commission, 2012b). Few could then have imagined the technological changes that have transformed the way we now disseminate and receive information; online information sharing is part of life for the 250 million individuals across Europe who now use the internet on a daily basis (European Commission, 2012a; European Commission 2012c).
That the internet revolution has brought with it new challenges when it comes to protecting personal information is widely acknowledged. Across Europe, individuals, organisations and data protection authorities alike, seeking to ensure that individuals' personal data are effectively protected, have called for clarification as to how data protection principles apply to new technologies (European Commission, 2010). The Information Commissioner's Office ('the ICO'), charged with implementing data protection rules within the UK, made clear in 2010 that it believed clarification was needed as to how data protection legislation applies when individuals post personal information online (ICO, 2010). A recent survey of UK education authorities provides evidence that professionals who provide advice upon parental photography at school events are similarly unsure how the law applies when individuals take photographs which may subsequently be shared online.
The European Commission has accepted that in the digital age the Directive may no longer be an effective way to ensure the right to personal data protection (European Commission, 2012a). It has accordingly proposed a comprehensive reform of the current data protection rules, with the Directive to be replaced by a new general data protection regulation ('the Regulation'), which will strengthen individuals' rights by enhancing the protection and control they have over their own data (European Commission, 2010b).
The two primary questions that this article seeks to answer, therefore, are: how does data protection legislation currently apply to individuals who share photographs online; and to what extent will the Regulation clarify the position in relation to individuals processing third party personal information online. In order to answer these questions the article explores current domestic and European case law and guidance, seeking to understand how courts and regulators consider the Directive to apply when an individual shares third party personal information, including photographs, online. Drawing upon the author's own research in which freedom of information requests were made to local education authorities seeking information about the guidance that they provide to schools in relation to parental photography, it will consider the difficulties that practitioners apparently face in understanding the application of the Directive. The extent to which the Regulation will clarify the position in relation to individuals processing third party information online will then be reviewed. Whilst a child's right to respect for private life is also undoubtedly affected when a third party disseminates the child's photographs online the protections offered by Article 8 European Convention for the Protection of Human Rights and Fundamental Freedoms ('the European Convention') are not explicitly considered in this article due to word constraints.
2. THE APPLICATION OF THE DIRECTIVE TO ONLINE DISCLOSURES
The Directive is a general framework legislative provision. It 'seeks to establish an equivalent level of protection for personal data in all Member States' (Carey, 2009, p6), detailing certain conditions under which personal data processing may be lawfully undertaken, the rights of individuals whose personal data is processed and certain standards to which those who process data must adhere. The Directive is not directly effective in the domestic law of EU Member States. Member States must thus instead pass national legislation to give effect to the Directive. The UK government ostensibly fulfilled its obligations under the Directive when it implemented the Data Protection Act 1998 ('the DPA'). It is necessary, therefore, to consider the relevant provisions both of the Directive and the DPA when considering the Directive's application within the UK. Whilst the Directive is not directly enforceable within the UK, and any action for infringement of rights to data protection would be brought in accordance with the provisions of the DPA, the DPA must be interpreted in accordance with the Directive. The recent Court of Appeal decision in Google v Vidal-Hall and others  EWHC 13 confirms, further, that, in interpreting the domestic provisions, consideration should also be given to Article 8 of the Charter of the Fundamental Rights of the European Union, 'which makes specific provision for the protection of the fundamental right to the protection of personal data' (Google v Vidal-Hall, paragraph 78).
The Directive states that it applies 'to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system' (Directive Article 3). Where the Directive, and thus in the United Kingdom the DPA applies, certain obligations are imposed upon the data controller; the person who determines the purposes and means of processing of personal data (Directive Article 2; Section 1 DPA).
The phrase 'personal data', a phrase which is essential to an understanding of the European data protection regime, means 'any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity' (Directive Article 2(a)). The leading European case of Lindqvist (ECJ C101/01 ) confirms that 'the act of referring, on an internet page, to various persons and identifying them by name or by other means,… constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46.' Accordingly, the European jurisprudence appears to suggest that when a person posts information about another person online, and this action results in the identification of those individuals, that person is processing data. It is certainly arguable that some photographs taken at school events may when uploaded, and depending also upon any accompanying information, result in the identification of a child. If that is indeed the case then, the photographer is to be treated as a data controller and, as such, they must comply with the obligations detailed within the Directive and thus the DPA.
Whilst the position so far seems clear, the difficulty, unfortunately, arises when one recognises that certain exemptions and derogations from the Directive exist. Two potential exemptions or derogations apply when a parent takes and shares a photograph of a school event. If either of these exemptions or derogations applies, that parent is not required to comply with the Directive/the DPA.
3. WHEN THE DIRECTIVE MIGHT NOT APPLY TO AN INDIVIDUAL WHO HAS POSTED PHOTOGRAPHS ONLINE
The second limb of Article 3(2) of the Directive states that the Directive 'shall not apply to the processing of personal data … by a natural person in the course of a purely personal or household activity'. This provision is implemented in UK law through Section 36 DPA, which states that 'Personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.' We will return shortly to consider the different terminology which appears in the two provisions. The important thing to note here is that if the parent photographer is considered to fall within the personal/household exemption when posting a photograph to Facebook or their personal/family blog (even a photograph which includes images of third parties) then Article 3(2)/s36 will apply. If Article 3(2)/s36 applies, the parent photographer is under no obligation to tell the child whose photograph she has taken that she intends to post those images online, nor is she required to obtain consent to taking/sharing their images.
Even if Article 3(2)/s36 were not considered relevant (perhaps because the parent photographer's blog is used for both commercial and personal purposes) the photographer might argue that their actions, particularly when compiling their blog, are undertaken in the exercise of their right to freedom of expression. Section 32 DPA (implementing Article 9) specifically provides for an exemption from data protection principles 1-6 and 8 and Sections 7, 10, 12, 12A or 14(1)-(3) of the DPA where a data controller processes personal data (for example by sharing photographs online) for journalistic, literary or artistic purposes, and where that data controller reasonably believes that dissemination is in the public interest.
If either Article 3(2)/s36 or Article 9/s32 were considered to apply the parent photographer would effectively be free to disseminate their photographs online (including photographs of friends, family and acquaintances). Many might agree that this is only right and proper, that it is not the state's role to intervene when an individual uses the internet in such circumstances, and indeed that it is impractical for the state to intervene in all such cases. The consequence of such an approach, however, is to leave third parties with no effective remedy under data protection legislation, and if their complaint would not lead to the possibility of an alternative legal claim (for example under the law of libel), there is effectively nothing they can do to prevent that information being disseminated. That individuals should be left with no effective remedy under the very legislation designed to protect their personal information, indeed to protect their privacy, is no small concern, given the extent of data sharing in Europe. 29% of the Europeans interviewed for a Eurobarometer survey published in 2011 use sharing sites for pictures, videos and/or movies, 34% use social networking sites (European Commission, 2011). Europeans regularly disclose personal information online; '[c]ountry-by-country analysis of social networking or sharing sites reveals that photographs are regularly disclosed by social network users (in the United Kingdom (67%), Denmark, Sweden (64%), and Malta (61%)) (European Commission, 2011 p41). A more recent OFCOM survey suggests that within the UK at least internet use continues to grow, with internet take-up increasing 'from 54% of UK households in 2005 to 79% in 2012' (OFCOM 2013, p14). Of particular relevance to this article, in 2013 64% of adult internet users had their own social network profile (OFCOM, 2013), 17% of these social network users confirmed they were sharing video clips and other content online, and between 2 and 3 out of 10 of those adults with a social networking profile admitted to sharing photographs with people potentially unknown to them (OFCOM, 2013).
