skip to content
 

Edited by Dr David Erdos, Deputy Director, CIPIL File:Flag of Europe.svgEFTA logo2.svgFile:Flag of the United Kingdom.svg

Overview Guide

Section 1:  Introduction

This resource on the CIPIL website explores the specific formal engagement of European data protection laws with freedom of expression and information from the time of data protection’s inception in the 1970s through to the current framework in the 2010s.  Although focused on particular areas, freedom of expression is otherwise conceptualised widely to encompass not only special expression such as journalism but also broad expression such as search engine indexing, the interface with personal exemptions for individual natural persons and finally special frameworks designated to promote knowledge facilitation in areas such as scientific research and archiving.

Most of the content consists of individual National Reports which have been compiled for the 27 current European Union (EU), the three non-EU members of the European Economic Area (EEA) and also the United Kingdom and Switzerland.  The last two jurisdictions continue to have a particularly close relationship with EEA data protection and Switzerland also forms part of the European Free Trade Association (EFTA) alongside the non-EU EEA,

The Reports have been the product of extensive research activity involving multiple individuals (as acknowledged here) and will be added to over time.  It is also recognised that, given their breadth, errors and gaps are inevitable.  Please do, therefore, ensure that any citation to the any of any of this material includes an access date.  Also, please get in touch if you spot errors, omissions or have other suggestions by emailing David Erdos at doe20@cam.ac.uk.

This Overview Report complements these Country Reports by providing further information on their structure and setting them within their pan-European context.  This context involves not only initiatives within the EU and EEA but also the wider Council of Europe which, especially in the early period, has played a hugely influential role.

 

Section 2:  The Core Aims of the National Reports

Each of the National Reports has the following two core aims:

  • To provide a precis of the formal legal provisions adopted.  This information is included in the shaded boxes within the Reports.
  • To set out a summary of relevant parliamentary (and associated policy) debates.  This material is included directly underneath the shaded boxes.

In each case, the material is further subdivided into the chronological period and issue area.  Further details of this structure is provided below.

 

Section 3:  Chronological Periods - The Three Generations of European Data Protection

The Reports are principally divided into three chronological periods covering the generation of data protection in the period (1) 1973-1994, (2) 1995-2016, (3) 2016 onwards.  The rationale for and nature of this periodization is as follows:

3.1 - First Generation (1973-1994)

During this period, data protection at pan-European level was systematically formalized only through the Council of Europe.  The Council of Europe Committee of Ministers adopted three principal instruments in the form of two soft law Resolutions in the 1970s and a Data Protection Convention in 1980s:

  • Resolution (73) 22 on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Private Sector (adopted 26 September 1973),
  • Resolution (74) on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Public Sector (adopted 20 September 1974),
  • Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108) (Data Protection Convention) and Explanatory Report (adopted 28 January 1981 and entered into force for those a party to it on 1 October 1985).

The adoption of data protection legislation at State level began with the Swedish Data Act 1973 and was staggered throughout the 1970s, 1980s and 1990s.  In total eighteen States currently within the EEA as well as Switzerland and the UK adopted data protection legislation during this period.  Given this incomplete adoption, not all Country Reports have material within this section.

3.2 - Second-Generation (1995-2015)

During this period the European Union (EU) first became the dominant pan-European actor within the data protection space as a result of the adoption of Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (the Data Protection Directive (DPD)) on 25 October 1995 (following an initial proposal going back to 27 July 1990).  The Directive required action by EU States by 24 October 1999 (see art. 32(1)) and through Decision 83/1999 of the EEA Joint Committee  was also adopted by the wider EEA with a date for implementation of 26 June 1999 (see art. 4)).  It required that all EEA States enact data protection legislation according to a common template and continued in effect until 25 May 2018.

3.3 - Third-Generation (2016 onwards)

This period began with the coming into force EU Regulation 2016/679 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data and Repealing Directive 95/46/EC (General Data Protection Regulation) on 25 May 2018 across the EU, alongside a specialized Directive which applies in the area of law enforcement (Directive (EU) 2016/680 on the Protection of Natural Persons with regard to the Processing of Personal data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and on the Free Movement of such Data, and repealing Council Framework Decision 2008/977/JHA).  The General Data Protection Regulation (GDPR) is in principle directly applicable in law throughout the EU States although, especially and very importantly vis-à-vis freedom of expression, a number of its provisions require State-level implementation and leave considerable discretion to individual nations.  The GDPR was adopted by the wider EEA through Decision 154/2018 of the EEA Joint Committee and entered into force on 20 July 2018.  Directive 2016/680 was not adopted by the EEA.

 

Section 4 – The Four Areas of Specific Interaction with Freedom of Expression and Information

Freedom of expression belies simple definition.  Article 10 of the European Convention on Human Rights simply states that this right

shall include the freedom to hold opinions and to receive and impart information and ideas regardless of frontiers.
 
Data protection law intrinsically restricts the creation, storage, manipulation and flow of personal data and, in doing so, could be understood to be in comprehensive tension with freedom of expression which, as the ECHR definition indicates, also encompasses freedom of information.  Nevertheless, such formalistic rather than purposive conceptualisation of the latter right would collapse the inquiry into a comprehensive analysis of the development of data protection which is not the purpose of these Reports. 

Instead, the Reports adopt a specific purposive approach which focuses on distinct provisions which have accorded sui generis and generally liberalized treatment to certain types of expression within at least some State laws.   Within that context, a wide perspective has been adopted which stretches well beyond the treatment of, for example, journalism.  Indeed, at least four types of provision have located.  These provisions have a different relationship with what has been understood to be the main purposes served by freedom of expression including freedom of information.   Whilst the first two have a clear relationship with freedom of expression, the relationship between this fundamental right and the latter two provisions is more ambiguous.  In general, all of the Reports analyse law adopted and local debates in each of these areas.  However, it is recognised that within the EU, although not necessarily the wider EEA, Switzerland or the UK, the GDPR includes a directly effective personal exemption (article 2(2)(c)) as well as certain directly effective provisions in the area of knowledge facilitation including regarding compatibility (article 5(1)(b)), time limits (article 5(1)(e)) and potentially the need for, and nature of, appropriate safeguards (article 89(1))

4.1 – Special Expression Derogation

The first category covers provisions regulating those types of expression and information exchange which has been understood to directly further ʻcoreʼ public purposes related to exercise of freedom of expression within a free and democratic society.  Especially within first-generation data protection period, this was often conceptualized in institutional terms as referring to the activities of the professional media.  Indeed, at pan-European level, the Explanatory Report of the Data Protection Convention (1981) specifically noted that there may be a particular need to protect the “freedom of the press” (para. 58).   However, increasingly a more directly purposive approach has been adopted which focuses on the precise activities rather than actors which link to these core public purposes.  Journalism has one central instance but generally not the only example set out and the definitions have generally broadened over time to include literary and artistic expression and, post-GDPR, also academic expression.  Thus, Article 9 of the Data Protection Directive instructed EEA States to adopt wide-ranging derogations if (but only if) “necessary to reconcile the right to privacy with the rules governing freedom of expression” for the “processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression”.  Meanwhile, Article 85(2) of the GDPR states that similarly wide-ranging derogations should be adopted if “necessary to reconcile the right to the protection of personal data with the freedom of expression and information” as regards “processing carried out for journalistic purposes or the purpose of academic artistic or literary expression”.  The need for processing to be “solely” for these special purposes is now left to the accompanying provision in the preamble which also clarifies these purposes encompass “news archives and press libraries” (Recital 153).  Even more fundamentally, the addition of “academic” expression is entirely new.  These changes brought special expression into a manifest, even if somewhat ambiguous, interface with the knowledge facilitation framework which is explored below. 

4.2 - Broad Expression Derogation 

Even if expansively interpreted, the special expression regime does not encompass all forms of expression and information exchange that have particular value within a free and democratic society.  Other examples include activities which facilitate the disclosure of information to members of the public (e.g. search engines) and also those with instantiate self-expression not primarily directed towards a collective public debate (e.g. many forms of expression on social networking sites).  This second category encompasses provisions which have been enacted at national law within this wider area and which are clearly intended to vindicate freedom of expression and information.  (It should, however, be noted that self-expression also overlaps with the personal exemption which is examined as a separate category below.)  Broad expression provisions have generally been phrased in an open-textured fashion but can also be more granular.  For example, Section 7 of the Swedish Data Protection Act 1998 categorically excluded activity protected by the Swedish Fundamental Law on Freedom of Expression. Subject to compliance with certain formalities concerning the need for and transparency of a responsible editor, this law regulated the communication of “information on any subject whatsoever” including through “public playback of material from a database” and the procuring of information “for such communication or publication”.  A database was simply defined as “a collection of information stored for automatic data processing” (art. 1).  Whilst this law did not cover all forms of particularly valuable expression, it clearly extended beyond special expression. Meanwhile, the Danish Act on the Processing of Personal Data 2000 combined clause on special expression with a general provision stating that statutory data protection “shall not apply where this will be in violation of freedom of information and expression, cf. Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms” (s. 2(2)).  Looking at the transnational context of these provisions, the Data Protection Convention (1981) provided for optional general derogations where this was provided within State Party law and constituted a “necessary measure in a democratic society in the interests of” inter alia protecting “rights and freedoms” (art. 9(2)).  Although freedom of expression was not directly mentioned, the provision was of very wide scope covering all of the Convention’s substantive provisions.  The Data Protection Directive included broadly cognate provisions (art. 13(1)(g)), but separately specified that derogations from the special data rules depended on reasons of “substantial public interest” and “suitable safeguards” (art. 8(4)) or in the case of criminal-related data “suitable specific safeguards” (art. 8(5)).  It also still mandated that the processing still fall within a specified legitimating ground for processing (art. 7).  The General Data Protection Regulation further tightens these over-arching provisions, establishing a tighter test for derogations generally (art. 23) and in particular as regards non-criminal related special data (art. 9(2)(g)) and excluding derogation from the data protection principles themselves (see art. 5) except insofar as these correspond to the detailed transparency and control rights set out elsewhere (art. 23(1)).  At the same time, it specifically provides that States “shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression” including but not limited to special expression (art. 85(1)).  The relationship between this general freedom of expression provision and the over-arching rights-based derogatory clauses set out elsewhere in the instrument remains unclear.  This specific reference to freedom of expression outside of special expression helps explain the increased presence of broad expression provisions in State-level statutory law, although they remain very much the exception rather than rule.

4.3 – Personal Exemption

A great deal of both special and broad expression especially online now originates not from professional actors but rather from natural persons operating within a purely amateur context.  This development can be traced back to the birth of home computers in the very late 1970s and to their subsequent networking especially from the 1990s onwards.  From the time when personal computers emerged, many argued that it would be inappropriate to apply general data protection provisions to all personal data processing carried out by natural persons for personal purposes.  At least initially, however, the focus was not on freedom of expression itself but rather on a general danger of disproportionality and potentially also an invasion of personal privacy.  Nevertheless, the potential for a far-reaching derogation or exemption here to encompass some expressive activity was present from the start.  This third category, therefore, focuses on the special provisions or exemptions shielding certain forms of processing undertaken by natural persons acting in a personal capacity.  Whilst this issue was not addressed in the Data Protection Convention, States began adopting such provisions at national level from the early 1980s.  The Data Protection Directive set out a full but restrictively worded exemption for processing “by a natural person in the course of a purely personal or household activity” (art. 3(2)) with the preamble specifying the relatively narrow examples of “correspondence and the holding of records of addresses” (recital 12).  All EEA States transposed this provision in some fashion, although a number sought to explicitly exclude its application where data was or might be widely disseminated.  The Court of Justice of the EU also adopted a narrow construction of this exemption stressing, in particular, that it “clearly” could not cover processing “consisting in publication on the internet so that those data are made accessible to an indefinite number of people” (C-101/01 Lindqvist (2003) at [47]).  The General Data Protection Regulation has adopted a personal exemption with the same wording as the Directive previously (art. 2(2)(c)) but with a new preamble which suggests both that exempt activities should have “no connection to a professional or commercial activity” and that they “could include” “social networking activity” undertaken within the context of “personal or household activities” (recital 18).  The GDPR’s personal exemption is directly applicable within the EU and so, as previously noted, is not examined separately within any of the EU State reports.  It remains to be seen how it will be construed going forward.  However, given its tight wording and previous case law, it is clear that some (and perhaps most impactful) expression of amateur natural persons will not be exempt.  Such expression may continue to fall within the provisions for special expression, broad expression or indeed knowledge facilitation which have been discussed above.

