Table of Contents:
In the present edition, we inform our readers of a CJEU judgment on the balance between data protection and freedom of expression. In addition, we list the newest activities and documents by the EDPB.
CJEU: Narrow Definition of Journalistic Exceptions in the GDPR
[1] On 9th July, the CJEU ruled on the balance between the rights to data protection and freedom of expression in ND v Legal Newsdesk Sweden AB. As to the facts of the case, the applicant in the main proceedings (ND) was convicted of a criminal offence. The information about his conviction was published by Legal Newsdesk Sweden on its Lexbase database, where information about the criminal proceedings against natural and legal persons is published and which allows searches to be made within the database. ND requested the erasure of the data concerning his conviction, but Legal Newsdesk Sweden erased the data only much later, and not as a response to his request, but on the basis of its internal data storage policies. The dispute resulted in the request for a preliminary ruling around the question on the scope of the journalistic exceptions in Article 85(1) and (2) GDPR and the Member State right to legislate on the balance between the rights to data protection and freedom of expression, including on the available remedies in defamation cases. In its ruling, the CJEU, based on a combined reading of Articles 85(1) and (2) GDPR, first established that when Member States adopt legislative measures under Article 85(1) GDPR to reconcile the two fundamental rights, they may not provide “for exemptions or derogations from that regulation for the processing of personal data for purposes other than journalistic purposes or the purposes of academic, artistic or literary expression”. Second, as to effective remedies, the CJEU examined the question whether domestic legislation may restrict the available remedies in defamation cases to criminal proceedings or claims for damages. The CJEU ruled that Article 85(2) GDPR does not allow derogations from the GDPR provisions on effective remedies and hence that the legal measures adopted by the Member States on the basis of Article 85(1) GDPR may not restrict the available remedies only to “the possibility to bring criminal proceedings for defamation or to bring an action for compensation for the damage suffered as a result of having been defamed.” Finally, as to the question on the scope of the notion of “journalistic purposes” when processing personal data about criminal convictions, the CJEU ruled that “making available to the public on the internet, in return for payment, public documents consisting of criminal convictions cannot be regarded as processing of personal data carried out for ‘journalistic purposes’, within the meaning of that provision, unless it has as its purpose the disclosure to the public of information, opinions or ideas, in compliance with the ethical rules and codes of conduct of the profession of journalist, after editing or adaptation, or at least in accordance with an editorial policy, and after verification of the factual allegations concerned”.
EDPB releases new documents
[2] In the past two weeks, the EDPB announced that it is drafting Guidelines on respecting data protection in the fight against financial crime together with the Anti-Money Laundering Authority and released the following documents:
- Guidelines on anonymisation;
- Guidelines on web scraping in the context of generative AI; and
- Guidelines on the processing of personal data through blockchain technologies. [3]
More Information:
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62024CJ0199
[2] https://www.edpb.europa.eu/news/edpb-and-amla-to-develop-joint-guidelines-on-partnerships-for-information-sharing_en
[3] https://www.edpb.europa.eu/news/edpb-sheds-light-on-anonymisation-and-web-scraping-for-generative-ai-and-adopts-final-version_en