Annals of the University of Craiova for Journalism, Communication and Management, Volume 7, 2021 

109 

## Volume 7, 2021, 109-114 

https://doi.org/10.5281/zenodo.15249208 

## **GDPR RULES AND EXCEPTIONS FOR JOURNALISTS** 

Dan  Valeriu VOINEA , Ph.D., University of Craiova, Romania 

AUCJC 2021 7  – 109 - 114 

## **Abstract** 

This paper examines the impact of the General Data Protection Regulation (GDPR) on journalistic practices and freedom of expression. Implemented in 2018, the GDPR aims to enhance personal data protection while recognizing the need to balance these protections with freedom of expression. The study focuses on key GDPR provisions relevant to journalism, particularly Article 85, which requires Member States to reconcile data protection rights with freedom of expression. It explores the varying implementations of these provisions across EU Member States and discusses the challenges posed by the GDPR to journalistic practices, including issues related to the right to erasure and data protection in investigative reporting. The paper also considers the GDPR's global influence on data protection standards. While the GDPR has set new benchmarks for data protection, its interaction with journalistic activities remains complex and evolving. The research concludes by identifying areas for further investigation, including comparative analyses of national implementations and the long-term impact of GDPR on press freedom. 

_Keywords:_ GDPR, data protection, journalistic exemptions, freedom of expression, privacy rights, public interest, legal compliance. 

## **Introduction** 

The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, is a pivotal development in the realm of data protection laws in the European Union (EU) (Bradford et al., 2019). This regulation represents a significant milestone aimed at harmonizing data privacy laws across Europe to safeguard the personal data of all EU citizens in an era increasingly reliant on data (Correia et al., 2021). The GDPR introduces stringent measures to protect personal data and enhances individuals' rights over their information. It is a comprehensive legal instrument that governs the collection and utilization of personal data by private entities, individuals, and governmental bodies (Vanberg, 2020). The GDPR is a landmark regulation that governs data protection and privacy for individuals within the European Union and the European Economic Area. 

The GDPR has had a profound impact on global data protection regimes, emphasizing the significance of protecting personal data. This regulation has been instrumental in advancing personal information protection, especially in the context of genetic data, falling within the GDPR's special category of sensitive data (Hendricks-Sturrup et al., 2020). Furthermore, the GDPR has implications for global data markets, demonstrating how privacy laws intersect with competition and trade policies (Peukert et al., 2021). The GDPR emphasizes the lawful processing and protection of personal data, playing a crucial role in enhancing data security and privacy. It has also influenced the value dynamics for advertisers, publishers, and users in the online advertising market, showcasing the regulation's impact on various stakeholders. The GDPR's influence extends beyond the EU, with the regulation serving as a model for data protection laws globally (Peukert et al., 2021). It has prompted discussions on the alignment of data privacy laws worldwide, highlighting the need for a global convergence in data governance (Scoon & Ko, 2016). The GDPR's emphasis on transparency and privacy has sparked debates on the trade-offs between these two concepts, especially in the context of public administration and corporate governance (Erkkilä, 

Annals of the University of Craiova for Journalism, Communication and Management, Volume 7, 2021 

110 

2020). Moreover, the GDPR has raised awareness about the importance of data privacy and has led to increased scrutiny over corporate data practices and the need for appropriate legislation (Baik, 2020). 

In the context of international data transfers, the GDPR has set standards for data protection, defining adequate levels of data protection and illustrating how EU data protection rights apply to data processing in third countries (Kuner, 2017). The GDPR has also imposed restrictions on the free transfer of personal data to countries lacking adequate data protection measures, emphasizing the need to safeguard personal data across borders (Celeste & Fabbrini, 2020). Additionally, the GDPR has influenced the development of privacy laws in various regions, including Asia, where lessons from the GDPR experience have been considered in shaping data privacy principles (Chen, 2016). 

The GDPR stands as a comprehensive and influential regulation that has reshaped the landscape of data protection and privacy, setting a benchmark for global data governance and emphasizing the fundamental right to personal data protection. Its impact extends beyond the EU, influencing discussions on data privacy, transparency, and the convergence of data protection laws worldwide (Peukert et al., 2021). The GDPR's emphasis on individual rights, stringent data protection measures, and global implications underscore its significance in the evolving digital age, where data privacy and security are paramount considerations. 

The General Data Protection Regulation (GDPR) addresses the delicate balance between protecting individual privacy and upholding the fundamental right to freedom of expression, particularly in the context of journalistic activities. Article 85 of the GDPR specifically provides derogations and exemptions to reconcile data protection with freedom of expression and information, recognizing the vital role of journalism in a democratic society (Reventlow, 2020). The GDPR's provisions aim to safeguard both individual privacy rights and freedom of expression, acknowledging the importance of journalistic activities in promoting transparency and public discourse. By establishing clear guidelines and exemptions, the GDPR seeks to strike a balance that allows journalists to fulfill their essential role in society while ensuring responsible handling of personal data and compliance with data protection regulations (Reventlow, 2020). 

