The Journalism Exemption: New Official Guidance from the ICO

For the first time ever, the Information Commissioner’s Office (the “ICO”) has issued an official Code of Practice for journalists with statutory force under the GDPR (the “Code”). That should make journalists (and their lawyers) sit up and take notice because – alongside a number of other interesting clarifications – it sets out some clear red lines about future reliance on ‘journalistic purposes’ exemption that is so often invoked to cover news-gathering, publishing and archiving activity.

First, what is the guidance and why does it matter? Anyone familiar with the ICO’s website knows that there are reams of guidance available there already, so why is this document particularly exciting? The answer is because it isn’t just mere ‘guidance’, but rather it is an official code of practice that has been laid down by the ICO under the powers invested in it. In practical terms that means that,  while the new code does not amend UK legislation or create any new rules, its contents can be cited before a Court and will bear evidential weight in disputes over whether the existing rules have been followed.

That matters because the Code gives us both a clear insight into how the ICO will interpret the parts of the GDPR that apply specifically to journalism where it investigates alleged GDPR breaches and considers whether to hand out fines, but also a clear view as to how the civil courts are likely to feel they should read those same sections where aggrieved subjects of journalism bring claims for breach of the GDPR against news organisations (which they now frequently do in addition to bringing defamation claims).

There are a number of interesting points to pick up on in the Code (and some less scintillating points in which the ICO reminds organisations of the official policy documents that they are obliged to put into place) but the bits that are most likely to draw the eye are the insights that we gain into the way that the Journalism Exemption is likely to work in disputes going forwards.

To remind readers, the ‘Journalism Exemption’ is a special carve-out from the usual rules of the GDPR which allows journalists to set aside the usual rules in specific circumstances. To paraphrase the GDPR, they may do so where:

• they intend to use personal information for a journalistic purpose;
• that use is done “with a view” to the publication of journalistic material; and
• they reasonably believe that:
  • publication would be in the public interest; AND
  • complying with all of the GDPR’s usual requirements would stop them from effectively carrying out that journalistic purpose.’

It is fair to say that journalists in the UK are often enthusiastic in relying on the Journalism Exemption, seeing it as a wide-ranging exemption that can be invoked to excuse them from complying with (perhaps even thinking about) the GDPR as they go about their work. But two things in the ICO’s recent guidance stand out.

First, the bad news, the ICO has made a point in the Code of saying that the Journalism Exemption can only be called on where it is being applied to a specific “journalistic activity”, and that journalists calling on it should be able to demonstrate why they reasonably believe that there is both a “public interest in publication” of the work in question, as well as a reasonable belief that full compliance would be “incompatible” with the journalism in question.

What that means for journalists, and news organisations more broadly, is that there is no room whatsoever for ‘scope creep’ in their use of the exemption. The Code is very specific in clarifying that the exemption covers only core ‘journalistic activity’, which means news-gathering and news-publishing activity only.

That should serve as a warning to organisations that might be prone to calling on the exemption overenthusiastically. There is no longer any room to suggest that the exemption might be applied to other processes that take place at news organisations, including investigations into the conduct of individual journalists, activity that relates to the advertising/promotion of news, or decisions about how subscribers to news publications are managed. Again, that isn’t new law, but it’s a clear statement that makes it more explicit than ever that the Journalism Exemption is a narrow one that cannot be stretched to cover activity which is not ‘journalistic’ at its core.

But, the Code also contains some more welcome news about the scope of the exemption. Specifically, it clarifies what the ICO thinks the phrase “with a view to publication” means. Helpfully, the ICO has set out in writing (with statutory force, remember) that the phrase should be read as covering all journalistic activity “both before and after publication and regardless of whether you actually publish [the personal data in question]”. It is no longer open to individuals to argue that ‘with a view’ is a forward-facing statement that means the exemption only applies to pre-publication activity.

That clarification is enormously helpful to news organisations, as it allows them to call on the Journalism Exemption not only to justify decisions taken about how they go about gathering and publishing news but also decisions about whether they should continue to make published news articles available to the public where the contents of stories are challenged by aggrieved third parties.

To give some colour to that, prior to the Code’s publication there was often a difficult decision to be made by news publishers where data subjects sought to use their ‘Right To Be Forgotten’ (available to them under the GDPR) to have stories about them ‘taken down’ and removed from public view, especially where those stories contained details about their Health, Sexuality, or Political Views (all of which were ‘sensitive’ personal data, per GDPR). The Code makes that decision much easier for publishers, as it takes away any doubt about whether the Journalism Exemption can be called on post-publication.

News Organisations should probably use the publication of the Code as an opportunity to revisit and reconsider their GDPR compliance processes. Ideally, that would mean a review of their existing suite of policy documents but at the very least the ICO’s clarification of the extent of the Journalism Exemption should cause them to consider whether they have adequately trained their staff on its applicability and scope, and whether they are applying it consistently in a way that reflects the new guidance.