As internet usage and online information sharing has increased so has the need to clarify how the Directive applies to such activity. Indeed, in 2010 the ICO made clear that:
'A better understanding is needed of what comes within the scope of purely personal or household activity. This is becoming an acute practical problem given private individuals' capacity to process personal data on the internet and to make it widely available to other individuals, for example through social networking services. There are also questions about how far the current exemption that relates to journalism or the purposes of literary or artistic expression can be applied to the activities of private individuals on the internet. There are also significant practical consequences for data protection authorities in terms of the extent to which any new legislative framework may require them to regulate private individuals' online behaviour' (ICO, 2010, p5).
As our consideration of the European and UK guidance on the matter will demonstrate, however, domestic and European authorities have interpreted the requirements of Article 3(2) and Article 9 very differently; they have reacted in very different ways to the challenge of achieving a balance between data protection on one hand and freedom of expression and freedom from state interference on the other. As a result practitioners are struggling to understand how the law actually applies.
4. THE EUROPEAN POSITION
4.1 LINDQVIST (ECJ C-101/01): THE STARTING POINT
Lindqvist, a case decided more than 10 years ago, remains the leading European case on the application of Articles 3(2) and 9 when an individual shares other people's information on the internet. This relatively unusual case concerned a Swedish lady who worked on a voluntary basis for the Swedish Protestant Church as a catechist and had created a website to provide parishioners with information. This website, which could be directly accessed by members of the public from a link on the website of the Swedish Protestant Church, included personal information about Ms Lindqvist's colleagues, and it was one of those colleagues who, objected to online dissemination of her personal information. The Swedish Government had initially found Ms Lindqvist liable for breach of the Directive, but doubtful as to its interpretation of the law in this area it referred the case to the European Court of Justice ('the ECJ') for a preliminary ruling. The ECJ agreed with the Swedish authorities; Ms Lindqvist was in breach of the Directive.
The first of Ms Lindqvists's arguments to be considered by the ECJ was that, as a private individual, her activities, not being market-related activities, fell "outside the scope of Community law." Had Ms Lindqvist's argument been accepted she would have been exempted from complying with the Directive by virtue of the first limb of Article 3(2). The ECJ were adamant, however, that the Directive was as applicable to Ms Lindqvist and her personal website as to large corporations. Whilst the ECJ might be criticised for the stance it took, it is arguable that the ECJ's interpretation was a realistic or pragmatic one, 'driven not so much by the text as by the spectre of future litigation' (Bignami, 2008, p232). Any other interpretation would undoubtedly have resulted in arguments about the distinction between market-related and other activities (Bignami, 2008, p232).
It is, however, the ECJ's conclusions in relation to the second limb of Article 3(2) that are most relevant to this article. Importantly, the ECJ determined that Article 3(2)
'must … be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people'.
Effectively, therefore, the ECJ closed the door on the use of Article 3(2) when an individual provides unrestricted online access to another person's personal information. If one follows the Lindqvist decision to its logical conclusion, an individual who lives in the UK and who posts photographs of third parties to a blog or website, thus revealing personal information about those individuals, cannot rely upon Article 3(2). They should: register with the ICO; inform those individuals of the purposes of the processing, and to comply with the conditions for processing detailed at Schedule 2 DPA they are likely to need to obtain that individual's consent to processing. Any individual whose information is processed on such a blog will be able to ask the processor what information they are processing and for what purposes (s7 DPA), and if the information being processed causes the individual unwarranted and substantial damage or unwarranted and substantial distress (s10 DPA) require the blogger or website owner to cease processing their information. The individual would potentially have recourse to the court and/or the ICO.
4.2 THE INTERPRETATION OF ARTICLE 3(2) IN LINDQVIST, AND SUBSEQUENTLY
Bignami suggests that whilst the ECJ 'easily found that uploading personal data onto Lindqvist's website constituted "personal data processing" covered by the Directive' it was '[w]ith a bit more difficulty' that 'the Court determined that Lindqvist's website did not qualify for any of the exceptions to the personal data processing covered by the Directive' (Bignami, 2008, p230-1). One of the suggestions that Bignami makes is that in order to reach the conclusion that it did, the ECJ adopted an overly narrow interpretation of the term 'outside the scope of community law,' in doing so departing from the plain meaning of the directive (Bignami, 2008, p231-2). Criticisms might also be made of the narrow interpretation of the personal and household exemption adopted by the ECJ in Lindqvist. It must be recognised, however, that the recent case of Ryneš, appears to offer some support for the ECJ's approach.
In Ryneš the court states explicitly that 'the exception provided for in the second indent of Article 3(2) … must be narrowly construed' in order to protect the right to privacy, and to ensure respect for the fundamental rights set out in the European Union Charter of Fundamental Rights (Ryneš C-212/13, paragraph 29). The facts of the Ryneš case were very different to those in Lindqvist; Mr Ryneš had installed a camera system on his home to protect his home and family and this camera also monitored the public footpath and entrance to a house opposite. What Ryneš might be considered to signal, however, is that the CJEU is not currently inclined to review the approach to the personal and household exemption that it first adopted in Lindqvist. This is notwithstanding the fact that concerns have been raised about whether, in the digital age, the premises which inform Article 3(2), and its interpretation in Lindqvist 'can be insisted upon … considering the central role private individuals are assuming in the processing of data' (Warso, 2013, p495).
A key difficulty with Lindqvist, of course, is that it reflects an assumption that 'if something happens online, it is accessed by an unrestricted number of people' (Warso, 2013, p495-6). The CJEU's position therefore is that consequently an online disclosure 'must be "public", and therefore the application of the personal/household exemption is out of question.' At the time of the Lindqvist decision websites such as Twitter, Facebook, Instagram and Flickr had yet to be created; the extent to which individuals would use the internet to share information could not be foreseen. The fact that individuals could choose whether to share information online with a select group, or the public generally, was simply not relevant in Lindqvist. Yet it is now undoubtedly the case that when an individual shares photographs on a social networking or photo sharing site they may, if they know how, take steps to ensure that only 'friends' or 'followers' can view those photos. Indeed across Europe, but particularly in the UK, many individuals do take steps to change their privacy profiles in order to limit access (European Commission, 2011).
The ECJ cannot perhaps be blamed for not anticipating the technological changes that would ensue over the next ten years, and thus for not foreseeing the wider implications of its decision. Indeed, none of the governments submitting remarks, nor the Commission thought that Art 3(2) should apply. The Advocate General, similarly, did not consider that activity with a 'strong social connotation' could be purely personal or household activity, and indeed this was perhaps at the time a logical stance to have taken. The decision, nonetheless, does pose challenges 10 years on. It is presumably for this very reason that the Article 29 Data Protection Working Party ('the Working Party') have offered their opinion on how Article 3(2) should apply in the online context, specifically when individuals share information using social media. In doing so they are undoubtedly proposing a relaxation of the constraints resulting from Lindqvist.