4.4 – Knowledge Facilitation Framework

From the beginning of European data protection, special provisions were adopted to ensure that this new regime interfaced appropriately with knowledge production or, in other words, the ability to assemble and become conversant with a body of facts, principles or methods.  Special provisions were generally justified on the utilitarian grounds that knowledge production furthered important public and also private interests and that this could generally be facilitated and structured in a manner which preserved the core of data protection including personal privacy.  The latter understanding arose from a partially erroneous belief that it was general group-level rather than specific individual-level knowledge which was usually valuable and of interest.  Notwithstanding the language of mere interests, these provisions did regulate activities which instantiated particularly valuable forms of expressive activity including that which implicated the freedom of the arts and sciences (see EU Charter of Fundamental Rights, art. 13).  Although the steady expansion of special expression and potentially also the inclusion of broad expression provisions should limit such direct regulation in the future, an interface will remain.  This fourth category, therefore, focuses on any special provisions adopted within data protection in order to facilitate and structure knowledge facilitation.  Examining this from a transnational perspective, the very early explanatory material accompanying the Council of Europe Resolutions addressed this area by acknowledging that the “release of statistical information” was “one of the most prevalent uses of databanks” and that information might also be released “for scientific or research purposes” but “should be reduced to a level where it [was] impossible to identify the individuals” (Resolution (74) 29 Explanatory Report at [32]).  Resolution (74) 29 also recognized that personal data could be conserved for “an indefinite duration” where required for “statistical, scientific or historical purposes” but then “precautions should be taken to ensure that the privacy of individuals concerned will not be prejudiced” (Resolution (74) 29 Annex, Principle 4).  The only specific provision in the later Data Protection Convention (1981) enabled State Parties to provide by law for restrictions on data subject access and control rights “with respect to automated personal data files used for statistics or for scientific research purposes” but “only “when there [was] obviously no risk of an infringement of the privacy of the data subjects” (art. 9(3)).  Its explanatory report more generally stressed that the Convention should not be interpreted as a means “to restrain the exchange of scientific and cultural information” (para 25).  More extensive provisions were included within the Data Protection Directive.  In sum, this instrument contained a patchwork of sometimes confusing provisions which:

  • As regards processing for “historic, statistical or scientific” purposes or use, required States to provide safeguarded derogation from the purpose and time limitation principles (art. 6(b) and 6(e)),
  • Signaled that as regards processing “for statistical purposes or for the purposes of historical or scientific research”, it may well be unduly disproportionate or even impossible to proactively notify data subjects where personal data was obtained other than directly from them (art. 11(2)),
  • Explicitly enabled States to legislatively restrict rights of subject access, rectification, erasure and blocking as regards data processing “solely of the purposes of scientific research” or kept only as long as necessary “for the sole purpose of creating statistics” but only where “there is clearly no risk of breaching the privacy of the data subjects” and “adequate legal safeguards” applied including “in particular that the data are not used for taking measures or decisions regarding any particular individual” (art. 13(2)).
  • Indicated that as regards “scientific research and government statistics” it would sometimes be permissible to adopt a derogation from the special data rules using the overarching substantial public interest derogatory clause (recital 34),
  • Provided that data already being stored prior to the law coming to force could be exempted from the data principles, legitimating grounds and special/sensitive data rules but only where such data was “kept” (rather than further processed) “for the sole purpose of historical research” and was “subject to suitable safeguards” (art. 32(3)).

Turning finally to the General Data Protection Regulation, the knowledge facilitation provisions are more consistently collated and described as “scientific or historical research purposes”, “statistical purposes” and “archiving purposes in the public interest” (GDPR, art. 89).  A common requirement states that processing falling under this regime “be subject to appropriate safeguards” including measures “to ensure respect for the principle of data minimisation” (art. 89).  Otherwise, however, the provisions remain somewhat diffuse and variegated.  In sum, it is established that:

  • These purposes benefit from a derogation from purpose compatibility restrictions and, so long as processing is solely for these purposes, also time limitation (art. 5(1)(b) and 5(1)(e)),
  • It may well be unduly disproportionate or even impossible to proactively notify data subjects where personal data was obtained other than directly from them but the controller must then take “appropriate measures to protect the data subject’s right and freedoms and legitimate interests, including making the information publicly available” (art. 14(4)(b)),
  • The right to erasure and to be forgotten does not apply so long as processing is necessary for these purposes and application of the rights would at least “seriously impair the achievement of the objectives of that processing” (art. 17(3)(d)),
  • State (or indeed EU) law can provide derogation from the rights of subject access, to object to processing and to demand its restriction (and as regards archiving purposes only also related notification obligations and the right to data portability) but only “in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes” (art. 89(2) and 89(3)),
  • Derogation can also be made from the non-criminal related special data rules so long as this is based on State (or Union) law which should be “proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject” (GDPR, art. 9(2)(g)).

As previously stated the provisions on compatibility (article 5(1)(b)), time limits (article 5(1)(e)) and potentially also appropriate safeguards (article 89(1)) are directly effective within the EU.  Other provisions, however, require some form of legal implementation at State-level even within the EU.  In crafting their provisions, EU and EEA States also remain free to make use of the optional general derogations set out in article 10 and 23 of the GDPR.