## **GDPR Provisions Relevant to Journalism** 

The General Data Protection Regulation (GDPR) aims to harmonize data protection laws across Europe, enhancing the protection of personal data and empowering individuals with control over their data. Despite its rigorous safeguards, the GDPR acknowledges the importance of balancing data protection with other fundamental rights, particularly freedom of expression and information. This balance is crucial for journalistic activities, which often require processing personal data to inform the public and hold those in power accountable. Several articles within the GDPR are particularly relevant to journalism, providing necessary exemptions and derogations to ensure that data protection does not unduly hinder journalistic activities. 

The underlying justification for these exemptions is the public interest in ensuring that journalism can operate freely and effectively. Journalism serves as a watchdog for democracy, holding those in power accountable and providing the public with necessary information. Without these exemptions, the stringent requirements of the GDPR could hinder the ability of journalists to collect, process, and disseminate information that is essential for public discourse and the functioning of a democratic society. 

The personal scope of the exemptions under Article 85 includes individuals and entities engaged in journalistic activities. This broadly encompasses traditional journalists, media organizations, freelance journalists, and possibly bloggers and citizen journalists, depending on national interpretations. The key criterion is the intention and activity of disseminating information to the public. 

The material scope of the exemptions covers a wide range of activities essential to journalism. These include: Collecting personal data for the purpose of reporting news; Investigating and researching 

Annals of the University of Craiova for Journalism, Communication and Management, Volume 7, 2021 

111 

stories; Storing and processing information relevant to journalistic content; Publishing and disseminating journalistic material. Exemptions are typically applied to principles such as data minimization, data subject rights (e.g., access, rectification, erasure), and obligations related to data processing (e.g., impact assessments, consent requirements). 

Article 85 explicitly addresses the need to balance data protection with freedom of expression and information  (Limba, 2021). It mandates that Member States must reconcile these rights by law, especially in the context of journalistic activities. " _Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression_ " (GDPR, Article 85). Furthermore, Article 85 requires Member States to provide exemptions or derogations from several chapters of the GDPR for journalistic purposes if necessary to balance these rights.  Journalism often involves the processing of personal data for reporting purpose and article 85 provides a framework for this delicate balance, ensuring that journalistic activities are not unduly restricted by data protection requirements (Mekovec & Peras, 2020). All these responsabilities also come with risks and costs, causing even a possible segmentation of the global media sphere. (Smolenskiy & Levshin, 2021) 

Article 86 allows personal data in official documents held by public authorities to be disclosed in accordance with Union or Member State law, balancing public access to information with data protection rights. " _Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation_ " (GDPR, Article 86). 

Article 89 ensures that processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes includes appropriate safeguards to protect data subjects’ rights and freedoms. It also provides for possible derogations from certain data subject rights under specific conditions. 

" _Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation_ " (GDPR, Article 89). 

Price et al. (2019) discusses the GDPR's requirement for appropriate safeguards to protect individual privacy rights, including in Article 89, concerning research exceptions. This highlights the need for safeguards even in research contexts, which could be relevant to journalism when conducting investigative reporting that involves data processing. Journalists often engage in investigative reporting that may involve processing personal data, and understanding the need for safeguards to protect individuals' privacy rights is crucial. 

Article 17 of the General Data Protection Regulation (GDPR) pertains to the right to erasure, also known as the right to be forgotten, whereas retaining personal data is necessary for exercising freedom of expression and information. " _Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (a) for exercising the right of freedom of expression and information_ " (GDPR, Article 17). This right allows individuals to request the deletion or removal of personal data when there is no compelling reason for its continued processing. In journalism, the right to erasure under Article 17 of the GDPR may 

Annals of the University of Craiova for Journalism, Communication and Management, Volume 7, 2021 

112 

intersect with the publication of news articles or reports that contain personal data. Journalists need to be aware of individuals' rights to request the removal of their personal data from journalistic content under certain circumstances. This right to erasure can pose challenges for journalists in balancing the public's right to information with individuals' rights to data protection and privacy. Journalistic organizations must establish protocols for handling requests for data erasure in compliance with the GDPR. While freedom of the press is a fundamental right, journalists must navigate the requirements of data protection regulations, including the right to erasure, to ensure ethical and legal reporting practices. By understanding and respecting individuals' rights under Article 17 of the GDPR, journalists can uphold professional standards while safeguarding individuals' privacy rights. 

## **Further research** 

Understanding the implementation of Article 85 and its purpose across different EU Member States is crucial. Future research should explore how various countries have legislated to balance the right to data protection with freedom of expression. This includes examining national laws and regulations that provide the legal basis for these exemptions and their justification in the context of public interest. A comprehensive analysis of the public interest rationale in the context of journalism could also be essential. Research should investigate how public interest is defined and applied in different jurisdictions and its impact on journalistic activities. This could include case studies of significant journalistic investigations and the role of public interest in justifying the processing of personal data. A detailed comparative analysis of how different EU Member States implement GDPR exemptions for journalism is also needed. 

