What is this about?
In what at first sight seems an unusual case concerning Jehovah’s Witnesses and personal data the European Court has ruled on a number of significant data protection issues. The case confirms some aspects of data protection law which were the subject of debate and will be helpful for organisations trying to work out their liability under the General Data Protection Regulation (GDPR).
Some technical terms are used in this note which are explained in our glossary here http://bit.ly/gdprwords.
What is the background to the case?
In this case the Jehovah’s Witnesses religious community (“the Jehovah’s Witnesses”) in Finland took notes whilst undertaking door-to-door visits to people they did not know. The personal data involved was names and addresses along with information about religious beliefs and family circumstances. The Jehovah’s Witnesses said that it was collected as a memory aid so that it could be retrieved for subsequent visits. This was done without the knowledge or consent of the individuals involved. Maps were also created from which areas were allocated between the members who engaged in door-to-door activities. Suppression lists were also created of people who had asked not to be called on again.
The Finnish data protection authority (Tietosuojavaltuutetun Toimisto) prohibited the Jehovah’s Witnesses from collecting or processing personal data when it undertook door-to-door preaching by its members unless the relevant requirements of the Finnish data protection legislation were complied with. The Jehovah’s Witnesses challenged the regulator’s decision which went through the Finnish courts and eventually ended up in a reference for a preliminary ruling sent to the European Court on the interpretation of the then existing EU data protection legislation (which has now been replaced by GDPR).
What did the European Court decide?
The European Court ruled that:
- The door-to-door preaching by the Jehovah’s Witnesses was not a purely personal or household activity and the data protection legislation exemption on this (often called the domestic purposes exemption) did not apply; and
- The data was covered by data protection law even in this hardcopy format. EU data protection law applies to manual data processing where data processed in this way forms part of a filing system. This concept of a filing system covers a set of personal data collected in the course of door-to-door preaching consisting of the names and addresses and other information concerning the individuals contacted, if those data are structured according to specific criteria which in practice enable them to be easily retrieved for subsequent use. The court also said that in order for such a set of data to fall within that concept it isn’t necessary that they include data sheets, specific lists or other search methods. The maps were also covered by data protection law because of the notes made on them.
The court therefore ruled that the processing of personal data in connection with door-to-door preaching has to comply with EU data protection rules.
Further, the court also ruled that a religious community can be a data controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the members in the context of door-to-door preaching organised, coordinated and encouraged by that community. It was not necessary that the community has access to the data nor was it necessary to establish that the community had given its members written guidelines or instructions in relation to processing that data.
What are the takeaways?
There are a number of takeaways:
- Hardcopy data is in scope. As mentioned, this ruling concerned the previous EU data protection regime, but it can be reasonably assumed that the same approach would apply under GDPR (e.g. see Article 2(1) and Recital 15 concerning manual processing and filing systems). Whilst this part of the ruling might be obvious it’s a useful reminder of an organisation’s responsibilities under GDPR.
- It is quite easy to become a data controller. We often see that people assume they can’t be a data controller because someone else is. Again whilst this case doesn’t make new law here it’s a useful reminder. A key takeaway here is to not assume that in a given situation an organisation is not a data controller – note also that the European Court made recently made a ruling in this vein about joint controllers in the context of a Facebook fan page that we have written about here: http://www.corderycompliance.com/client-alert-european-court-facebook-fan-page-ruling/).
- The domestic purposes exemption is limited. We’ve often seen people try and rely on the domestic purposes exemption. This exemption is not as wide as some people think it is.
- Organisations need to make sure they have a system in place to deal with hardcopy data. Whilst this case did not concern Subject Access Requests (SARs) we know that there’s a significant increase in the number of SARs made since GDPR came in in May. The one month deadline for dealing with a SAR can be tight and organisations may want to investigate technology to assist in dealing with hardcopy data perhaps using OCR technology to make the data searchable and to ease redaction.
We have more articles on data protection issues, including European Court rulings, here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/.
Cordery’s GDPR Navigator includes more resources to help deal with SARs including a specimen internal policy for all employees and a guidance note for those handling SARs – for more on Navigator please see here: http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/
The judgement in this case can be found here: http://bit.ly/2Lg8ALn
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1785
Office: +44 (0)207 075 1784