The Working Party pragmatically recognises the need to accept that the personal/household exemption applies to some online activities. Whether or not Article 3(2) does apply to online information sharing, will, however, according to the Working Party be essentially a matter of judgment in each case. Crucially, the Working Party acknowledges that many social network users change their privacy settings to limit access to material posted. The Working Party thus introduces the concept of 'access restriction' (Warso, 2013, p496). Effectively in determining whether Article 3(2) applies it is necessary to consider whether the user took steps to limit accessibility of the information to self-selected contacts or allowed it to be made available either to all members of a social network, or to be publically available and indexable by search engine. It is the Working Party's submission, therefore, that '[a] high number of contacts could be an indication that the household exception does not apply' or, alternatively, that if a user takes an informed decision to extend access beyond self-selected 'friends' they then acquire data controller responsibilities and are subject to the same legal regime as applies to any person who publishes personal data on the web' (Working Party, 2009, p6). Similarly, if a social network user 'acts on behalf of a company or association, or uses the SNS mainly as a platform to advance commercial, political or charitable goals, the exception does not apply' (Working Party, 2009, p6).
There is certainly much to be recommended in the Working Party's opinion, which now answers a key question that Lindqvist failed to, indeed had no need to answer; how does the second limb of Article 3(2) apply when an individual is sharing information online, but only with a limited number of friends or contacts? It still, however, undoubtedly, leaves questions to be answered about how far the 'personal' and 'household' sphere actually extends (Korff, 2010). Furthermore, as Warso notes (2013, p496) the 'approach where the onus is placed on the user to restrict access to their pages to a defined group is based on the dichotomy of "private" and "public". The criterion used by the [Working Party] may … however, prove incompatible with reality as daily experience shows that the borders of the private and public spheres are often blurry, and that the notions of private and public rather than constituting a binary opposition, form a continuum. Also in the online context, various types of content are positioned at different points within this continuum. At one end are data published seeking broad dissemination, at the other, that, which although in the open and public space of the Internet, are not intended for mass communication (or mass communication in aggregate).'
These are not, however, the only concerns that must be raised about the European interpretation of the personal and household exemption. The Working Party make an interesting comment, in suggesting that an individual who shares information online but cannot rely on Article 3(2) due to the extent of dissemination, may be considered to have 'taken on some of the responsibilities of a data controller'. In reality, however, the outcome of the Lindqvist decision is that the same regulatory scheme applies to all online entities, irrespective of their legal status or the purpose of their posts. Whether this is what the drafters of the Directive would have intended is debatable. Pragmatically, is it feasible for Member States to ensure that every individual who makes third party personal information available online complies with the Directive? An obvious alternative might be to grant a full exemption from data protection requirements to anyone who uploads materials to the Internet as a private individual. The problem with this, however, would be to fundamentally undermine data protection. 'The question - the challenge - is then perhaps whether a middle way be found?' (Korff, 2010, p8)
In France, where the national data protection authority has applied Article 3(2) strictly, and restrictively, 'to really purely personal distribution of personal information only', one possible middle way has already been found. Whilst the French data protection law applies to blogs, bloggers are exempt from notification, a technicality which would otherwise potentially pose a significant administrative burden (Korff, 2010, p9). The Commission clearly recognised the onerous nature of many of the obligations imposed upon data controllers by European data protection legislation, suggesting that under the new regulation where the data controller is a micro, small or medium enterprise some relaxing of the rules may be appropriate (Recital to the Regulation as originally drafted). The Council of Ministers' proposed revisions to Chapter IV of the Regulation and their proposed risk-based approach to data protection regulation, similarly recognises that not all data controllers need necessarily to be subject to the same onerous requirements. There is an argument that if relaxations from obligations are appropriate for SMEs, there is a still greater need to relax the rules which apply to individuals processing personal information, particularly when individuals are disseminating information not to the world at large but only to 'friends'. The idea that the law should apply appropriate legal penalties according not merely to the nature of the information disclosed but also taking account of who has disclosed that information has been suggested elsewhere in the context of the regulation of free speech, with a recommendation made that;
'the casual amateur speaker with limited resources or legal advice should be held to lower standards than professional journalists. ..,any regulations should be suited to the digital context, and the procedure and sanctions should be proportionate not only to the harm, but to the level of responsibility expected from the speaker.' (Rowbottom, 2012)
Whilst Rowbottom's suggestion may make sense also in the data protection context, until or unless 'special rules' are introduced specifically for individuals who share information online, individuals who wish to make third party information (including photographs) widely available online may need to consider an alternative route, Article 9, if they wish to 'escape' the Directive's obligations.
4.3 ARTICLE 9 AND THE RIGHT TO FREEDOM OF EXPRESSION
It is to Lindqvist that we must again turn to understand the European position in relation to Article 9. The Swedish Government, the ECJ and those making submissions to the ECJ were all alive to the possibility that Ms Lindqvist might be said to be exercising her right to freedom of expression. The Swedish Government accepted, for example, that Article 3(2) 'might cover cases in which a natural person publishes personal data on an internet page solely in the exercise of his freedom of expression and without any connection with a professional or commercial activity' (Lindqvist, para 31). The European Commission submitted alternatively 'that an internet page such as that at issue in the main proceedings cannot be considered to fall outside the scope of Directive 95/46 by virtue of Article 3(2) thereof, but constitutes, given the purpose of the internet page at issue in the main proceedings, an artistic and literary creation within the meaning of Article 9 of that Directive' (Lindqvist ).
The ECJ ultimately accepted neither of these interpretations, choosing instead to return the question of the application of Article 9 to the national authorities, and stating that it is 'at the stage of the application at national level of the legislation implementing Directive 95/46 in individual cases that a balance must be found between the rights and interests involved' (Lindqvist ). Whilst recognising that Ms Lindqvist's situation did highlight tensions between data protection/privacy and freedom of expression the ECJ thus effectively abdicated responsibility to the national authorities to balance these competing rights.
In support of the decision, Bignami comments that in 'sending the fundamental rights question back to the Swedish court, the Court of Justice both avoided a difficult issue and allowed for considerable national discretion. The fundamental-rights balance between privacy and speech is by no means a precise science and by holding the Swedish court responsible for the balancing, the Court acknowledged that the outcome would be distinctive to Swedish law.' Accordingly, in deferring to the Member State to consider the privacy-speech balance the ECJ Court in Luxembourg 'both affirmed a European commitment to privacy and free expression and made a room for diverse moral orderings of public life at the national level'. The ECJ's decision can thus be seen as demonstrating tolerance for constitutional diversity (Bignami, 2008, p243-4)
In stark contrast to Bignami's plaudits come criticisms that the judgement leads almost inevitably to a too narrow interpretation of freedom of expression across the Member States. This is particularly the case when one recognises that Article 9 does not recognise the right to freedom of expression per se (as the similar provision in Article 10 of the European Convention does) but provides only for exemptions or derogations 'for journalistic purposes or the purpose of artistic or literary expression,' and then 'only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.' The CJEU inTietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy CJEU C-73/07 (Satamedia) has recently recognised that the term 'journalistic purposes' is a wide one, that does not necessarily mean activity undertaken by a media organisation. It suggests it is a term which might also encompass the online processing of personal information by an individual, if their object is to disclose information, opinion or ideas to the public. Nonetheless under the Directive individuals are still afforded only a limited right to freedom of expression, and only when those individuals are exercising their right to freedom of expression for specified limited purposes. There has been no sign from the CJEU that it believes that a more expansive interpretation of freedom of expression is appropriate. Indeed the 2014 judgement in Google Spain and Google Inc v Mario Costeja Gonzalez (C-131/12, paragraphs 69 and 85) suggests the contrary.
