Data Protection Insider, Issue 157

Data Protection Insider, Issue 157 - DPI Issue 157

Table of Contents: 

  1. CJEU: Narrow Definition of Journalistic Exceptions in the GDPR 
  2. EDPB Releases New Documents 

 

In the present edition, we inform our readers of a CJEU judgment on the balance between data protection and freedom of expression. In addition, we list the newest activities and documents by the EDPB. 

CJEU: Narrow Definition of Journalistic Exceptions in the GDPR

[1] On 9th July, the CJEU ruled on the balance between the rights to data protection and freedom of expression in ND v Legal Newsdesk Sweden AB. As to the facts of the case, the applicant in the main proceedings (ND) was convicted of a criminal offence. The information about his conviction was published by Legal Newsdesk Sweden on its Lexbase database, where information about the criminal proceedings against natural and legal persons is published and which allows searches to be made within the database. ND requested the erasure of the data concerning his conviction, but Legal Newsdesk Sweden erased the data only much later, and not as a response to his request, but on the basis of its internal data storage policies. The dispute resulted in the request for a preliminary ruling around the question on the scope of the journalistic exceptions in Article 85(1) and (2) GDPR and the Member State right to legislate on the balance between the rights to data protection and freedom of expression, including on the available remedies in defamation cases. In its ruling, the CJEU, based on a combined reading of Articles 85(1) and (2) GDPR, first established that when Member States adopt legislative measures under Article 85(1) GDPR to reconcile the two fundamental rights, they may not provide “for exemptions or derogations from that regulation for the processing of personal data for purposes other than journalistic purposes or the purposes of academic, artistic or literary expression”. Second, as to effective remedies, the CJEU examined the question whether domestic legislation may restrict the available remedies in defamation cases to criminal proceedings or claims for damages. The CJEU ruled that Article 85(2) GDPR does not allow derogations from the GDPR provisions on effective remedies and hence that the legal measures adopted by the Member States on the basis of Article 85(1) GDPR may not restrict the available remedies only to “the possibility to bring criminal proceedings for defamation or to bring an action for compensation for the damage suffered as a result of having been defamed.” Finally, as to the question on the scope of the notion of “journalistic purposes” when processing personal data about criminal convictions, the CJEU ruled that “making available to the public on the internet, in return for payment, public documents consisting of criminal convictions cannot be regarded as processing of personal data carried out for ‘journalistic purposes’, within the meaning of that provision, unless it has as its purpose the disclosure to the public of information, opinions or ideas, in compliance with the ethical rules and codes of conduct of the profession of journalist, after editing or adaptation, or at least in accordance with an editorial policy, and after verification of the factual allegations concerned”. 

EDPB releases new documents

[2] In the past two weeks, the EDPB announced that it is drafting Guidelines on respecting data protection in the fight against financial crime together with the Anti-Money Laundering Authority and released the following documents: 

  • Guidelines on anonymisation; 
  • Guidelines on web scraping in the context of generative AI; and 
  • Guidelines on the processing of personal data through blockchain technologies. [3]

 

 More Information:

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62024CJ0199  

[2] https://www.edpb.europa.eu/news/edpb-and-amla-to-develop-joint-guidelines-on-partnerships-for-information-sharing_en 

[3] https://www.edpb.europa.eu/news/edpb-sheds-light-on-anonymisation-and-web-scraping-for-generative-ai-and-adopts-final-version_en 

About

DPI Editorial Team


Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.


Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply