Note added: 21/12/2015 after GDPR Trilog text published:
Article 2b of the consolidated text states that the domestic purpose is processing “by a natural person in the course of a purely personal or household activity”; Recital 15 of that text allows for limited social media use. I therefore expect that Lindqvist and Ryneš rulings to remain relevant to the GDPR
Original posting
The Lindqvist decision of the European Court of Justice (ECJ) in 2003 has always caused problems. In Data Protection Act (DPA) terms, it means that the domestic purposes exemption (in Section 36 of the DPA) does not automatically apply to personal data which are published on the Internet.
This, in turn, means that social media aficionados, who are happy to post personal data about other individuals, have to apply the data protection principles to their postings. In addition, as data controllers, they should pay a £35 notification fee to the Information Commissioner (ICO); since failure to notify is a criminal offence, the Lindqvist decision has had the potential to make criminals of them all.
This helps to explain why the ICO has avoided the implications of Lindqvist like the plague; a position maintained until the “Solicitors from Hell” case in late 2011 (see references). In that case, the ICO’s advice on the domestic purpose exemption was politely but comprehensively trashed; Tugendhat J. concluded that “I do not find it possible to reconcile the views on the law expressed in the Commissioner's letter with authoritative statements of the law” (paragraph 100).
I should add that since 1998, the Government has had the powers to take the processing of personal data for social media purposes out of notification (see section 17(3) of the DPA) and therefore decriminalise social media users. It has failed to do so, thus compounding the ICO’s problems in this regard.
Now with the Regulation in trilog discussions, the Council of Ministers are set upon rewriting data protection history so the impact of Lindqvist (and Ryneš) is expunged. This rewriting is another example where the protection for data subjects is being lowered from that offered by Directive 95/46/EC (see references).
ARTICLE 3(2) OF DIRECTIVE 95/46/EC
The main impact of the Lindqvist and Ryneš judgements is that the ECJ interpreted Article 3(2) of Directive 95/46/EC narrowly. Article 3(2) states that the Directive does not apply “to the processing of personal data …by a natural person in the course of a purely personal or household activity” (my emphasis).
In Lindqvist, the ECJ judgment interprets a “purely personal or household activity” to mean:
“That exception must therefore be interpreted as relating only to activities which are e carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people” (paragraph 47; my emphasis).
In Ryneš, the Court said: “Article 3(2) of Directive 95/46 falls to be narrowly construed as ... the processing is carried out is a ‘purely’ personal or household activity, that is to say, not simply a personal or household activity” (my emphasis; paragraph 30).
Note that it is the word “purely” that narrows the scope of Article 3(2). It is this word that is replaced by the Commission and European Parliament, but removed completely in the Council of Ministers version of the Regulation.
THE VARIOUS FORMS OF ARTICLE 2(d) OF THE DATA PROTECTION REGULATION
The Commission’s revision of Article 3(2) states that the Regulation does not apply to that processing of personal data “…by a natural person without any gainful interest in the course of its own exclusively personal or household activity” (Article 2(d)).
The relevant Recital explains that “This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity”.
Commentary on the Commission’s version. I think the use of “exclusively” and “its own” limits the posting of personal data via social media to a posting by the data subject about himself; it would therefore mean that a posting of personal data of someone else could be subject to the Regulation depending on the circumstances. “Without any gainful interest” excludes any commercial activity.
There is no explicit reference to social networking in the Commission’s text, but I think limited social networking between family members and real “friends” would be OK (e.g. the data subject is sharing personal data about himself with other family members and friends and vice-versa in the context of himself or his household).
The Parliament’s revision of Article 3(2) is close to the Commission’s version and states that the Regulation does not apply to that processing of personal data “by a natural person in the course of an exclusively personal or household activity. This exemption shall also apply to a publication of personal data where it can be reasonably expected that they will be only accessed by a limited number of persons”.
Parliament’s Recital explains that “This Regulation should not apply to processing of personal data by a natural person in the context of a personal or household activity, thus without any connection with a professional or commercial activity. Personal and household activities include social networking and online activity undertaken within the context of such personal and household activities”.
Commentary on the Parliament’s version. The use of “an exclusively personal or household activity” (rather than “its own exclusively personal or household activity” as per Commission) does not limit the posting to the personal data about the posting data subject. It allows limited exchange between the data subject who might be sharing personal data about himself and/or about his friends with his friends (and vice-versa).
In other words, the Parliament’s text slightly broadens the social networking position established by the Commission’s text.