The second major criticism that can be made of the Lindqvist decision in relation to the Article 9 issue, is that it can arguably be seen as the root cause of an inconsistent approach to the privacy-free speech issue; across Europe marked divergences in approach to the implementation of Article 9 can be seen. Whilst the most liberal states, Denmark and Sweden, have extended the exception related to freedom of expression to everyone, not just journalists, artists and artistic writers, recognising that everyone should be able to effectively exercise their freedom to seek, receive or impart information, at the other extreme one finds Spain, which makes no reference to freedom of expression at all in Spanish law (Korff, 2010). In between numerous countries, including the UK, adhere strictly to the letter of Article 9, with exemptions or exceptions applying only to press, to journalists, or for journalist, artistic or literary purposes. The extent to which an individual who has posted photographs online in the exercise of their right to freedom of expression may rely upon Article 9, and thus receive relief from the Directive's strict obligations is therefore an issue that cannot be established from consideration of European law alone. It is necessary also to consider the applicable domestic law. It is thus that we turn to the UK law, and the guidance issued by the UK regulator to determine how, in practice Article 3(2) and Article 9 are being applied to UK individuals who share images of third parties online.
5. THE UK POSITION
The UK Information Commissioner is charged both with promoting good practice and ensuring observance of the DPA, in particular through the dissemination of appropriate information and advice (Section 51 Data Protection Act 1998). If ever there were an area in which guidance were needed it would seem to be in relation to the DPA's application in the online sphere. Whilst the Information Commissioner's Office ('the ICO') has undoubtedly recognised this, publishing guidance on the DPA, social networking and online forums (ICO, 2014a) and guidance on data protection and journalism (ICO, 2014b), unfortunately these pieces of guidance do not address all questions which this article has raised.
Whilst the guidance relating to Section 32 (which implements Article 9 in UK law) does acknowledge the need to broadly interpret the notion of journalism (as per Satamedia), little consideration is given to how the Section 32 exemption applies to individuals. Of greater concern, the UK/ICO's interpretation of Section 36, the personal/household exemption, seems to be at direct odds with the European approach, an issue which understandably causes problems for practitioners.
5.1 SECTION 36, THE PERSONAL/HOUSEHOLD EXEMPTION
The first thing to be said about Section 36 is that its wording is noticeably different to that used in Article 3(2). Whilst Article 3(2) refers to processing 'in the course of a purely personal or household activity', section 36 refers instead to processing 'only for the purposes of that individual's personal, family or household affairs (including recreational purposes)'. The potential scope of s36 is therefore significantly wider; the phrase 'recreational' potentially including any activity undertaken for one's own personal enjoyment or relaxation. A key distinction needs also to be made between the word 'activities' (which signifies something that an individual does) with the word 'purposes' (signifying the reason for which something is done). Although these might appear to be only minor differences in wording, the outcome, when one compares the UK interpretation of s36 with the European interpretation of Article 3(2), is a significant divergence in approach.
Whilst Lindqvist focuses upon whether the online processing of personal information might be construed as an action falling within the personal/household sphere (a term which in Lindqvist is narrowly construed), the ICO guidance instead emphasises the 'purposes' for which information is shared online. The ICO thus suggests that if an individual is sharing information online, in a personal capacity, and purely for their own domestic or recreational purposes (ICO, 2014) the exemption will apply, irrespective of the nature of the data being shared, what that data reveals, or indeed the number of people to whom that information is revealed. Accordingly the ICO suggests that the s36 exemption applies whenever individuals, post personal data on social networking sites to keep in touch with friends, when they publish blogs or online diaries sharing information about their daily life, and when they use online forums to 'rant' about neighbours or political figures (ICO, 2011). The ICO suggests further that even when a group of friends share information, for example, if a group of friends meet on holiday and subsequently set up a social networking page to share photographs, the online sharing of such photographs will fall within the exemption, because it will be processing undertaken for 'recreational purposes' (ICO, 2014a).
The ICO's 2014 guidance, indicates that it conceives of few, if any situations, when an individual who is posting information online for purely personal, family, household or recreational purposes would not be able to rely upon the s36 exemption. It is only when an individual shares information online for non-personal purposes, for example for business or charitable purposes that the ICO consider the exemption would not apply to that individual. Accordingly, the ICO has made clear that it 'will not consider complaints made against individuals who have posted personal data whilst acting in a personal capacity, no matter how unfair, derogatory or distressing the posts may be' (ICO, 2014a, p15). Firstly, the ICO has made clear that it believes that it is the right of individuals to use the online space to express their own personal views, in accordance with Article 10 of the European Convention, and that the protection afforded by Article 10 is reflected in both s36 and s32 (ICO, 2011; The Law Society and others v Rick Kordowski  EWHC 3185 (QB)  ('Kordowski')). This is in stark contrast to the views of the CJEU in Google Spain, in which the court (C-131/12, para 69) emphasised not the right to freedom of expression but the right to respect for private life and right to protection of personal data. Secondly, the ICO has argued that the DPA is simply not equipped to deal with such a situation, and that it is impossible for the ICO to regulate what one individual wishes to say about another when exercising their right to freedom of expression (Kordowski). Whilst the ICO's position is perhaps understandable given the resources available to it, it is undoubtedly problematic, for several reasons.
Whilst the ICO does recognise that individuals often use the internet to make both commercial and personal postings, and makes clear that those posts which are made for commercial purposes would be required to comply with the DPA (ICO, 2014a), the ICO arguably fails to recognise the fact that parents are increasingly making postings which are neither clearly personal nor clearly for business purposes, and where the line between the personal/private and public/business sphere is increasingly blurred. Consider, for example, when parents use blogs both to share the minutiae of their family lives and to publicise well-known brands (see www.tots100.co.uk for an illustration of the way in which brands work with parent bloggers).
The ICO's interpretation of the personal/household exemption flies in the face of the European jurisprudence and the Working Party opinion. (Whilst neither of these are mentioned in the 2014 guidance, internal guidance (ICO, 2011) makes clear that the ICO is certainly aware of Lindqvist, but simply disagrees with that decision). It should also be noted that the ICO's approach has failed to find favour in the domestic courts. Although expressing sympathy with the practical difficulties that the ICO would undoubtedly face if s36 were not deemed to apply when individuals posted third parties' personal information online, Mr Justice Tugendhat made clear that he did not consider the Information Commissioner's approach to be sustainable. Whilst acknowledging that 'the DPA was not designed to deal with the way in which the internet now works' (Kordowski ), Mr Justice Tugendhat made clear that he did believe that
'the DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, … The fact that a claimant may have claims under common law torts, or under HRA s.6, does not preclude there being a claim under, or other means of enforcement of, the DPA.'
