Professor Steve Peers, University of Essex
You’re in the shower, and the
doorbell rings. It might be the Amazon delivery you were expecting, with your
daughter’s present – and it’s her birthday tomorrow. You leap out of the shower
and dash wetly down the stairs to open the door in time. But it’s only a couple
of Jehovah’s Witnesses.
After responding to their
entreaties in much the same way that Boris Johnson responds to business, you
close the door, and think no more about them. Yet they are still thinking about
you. In order to focus more
effectively on who to bother about God again, they keep a record of each
household they visit, with categories of (say) “Believer”, “Unbeliever”, or (if
you couldn’t find a towel) “Satanist”.
It’s not just religious
enthusiasts who might knock on your door and gather personal data, of course.
There are also businesses, charities and political canvassers. For the Brexit
Referendum, I joined the local Labour party to knock on doors in the leafy
London Borough of Remainey. If I recall correctly, we kept records of voters in
the categories of “Remain”, “Leave”, “didn’t say” and “absent”. (It seems the
Labour party has stopped using the category of “Bigoted Woman”).
These activities are of interest
not just to preachers or spin doctors, but also data protection authorities.
But does data protection law apply at all to such door-knocking? The CJEU
answered that question yesterday, in a new judgment
answering questions raised in a dispute between the Finnish data protection
board and Jehovah’s Witnesses.
Facts
The Finnish data protection board
had ordered the Jehovah’s Witnesses to stop processing personal data unless
they complied with Finland’s version of the EU’s data
protection Directive (since replaced by the infamous
GDPR). The board asserted that both the religious community and its members
were “data controllers” with liability for the correct application of data
protection law. A lower court agreed with the legal challenge brought by the
Jehovah’s Witnesses, but on appeal a court asked the CJEU to interpret the
relevant provisions of EU law.
In practise, the Jehovah’s
Witnesses take records (names, addresses, religion, family status) of their
meetings with householders. There’s also a list (perhaps a rather longer one)
of those who would like the Jehovah’s Witnesses never to darken their door
again. The dispute concerned the main list: did it fall within the scope of EU
law at all, or was it rather outside the scope of that law because of the
“household exception” or the non-exhaustive security exception to it, or
because the notes were too disorganised to form part of a “filing system”.
Furthermore, if the Directive did apply, were both the community and its
individual members data controllers?
Judgment
The CJEU began by asserting that
the exception for state security and similar areas did not apply to Jehovah’s
Witnesses, as that exception could only apply to acts of the State. Secondly,
the household exception did not apply either, because following prior case law
on home security cameras (discussed here),
that exception did not apply to activity directed outward from the household.
While proselytisation was covered by the EU Charter of Rights as an aspect of
freedom of religion, that did not mean that door-knocking fell within the
household exception.
Next, was the note-taking part of
a “filing system”? The Court ruled that the Directive “broadly defined” this
notion: the requirement that the data be “structured according to specific
criteria” is “simply intended to enable personal data to be easily retrieved”
(para 57). No data sheets, specific lists, or other method of processing
personal data was necessary to show the existence of a “filing system”. In this
case, it was sufficient that the data was structured according to the Jehovah’s
Witnesses’ criteria for a “filing system” to be present.
Finally, are there multiple data
controllers here? Following its recent judgment on Facebook fan pages
(discussed here),
the CJEU reiterated a “broad definition” of that concept, although that did not
mean that every data controller had equal responsibility, or had to have access
to the data to be a controller. In this case, the coordination of its members’
activity by the Jehovah’s Witnesses community made them both responsible for
the data processing. This conclusion wasn’t affected by the Treaty provision on
the autonomy of religious bodies, following the recent judgment on
discrimination law and religious bodies (discussed here). In effect, such autonomy does not grant them
a general exemption from EU law. Compliance with that law is, in effect, one
more cross for them to bear.
Comments
It makes sense that the household
exception does not apply to Jehovah’s Witnesses, given that in practice many
homeowners either do not open their doors to the eager evangelists, or slam the
doors in their faces if they do. It’s also striking that the Court takes a
broad definition of “filing systems”. That’s consistent with its broad
interpretation of the scope of EU data protection law in many cases, and its
interpretation of “data controller” reiterated here; but UK data protection
lawers will be aware that it contrasts with the narrower definition of “filing
systems” in UK
case law. The Court’s emphasis on joint responsibility of data controllers
echoes its recent judgment on Facebook and friends, as noted above.
That leads us to the broader
implications of the judgment: its potential impact on politics. There’s no
reason to doubt that the judgment applies equally to political canvassing, as
the collection of data and relationship with householders is similar, and the
Charter protection for freedom of expression would by analogy not protect
parties from the application of data protection law either. The insistence on
joint responsibility of data controllers poses a possible complication for
door-knockers of either type: they must be aware not only of the inspiring
words of Jesus Christ or Jeremy Corbyn, but also the infinitely drier text of
the GDPR, a prospect which surely enthuses not the many, but the (very, very)
few.
But while we know that EU data
protection law applies to such activities, and that responsibility is shared,
we don’t know how to apply the law in such cases, as the Court wasn’t asked.
(The earlier ruling on home security cameras similarly leaves such possible
questions unanswered). On what grounds can the data be processed? Must
homeowners give their consent to the processing for specific reasons? One can
imagine that those who are already reluctant to discuss their faith with
Jehovah’s Witnesses will be even more reluctant to discuss the minutiae of data
protection consent with them too. Can the legitimate interest of evangelists or
political canvassers justify the processing of data? Or can a statute validly
regulate this issue? (One suspects that politicians will be particularly keen
to find time to legislate to justify their own activities, if necessary).
The judgment – combined with the
recent Facebook fan page judgment – might also have implications not only at
the low-tech end of political canvassing, but at the high-tech end too. Today
sees the publication
of the UK Information Commissioner’s report into allegations of breaches of
data protection law during the Brexit referendum, including also allegations
about Facebook’s work with Cambridge Analytica. The ICO also published
suggestions on data protection law and the democratic process. (See also the
recent publications from the Electoral
Commission and an Independent
Commission on Referendums). Traditionally it’s been easier to address
concern about the fairness of political processes because people wear red or
blue rosettes when knocking on the door, or parties identity themselves in
political literature or broadcasting. It’s far harder where online political
messaging is questionably funded, poorly regulated (particularly as regarding
funding limits and foreign funding) and frequently dishonest. Recent judgments and regulatory efforts are
baby steps towards addressing these essential concerns.
Photo credit: JW.org