The use of “exclusively” and “limited number of persons” also reinforce the idea that the personal data are not widely distributed. The Recital, unlike the Commission’s text, clearly extends the exception to “social networking and online activity undertaken within the context of such personal and household activities”; its intent is clearly to ensure that limited social networking between a small number of friends and family members is exempt from the Regulation.
The Council of Ministers’ text states that the Regulation does not apply to that processing of personal data “by a natural person in the course of a personal or household activity”; the Recital is exactly the same as the Parliament and includes “social networking and on-line activity undertaken within the context of such personal and household activities”.
Commentary on the Council of Ministers’ version. Compared with the Parliament’s text, the key differences are the absence of the words “exclusively” and “limited number of persons”. The removal of these constraints implies the Council of Ministers seek a broad “personal use” category involving an unknown (perhaps unlimited) number of persons.
Note that the Council of Ministers’ text directly undermines Ryneš. In Ryneš, the Court said: “Article 3(2) of Directive 95/46 falls to be narrowly construed as ... the processing is carried out is a ‘purely’ personal or household activity, that is to say, not simply a personal or household activity” (paragraph 30).
The mere absence of the word “purely” in the Council of Ministers’ version of the Regulation text changes the conclusions in Ryneš, as the Ministers’ proposed text does indeed refer to “simply a personal or household activity”.
Thus, if the Council of Ministers version of the text prevails, the ECJ ruling in Ryneš is likely to be overturned. Someone who attaches a camera that undertakes surveillance of the public space outside his house in order to protect a household is likely to be successful in the argument that such processing is in the course of “simply a household activity”.
There is also an issue with the absence of the word “limited” (which appears in the Parliament’s text). For instance, FaceBook has a maximum number of 5000 friends; more than 5000 then you have to have a “fan page” (of which I have several anonymous ones). The Council of Ministers’ text opens up an argument that a posting to say 500 friends is “personal” (because it is “limited” to well below the 5000 maximum).
In other words, if one school student posts Third Party personal data to a limited number of students in the same year at school in order to bully or get “revenge”, then this could easily be a “personal activity”; after all getting revenge and bullying is often a very personal pursuit. If this is the case, there will be little the Regulation could do to protect the data subject (except by the Right to be forgotten, perhaps).
Conclusion: what should happen?
The use of the Internet often throws up difficult questions in the context of freedom of speech versus privacy; the domestic purpose exemption is just another of those difficult questions. However, because the question is difficult, does not mean that it should be avoided or exempted from a data protection response.
My preference is to keep the construction of Directive 95/46/EC; this means that Lindqvist and Ryneš rulings are maintained. However, I would add to the list of “Codes of Conduct” the requirement to produce European wide data protection advice on the “personal or household activity” exclusion, so that it is clear the extent of this exemption from the data protection rules.
This guidance would also identify therefore when the Regulation could be enforced; it is relevant to note that the UK’s Information Commission has published guidance on the domestic purpose exemption under the UK Act (see references).
Instead the Council of Ministers have proposed an exemption that is likely to exclude important data protection considerations, neuters the role of data protection authorities, and undermines the balance established under the Directive. It clearly weakens the protection for data subjects below that of the Directive.
Obviously, there is a balance between privacy and the use of social media when expressing oneself. However, instead of engaging with notions of balance, the Council of Ministers intend to throw away the scales.
References
Our next half day workshop on the Data Protection Regulation is on: 28th September in London: http://www.amberhawk.com/bookevents3.asp
Why the Data Protection Regulation is likely to provide a lower level protection than Directive 95/46/EC: http://amberhawk.typepad.com/amberhawk/2015/02/why-the-data-protection-regulation-is-likely-to-provide-a-lower-level-protection-than-directive-9546.html
Lindqvist summary and implications: http://www.out-law.com/page-4051 and http://www.out-law.com/page-8401
Ryneš summary and implications: http://amberhawk.typepad.com/amberhawk/2015/01/ecj-ryne%C5%A1-ruling-implies-ip-addresses-are-personal-data-in-themselves.html
Ryneš and Lindqvist Case references: European Court of Justice (ECJ) Judgment in Case C-212/13 (Ryneš) and Case C-101/01 (Lindqvist)
ICO Guidance on social media and the domestic purpose exemption: https://ico.org.uk/media/for-organisations/documents/1600/social-networking-and-online-forums-dpa-guidance.pdf
Solicitors from Hell case; Law society & Ors v Kordowski [2011] EWHC 3185 (QB) http://www.bailii.org/ew/cases/EWHC/QB/2011/3185.html