The ICO's refusal to follow the European line undoubtedly poses problems in practice. Most individuals based in the UK who wish to complain about online postings effectively have no remedy. The ICO, to whom a complaint about breach of the DPA would ordinarily lie, has made clear that the ICO is unlikely to take action in response to a complaint that one individual has posted information online about another individual. This is notwithstanding that, under European law the aggrieved individual would have a potential remedy under the Directive, provided at least that the information has been disseminated to an unlimited number of individuals. It is only if an individual were minded to, and had the money to bring a claim before the domestic courts, for example under Section 10 (the right to prevent processing likely to cause damage or distress) or Section 13 (relating to compensation for failure to comply with the DPA) that such an individual might obtain a remedy. It seems that before the courts an interpretation more in line with the European position would be likely. Certainly the cases of Hegglin and another v Google inc  EWHC 2808 and Google v Vidal-Hall  EWHC 13 both suggest that the courts may be willing to use the Data Protection Act to afford a claimant a remedy in damages if their personal data is used in such a way that they are caused damage (whether of a pecuniary or non-pecuniary nature) and/or distress. At present, however, the area is a potential minefield for practitioners tasked with advising upon and implementing the DPA.
5.2 SECTION 32
If the ICO interpretation of s36 is problematic, the position in relation to s32 is little better.
In 2011 Mr Justice Tugendhat dealt explicitly with the application of Section 32, and the interaction between Articles 8 and 10, commenting that:
'Those who drafted the directive and the DPA omitted to address generally the relationship between the Art 8 rights which the Directive sought to implement, and the Art 10 rights which must also be respected, in accordance with both EU and English law. If there is a provision of the DPA which would give effect to Art 10 rights …, it would be s.32 (journalism, literature and art). Journalism that is protected by s.32 involves communication of information or ideas to the public at large in the public interest. Today anyone with access to the internet can engage in journalism at no cost' (Kordowski ).
It is clear, therefore, that, in line with Satamedia, the domestic courts clearly recognise the potential application of s32 to ordinary individuals. The ICO similarly acknowledges in its social networking guidance that s32 might apply to an individual who has posted personal data online if such information has been posted for one of the special purposes of journalism, art and literature, in the reasonable belief both that publication would be in the public interest and that compliance with the DPA would be incompatible with the special purposes (ICO, 2014a). The problem for individuals, unfortunately, is that the ICO has yet to publish guidance which explains clearly when s32 would be considered to apply to an individual. The one brief reference to individuals in the ICO's recent guidance (ICO, 2014a) is not particularly helpful;
'We accept that individuals may be able to invoke the journalism exemption if they are posting information or ideas for public consumption online, even if they are not professional journalists and are not paid to do so. … Of course, this doesn't mean that every blog or comment posted online will be journalism. In many cases, people will simply intend to take part in normal social interaction or other recreational internet use.'
What can be gleaned from the guidance that has been issued to the media (ICO, 2014b) however, is that if individuals do wish to rely upon Section 32, they must demonstrate that their actions in making information public are in the 'public interest'. It is establishing the necessary public interest that many individuals who share information online are likely to struggle with.
Although there is, unfortunately, no definitive public interest test to which an individual can turn, the ICO does provide some 'pointers' for the media, which would appear to be equally relevant to individuals. Crucially, the ICO makes clear that the public interest is not the same as what is interesting to the public. He confirms also that to be in the public interest, any online publication of third party personal information must be in the best interests of society as a whole. These comments might suggest that few, if any, online posts by individuals will be deemed to be in the public interest. It is important to recognise, however, that there is a general public interest in freedom of expression itself, and that the ICO has made clear that it 'will always consider the importance of freedom of expression' in its interpretation of the DPA and when it decides whether to exercise its powers (ICO, 2014b, p19). What this means, therefore, is that, in principle, online postings relating to another individual might be deemed to fall within the s32 exemption - although the fact that information has been posted online in the exercise of one's freedom of expression is decidedly not the end of the matter.
The ICO has also made clear that consideration must always still be given to the impact that a publication will have on the individual whose information is disseminated. One should not automatically assume that an individual's private life is the subject of legitimate public interest (ICO, 2014b, p34) and indeed the ICO makes clear that
'it cannot be in the public interest to disproportionately or unthinkingly interfere with an individual's fundamental privacy and data protection rights. If … the details … published are particularly intrusive or damaging to an individual a stronger and more case-specific public interest argument will be required to justify [disclosure] over and above the general public interest in freedom of expression.'
It is where a publication is of an intrusive nature that an individual may struggle to demonstrate that their publication is in the public interest. The type of case-specific justification for/public interest in publication that the ICO envisages here, includes for example, a publication that exposes crime or anti-social behaviour, a publication which will prevent people from being misled by a statement made by an individual or organisation, or a publication which serves to disseminate information that will help people understand matters of public importance (ICO, 2014b).
What can, as a minimum, be concluded from the guidance, therefore, is the fact that an amateur blogger is acting in the exercise of their right to freedom of expression, or that they claim their purpose to be journalism (or art or literature), will not always be sufficient justification for interference with another person's privacy. Certainly, whilst online dissemination via a blog might satisfy the general public interest in freedom of expression, the topics covered in personal blogs, websites and on social media posts are rarely of the type to satisfy more specific public interests. For this reason, it is perhaps safest for individuals to assume that their blogs and online comments may not be considered to fall within the 'special purposes'. This certainly seems to be the implication in the ICO's media guidance (referred to above). Given that there appear to be few situations when the ICO would not allow an individual posting information online to rely upon the s36 exemption there is probably little need for an individual to seek recourse to s32 in any event.
6. THE PARENT PHOTOGRAPHER REVISITED
This article began with an illustration of a specific situation in which a parent takes a photograph at a school event, captures images of her own and other people's children and subsequently shares that photograph online. It has now been established that if such photographs identify the children then, unless the parent photographer can rely upon one of the exceptions to the DPA the parent will be treated as a data controller, and must therefore comply with the obligations detailed within that Act. The primary difficulty, as this article has illustrated, is in establishing whether any exceptions to the DPA apply in this specific situation.
Various articles published in the press between 2009 and 2012 (Appleton (2012); Clark (2009); Shoesmith (2010)) certainly suggest that schools are struggling to understand how the law applies to parent photographers. These articles indicate that many schools have either imposed stringent restrictions on parental photography or banned it entirely because they believe that the law requires such actions to be taken.
In order to determine what advice schools actually receive about parental photography, and the relevant law, in December 2013 Freedom of information requests were sent to all 206 local education authorities in England, Scotland and Wales. Each authority was asked whether it had produced any guidance or policy documents or had provided advice to schools in their area in relation to parental photography at school events. 198 authorities responded; 74 of these authorities did not provide any guidance, 28 stated that they refer schools exclusively to guidance produced by the ICO, 96 provide their own guidance (18 of those providing guidance also refer schools to the ICO guidance).
Reading through the guidance it was clear that there was significant disagreement between authorities as to whether parents should be allowed to take photographs at school events, or alternatively whether parents who take photographs at school events should be permitted to upload those photographs. 36 authorities (37% of the 98 authorities who provide guidance and 18% of the authorities who responded) explicitly state that posting online is not permitted, distinguishing clearly between the situation when parents keep photos for close family and friends to view (when they consider s36 will apply) and the situation when photos are shared online/more widely (when potentially s36 may not apply). Only 6 of these 36 authorities explicitly state, however, that online sharing may contravene the DPA. By contrast, 46 authorities (24% of respondents) explicitly refer schools to guidance published by the ICO, guidance which asserts that the DPA imposes no restriction on parental photography at school events. This ICO guidance, which was first published in 2005 and has been regularly republished in a variety of forms since that date (ICO, 2005, 2007, 2010b, 2010c, 2010c, 2012b, 2014c and undated) is premised upon the belief that s36 applies to parents taking photographs at school 'for personal or domestic use'. (No reference is made to the s32 exemption but given the ICO's advice that s32 is unlikely to apply when people are simply taking part in normal social interaction or other recreational internet use (ICO, 2014b) this is understandable).
As discussed above, the ICO has interpreted s36 widely. The ICO has made clear that in most instances, when parents post information online in their personal capacity and either for purely personal or recreational purposes then s36 will apply. Strangely, however, the ICO guidance on parental photography makes no reference to parents taking digital photographs to share photographs online. Although the examples that the ICO includes in his guidance (of parents storing photographs in a family album and taking a video for family viewing) hark back to before the digital era, one cannot imagine that the ICO is not aware that parents might share photographs of school events online. Certainly, many education authorities seem to be aware, not only of the possibility that parents will wish to share photographs online, but also of the risks involved when they do so (disclosure of the whereabouts of vulnerable children whose identity and whereabouts should not be revealed, identification and possible grooming of children, misuse of images, breach of privacy).
In the absence of explicit guidance on how s36 applies to a parent who wishes to post photographs online, it is perhaps inevitable that some confusion about the application of the DPA continues to exist. It may, of course, be the case, that as discussed above, the ICO holds a firm conviction that the s36 exemption will apply when a parent takes a photograph at a school event, whether or not that photograph will subsequently be placed in the family album, stored on a computer or shared online. If this is the case then it would be helpful for the ICO to update its parental photography guidance to clarify this. Even if the ICO were to do so, however, questions must be asked about whether this would in reality resolve the issue once and for all.
The divergence between the ICO's interpretation and the European interpretation are likely to cause continuing confusion for education authorities and thus also for parents. At present, depending upon which school a child attends/which local education authority a child lives in, a parent may, or may not, be permitted to take photographs, and may or may not be told that they must not share those photographs online. Can we expect the position to improve if and when the Directive is replaced by the Regulation?
7. UPDATING THE LAW TO ENSURE IT REMAINS FIT FOR THE 21ST CENTURY
In a communication to the European Parliament in 2010 the European Commission spelt out clearly its belief that a new data protection framework is needed, both 'to clarify and specify the application of data protection principles to new technologies' (European Commission, 2010a, p3) and to address 'divergences between the national laws implementing the Directive,' divergences which create 'legal uncertainty not only for data controllers but also for data subjects, creating the risk of distorting the equivalent level of protection that the Directive is supposed to achieve and ensure.' (European Commission, 2010a, p10). The Commission's comments certainly seem to be well founded given the differing approaches to Article 9 (the freedom of expression exemption) and to the personal/household exemption highlighted above. Whether the Commission's ambitions are realisable, however, have yet to be seen.
Certainly the ICO has recognised a need for comprehensive updating to address the challenges posed by new technologies, and, given 'the pan-European nature of the problem' accepts the need for either a Regulation or new Directive (ICO, 2012a, p2). It is clear, however, that the ICO is not wholly convinced that the Regulation will achieve all that the Commission suggests. The more detailed, prescriptive approach detailed in the regulation, an approach which the ICO suggests may not necessarily result in better data protection, is questioned (ICO, 2012a). The ICO further queries whether complete harmonisation is possible or even desirable (noting that key concepts in the law such as fairness depend on factors which necessarily vary from one member state to another). Given the current lack of harmony of interpretation both of Article 3(2) and Article 9, the issue of harmonisation is a key issue to be considered in the analysis of the new personal/household provision (Article 2(2)(d)) and the new provision authorising derogations from the directive in the interest of freedom of expression (Article 80).
7.1 THE REVISED PERSONAL/HOUSEHOLD EXEMPTION
The wording of Article 2(2)(d) (and of the related Recital 15) have proved to be a subject of some contention for those involved in the process of agreeing the new regulation. This is to be expected given current divergences in approach to the personal/household exemption. Article 2(2)(d), as originally drafted by the Commission stated simply that the Regulation 'does not apply to the processing of personal data … (d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity.' In its earliest iteration Recital 15 stated similarly that the Regulation 'should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity. The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.'
The application of the exemption to the online sphere was thus not explicitly addressed by the Commission in the initial version of the Regulation (at best it is hinted at in the final sentence of the recital). The undoubted problem with this first iteration of the Regulation, therefore, was that it quite simply left wide open the question of whether Article 2(2)(d) never applies within the online sphere (as Lindqvist suggests), instead applies to all individuals processing information online in the course of personal activities (the ICO approach) or alternatively applies only to certain individuals (as the Working Party suggests). Surprisingly, however, it was the phrase 'without any gainful interest', which seemed initially to cause most offence both to the European Parliament (European Parliament, 2012), and to the ICO (ICO, 2012a), both of whom recognised that a natural person who processes personal data for private and household purposes may sometimes have a gainful interest in doing so (e.g. when selling private belongings to other private persons) but that such a person should still fall outside the Regulation provided there is no connection to a professional or commercial activity.
The amended version of Article 2(2) and Recital 15, approved by the European Parliament in March 2014 made no reference to 'gainful interest.' Indeed the European Parliament's version of Article 2(2)(d) revealed little difference to the original Article 3(2). The most important changes, were that the revised draft provision referred to 'processing … by a natural person in the course of its own exclusively personal or household activity' as opposed to processing 'in the course of a 'purely personal or household activity'. The Parliament also suggested that the exemption should only apply where it could be reasonably expected that the publication of data would only be accessed by a limited number of persons. Importantly, the European Parliament also made significant changes to the Recital to address the vital need to clarify how, and whether the exemption applied to the online sphere (European Parliament, 2012). Taking the Parliament's wording of Article 3(2) and Recital 15 together, therefore, the personal/household exemption, undoubtedly moved much closer to the interpretation of Article 3(2) that is currently found in UK law, which sees s36 being used as a vehicle by which to recognise individuals' rights to freedom of expression. At the same time, however, it sensibly also recognised the logic of the Working Party opinion, the need to recognise that widespread online sharing, by definition, may not always be 'personal'. It thus specifically addressed one of the key concerns raised by the ICO when the Regulation was first published, that the Regulation should explicitly consider whether the activities of individuals processing personal data online, about themselves and others, should fall within the personal/household exemption.
What the final version of Article 2(2) and Recital 15 will look like is as yet unclear. The Council of Ministers is in apparent agreement with the European Parliament that the application of the personal and household exemption to the online sphere needed clarifying. The most recent version of the regulation proposed by the Council thus retains the following sentence in Recital 15; 'Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities.' The Parliament's wording of Article 2(2) has, however, been changed by the Council of Ministers. The wording of the personal and household exemption proposed by the Ministers now states that 'the Regulation does not apply to the processing of personal data … by a natural person in the course of a personal or household activity.'
Potentially significant changes have thus been made to the Parliament's version. The Parliament's version of Article 2(2) using the word " exclusively" and making specific reference to disclosures being to a "limited number of persons," reinforced the idea that personal data should not be widely distributed. Both of these constraints have been removed. It has been suggested that this implies that 'the Council of Ministers seek a broad "personal use" category involving an unknown (perhaps unlimited) number of persons' (Pounder, 2015). Perhaps more importantly Chris Pounder has suggested that the Council of Ministers' text directly undermines the CJEU's conclusions in Ryneš (Pounder, 2015). In Ryneš the CJEU made clear that the personal and household exemption was 'to be narrowly construed' recognising that Article 3(") refers to processing carried out as a ''purely' personal or household activity … not simply a personal or household activity"' (Ryneš, paragraph 30). The absence of the words 'purely' or 'exclusively' in the Council of Ministers' version of the Regulation text means that the personal and household exemption proposed by the Council of Ministers now does refer simply to 'a personal or household activity'. This is not, however, the only problem that has been identified with the Council's new wording. It has been suggested that;
'[t]here is also an issue with the absence of the word "limited" (which appears in the Parliament's text). For instance, Facebook has a maximum number of 5000 friends; more than 5000 then you have to have a "fan page" ... The Council of Ministers' text opens up an argument that a posting to say 500 friends is "personal" (because it is "limited" to well below the 5000 maximum) (Pounder, 2015).
Let us consider again the scenario posed at the beginning of this article, when a parent takes a photograph capturing images of her child and their friends at a school sports day and posts the images to Facebook. It seems relatively easy to see how this could be construed as a "personal activity." If so, the effect of the Council's revisions to Article 2(2) is that the Regulation will do little to protect the children whose images have been shared. This is of concern given that the rights of third parties whose information is processed by individuals subject to the exemption seem to have been largely neglected. The Article 29 Working Party/Working Party on Police and Justice noted in 2009 (p18) that 'thought should be given to the question whether data subjects should be given more means to execute their rights on the internet, including the protection of rights of third parties whose personal data may be object of processing (eg social networks).' If many online activities will fall outside the Regulation, as is proposed, the rights of third parties whose personal data is processed will presumably be commensurately more limited. Despite assertions by the Commission that the Regulation will strengthen individuals' rights (European Commission, 2010b), it is arguable that for third parties whose information is processed online the opposite may be the case. Clarity, harmonisation and a renewed emphasis on individuals' rights to freedom of expression through the personal/household exemption may arguably in future be improved, but this appears to be at the expense of other individuals' right to data protection.
7.2 ARTICLE 80 OF THE REGULATION
Although Article 2(2)(d) may expand the sphere in which individuals can exercise their rights of freedom of expression to the online world, there is undoubtedly still room for a further derogation or exemption for freedom of expression, one that applies to organisations, the media, and individuals whose activities do not fall wholly within the personal sphere. This is certainly recognised by the Commission in their inclusion of Article 80.
The explanatory memorandum which accompanies the Regulation states simply that 'Article 80 obliges Member States to adopt exemptions and derogations from specific provisions of the Regulation where necessary to reconcile the right to the protection of personal data with the right of freedom of expression. It is based on Article 9 of Directive 95/46/EC, as interpreted by the Court of Justice of the EU' (in Satamedia).
Despite the memorandum's comments, which suggest that Article 80 is little different to Article 9, in its first iteration, as drafted by the Commission, two key differences in wording could be identified. Where Article 9 allows for exemptions or derogations 'only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression' Article 80, as originally drafted, provided for such derogations 'in order to reconcile the right to the protection of personal data with the rules governing freedom of expression'. Article 80 thus removed the need for derogations to be 'necessary' replacing it with the weaker wording 'in order to'. A more subtle change to the wording is also introduced in its reference to the balance to be achieved between data protection and freedom of expression rather than privacy and freedom of expression (such a reference to data protection in place of privacy is a theme throughout the regulation, perhaps in acknowledgement that the Article 8 of Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the functioning of the European Union now explicitly recognise a free-standing right to data protection). These changes in wording were, however, only minor when compared with the later changes introduced by the Parliament. The Commission's position was to effectively clarify and reiterate the existing position, as interpreted by the CJEU. The exemption continued to apply only for the limited specific purposes of journalism, literature and art (albeit that journalistic purposes was to be interpreted widely to apply to anyone (Recital 121 to the Regulation).
Interestingly, however, the European Parliament in its review of Recital 121 and Article 80 clearly considered that the Commission had not gone far enough. Article 80, as revised by the Parliament, referred explicitly to Member States providing exemptions or derogations 'whenever this is necessary in order to reconcile the right to the protection of personal data with the rules governing freedom of expression in accordance with the Charter of Fundamental Rights of the European Union.' The Parliament thus took a significant step forward, going beyond the court's interpretation of the directive, an interpretation which had been restricted by the need to pigeonhole data processing activities into journalistic, artistic or literary purposes. If a version of Article 80 akin to that drafted by the Parliament were ultimately accepted, one might anticipate a significantly different approach to the freedom of expression/privacy/data protection balancing act within the UK, adopting a much wider notion of freedom of expression in line with that which is seen in Denmark and Sweden, and which more clearly reflects the approach of the European Court of Human Rights (Warso, 2013). The Council's version of Article 80, however, has much more in common with the Commission's more narrow exemption. Article 80(1) states that '[t]he national law of the Member States shall reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including the processing of personal data for journalistic purposes and the purposes of artistic or literary expression.' This might perhaps be interpreted expansively, to allow for the balancing of privacy/data protection and freedom of expression in all cases, including but not limited to situations where personal data is processed for journalistic purposes. Article 80(2) however refers very clearly to member states providing exemptions and derogations '[f]or the processing of personal data carried out for journalistic purposes or the purpose of academic artistic or literary expression.' This suggests that the Council's intention is to maintain the status quo.
Warso suggests that the fact that Art 9 is restrictive (far more so than Art 10 ECHR), the fact that the ECJ in Lindqvist has shown a willingness to defer to national authorities to undertake the privacy-free speech balancing exercise, and the fact that the ECJ's chose to interpret Art 3(2) narrowly 'shows that EU law "tilts" towards the protection of privacy … at the expense of other fundamental rights.' Warso argues further that '[i]n light of the human rights standards established by the ECtHR, this puts into question whether the Directive 95/46/EC fulfils the task of balancing all fundamental values involve. Perhaps, most importantly she contends that 'the standard set by CJEU in Lindqvist, which still constitutes the main point of reference with regard to the application of the personal/household exemption online, fails to keep up with the rapid development of new communication technologies and ignores the complex fabric of the Web' (Warso, 2013, p496)
These criticisms are certainly understandable when one considers the approach that the ECJ/CJEU have taken to the issue of individuals sharing personal information online. The European court's approach currently prevents individuals from sharing personal information online (unless they accept the substantial obligations which lie upon them, as data controllers (and which are likely to continue even once the regulation becomes law, no specific provision being included in the Regulation to relieve an individual of the full burden of data controller obligations). Whilst the Working Party opinion undoubtedly lessens the full effect of the Lindqvist judgment, it remains the case that individuals who do not choose to limit who has access to online postings should only post information online if they are prepared to accept their obligations under the Directive.
Within the UK, however, very different criticisms can be made. With the ICO having effectively chosen to ignore the decision in Lindqvist, it is apparent that UK individuals who share information online, including information and images of third parties, are free to do so, in the exercise of their right to freedom of expression. This is subject only to the proviso that their actions are undertaken for personal, domestic or recreational purposes. The ICO has chosen to define such terms widely, and it is entirely possible that even when a parent receives economic benefits such as free merchandise or free or reduced entrance fees as a result of blogging about the lives, likes and activities of their family and friends they will still benefit from the s36 exemption. Such individuals thus effectively have little or no need to rely upon the s32 exemption introduced into UK law to ensure that in appropriate cases (specifically for the special purposes of journalism, art and literature) individuals' rights to freedom of expression are not entirely disregarded in favour of the right to privacy/data protection. The effect of the ICO position, however, is that individuals whose information is shared online by others have seen an erosion of their rights to privacy and data protection, with no remedy afforded to them under the DPA, and no real ability to prevent online processing of their information by others.
The clear divergence between the European and UK problems and the uncertainty that it causes for organisations and individuals can be illustrated by reference to a scenario where a parent takes a photograph at a school event with the intention of posting that photograph online. Whether the parent is allowed to take that photograph and post it online appears to largely depend upon whether the school believes that s36 DPA does or not apply to the parent. If the school accepts the ICO position then no restriction upon parental photography is required (at least for DPA purposes). By contrast if the school adopts the approach advocated in Lindqvist the school is likely, as a minimum, to ask parents not to share photographs online.
If the European Parliament's revisions to the Regulation are accepted it is arguable that the current uncertainties will be removed. Recital 15 to the Regulation goes a long way to clarifying how, throughout the Member States, the personal/household exemption should be applied. In many cases where individuals are sharing information only with a defined number (friends or family only) the Parliament has signalled clearly that it believes that the personal/household exemption should apply. Its revisions to Recital 121 also open the door to individuals being able to rely upon Article 80 as an alternative to Article 2(2)(d) when information is disseminated to the public at large. For individuals who wish to share personal information online, including third party information, the position is therefore improved; it seems clear that in many cases the data protection framework will not apply. For the individuals whose information is being shared by others, however, the position is not so much improved as clarified. It seems likely that their rights to object to the online processing of their information by other individuals are effectively disappearing.
Appleton, Josie, (2012) 'Why do schools really stop parents taking photographs of their children?' The Guardian 23 June 2012 http://www.theguardian.com/lifeandstyle/2012/jun/23/photos-children-school-ban
Article 29 Data Protection Working Party (2009), 'Opinion 5/2009 on online social networking' 00189/09/EN WP 163, adopted 12 June 2009
Article 29 Working Party/Working Party on Police and Justice (2009) 'The Future of Privacy: Joint contribution to the consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data' 02356/09/EN WP 168, adopted 1 Dec 2009
Bennett, Colin (1992) 'Regulating privacy: Data protection and public policy in Europe and the United States' (Ithaca: Cornell University Press)
Bignami, Francesca (2008) 'The case for tolerant constitutional patriotism: The right to privacy before the European courts', Cornell International Law Journal 41(2) 230-231
Carey, Peter (2009) 'Data Protection: A Practical Guide to UK and EU Law' (Oxford: OUP Oxford) 3rd Edition
Clark, Laura (2009) 'Parents banned from taking photos of their own children at school sports day' The Daily Mail, 17 June 2009) http://www.dailymail.co.uk/news/article-1193697/Parents-banned-taking-photos-children-school-sports-day.html
Costa, Luis and Poullet, Yves (2012) 'Privacy and the Regulation of 2012' Computer Law & Security Review 28, 254-262
Council of the European Union (2014) Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Data Protection Act 1998
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
European Commission (2010a), Communication from the Commission to the European Parliament, the Council, the Economic and social committee and the committee of the regions: A comprehensive approach on personal data protection in the European Union COM (2010) 609 final 4.11.2010
European Commission (2010b), Data Protection Reform Frequently Asked Question Memo/10/542 04/11/2010
European Commission (2011) Special Eurobarometer 359: Attitudes on Data Protection and Electronic Identity in the European Union
European Commission, (2012a) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century (COM (2012) 9 Final) 25.12.12
European Commission (2012b)- Press Release 'Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses IP/12/46 25/01/12 http://europa.eu/rapid/press-release_IP-12-46_en.htm
European Commission (2012c) How does the data protection reform strengthen citizens' rights? http://ec.europa.eu/justice/data-protection/document/index_en.htm
European Parliament (2012) Draft report on the proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM (2012)0011 - C7-0025/2012 - 2012/0011 (COD))
Google v Vidal-Hall and others  EWHC 13
Google Spain and Google Inc v Mario Costeja Gonzalez C-131/12
Hegglin and another v Google inc  EWHC 2808
ICO (2005) Data Protection Good Practice Note Taking Photographs in Schools
ICO (2007) Data Protection Good Practice Note Taking Photographs in Schools
ICO (2010a) The Information Commissioner's response to the Ministry of Justice's call for evidence on the current data protection legislative framework
ICO (2010b) Data Protection Good Practice Note Taking Photographs in Schools
ICO (2010c) Parents can snap away at this year's sports day
ICO (2010d) Parents can snap away this Christmas
ICO (2011), Line to take - Dealing with complaints about information published online
ICO (2012a) Information Commissioner's Office: initial analysis of the European Commission's proposals a revised data protection legislative framework
ICO (2012b) Report on the data protection guidance we gave schools in 2012
ICO (2013) Proposed new EU general data protection regulation: Article-by-article analysis paper
ICO (2014a) Social networking and online forums - when does the DPA apply? V1.1
ICO (2014b) Data protection and journalism: a guide for the media
ICO 2014c) Data Protection Good Practice Note Taking Photographs in Schools
ICO (undated) Does the Data Protection Act stop me taking photos of my children at school?
Korff, Douwe (2002) EC study on implementation of data protection directive (Study Contract ETD/2001/B5-3001/A/49) Comparative summary of national laws
Korff, Douwe, (2010) Comparative Study on Different Approaches to new privacy challenges, in particular in the light of technological developments. Working paper no 2: Data protection laws in the EU: The difficulties in meeting the challenges posed by global social and technical developments
Lindqvist ECJ C-101/01
NSPCC (2013) 'Using photographs of children for publication: NSPCC factsheet' http://www.nspcc.org.uk/Inform/research/briefings/Photographing-children_wda96007.html
OFCOM (2013) Adults Media Use and Attitudes Report
Opinion of Advocate General Jääskinen delivered on 25 June 2013 in Case C‑131/12 Google Spain SL Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González
Pounder, Chris (2015) 'Council of Ministers' Regulation text negates ECJ rulings in Linqvist and Ryneš http://amberhawk.typepad.com/amberhawk/2015/07/council-of-ministers-regulation-text-negates-ecj-rulings-in-lindqvist-and-ryne%C5%A1.html
Rowbottom, Jacob 'To Rant, Vent and Converse: Protecting Low Level Digital Speech' (2012) 71 Cambridge Law Journal 355
Ryneš CJEU C-212/13
Shoesmith, Ian 'When can't you take photos of a nativity play?' BBC News UK, 8 December 2010) http://www.bbc.co.uk/news/uk-11947374
The Law Society and others v Rick Kordowski  EWHC 3185 (QB)
Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy CJEU C-73/07
Warso, Zuzanna, (2013) 'There's more to it than data protection - Fundamental rights, privacy and the personal/household exemption in the digital age', Computer Law & Security Review (29) 491-500
Westin, A. (1967) Privacy and Freedom (New York: Atheneum)