This includes examining national laws, regulatory guidelines, and enforcement practices. Case studies from countries like the UK, Austria, Romania, and Bulgaria can illustrate the diversity in implementation and highlight best practices. Research could also explore the criteria for the public interest test required to justify journalistic exemptions. This includes defining what constitutes public interest in journalism and providing examples of how this test is applied in practice. Comparative studies can reveal differences in standards and practices across Member States. 

## **Conclusions** 

The General Data Protection Regulation (GDPR) represents a landmark in data protection laws within the European Union, setting stringent measures to safeguard personal data and enhance individual rights in a data-driven era. Its comprehensive scope governs the collection and utilization of personal data across various sectors, ensuring robust protection for EU citizens. While the GDPR's stringent requirements mark a significant step forward in data privacy, its implications extend beyond the EU, influencing global data protection standards and sparking discussions on the convergence of data privacy laws worldwide. 

A critical aspect of the GDPR is its balance between data protection and freedom of expression, particularly in the realm of journalism. Articles such as 85, 86, 89, and 17 provide specific exemptions and derogations to ensure that the regulation does not unduly hinder journalistic activities essential for democratic transparency and public accountability. These provisions underscore the GDPR’s acknowledgment of the vital role of journalism in a democratic society, balancing the need to protect personal data with the imperative of freedom of expression. 

The national implementations of these journalistic exemptions vary across EU Member States, reflecting diverse legal traditions and priorities. Countries like the UK, Austria, Romania, and Bulgaria provide 

Annals of the University of Craiova for Journalism, Communication and Management, Volume 7, 2021 

113 

illustrative examples of how these exemptions are integrated into national laws, offering insights into best practices and challenges in balancing data protection with journalistic freedom. 

Further research is necessary to explore the nuances of these national implementations, particularly how different jurisdictions define and apply the public interest rationale in journalism. Comparative studies can shed light on the standards and practices across Member States, enhancing our understanding of the criteria for justifying journalistic exemptions. Additionally, examining case studies of significant journalistic investigations can provide practical insights into the role of public interest in processing personal data. 

Overall, the GDPR's influence extends beyond data protection, shaping global discussions on data privacy, transparency, and governance. By understanding and respecting individual privacy rights while accommodating the essential functions of journalism, the GDPR sets a benchmark for ethical and legal practices in the evolving digital age. Future research will continue to inform the development of balanced data protection frameworks that uphold both privacy and freedom of expression, ensuring a robust and accountable information landscape. 

## **References** 

Baik, J. (Sophia). (2020). Data Privacy and Political Distrust: Corporate ‘Pro Liars,’ ‘Gridlocked Congress,’ 

and the Twitter Issue Public Around the US Privacy Legislation. Information Communication & Society. https://doi.org/10.1080/1369118x.2020.1850839 

Bitiukova, N. (n.d.). JOURNALISTIC EXEMPTION UNDER THE EUROPEAN DATA PROTECTION L AW. 

Bradford, A., Chilton, A. S., Linos, K., & Weaver, A. (2019). The Global Dominance of European Competition 

Law Over American Antitrust Law. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3339626 

Celeste, E., & Fabbrini, F. (2020). Competing Jurisdictions: Data Privacy Across the Borders. https://doi.org/10.1007/978-3-030-54660-1_3 

Chen, J. (2016). Book Review: Asian Data Privacy Laws: Trade and Human Rights Perspectives. Script-Ed. https://doi.org/10.2966/script.130116.105 

Correia, M., Rêgo, G., & Nunes, R. (2021). Gender Transition: Is There a Right to Be Forgotten? Health Care Analysis. https://doi.org/10.1007/s10728-021-00433-1 

Erkkilä, T. (2020). Transparency in Public Administration. https://doi.org/10.1093/acrefore/9780190228637.013.1404 

Hendricks-Sturrup, R., Cerminara, K. L., & Lu, C. Y. (2020). A Qualitative Study to Develop a Privacy and Nondiscrimination Best Practice Framework for Personalized Wellness Programs. Journal of Personalized Medicine. https://doi.org/10.3390/jpm10040264 

Kuner, C. (2017). Reality and Illusion in EU Data Transfer Regulation Post<i>Schrems</I>. German Law Journal. https://doi.org/10.1017/s2071832200022197 

Mekovec, R., & Peras, D. (2020). Implementation of the General Data Protection Regulation: Case of 

Higher Education Institution. International Journal of E-Education, e-Business, e-Management and e-Learning, 10(1), 104–113. https://doi.org/10.17706/ijeeee.2020.10.1.104-113 

Peukert, C., Bechtold, S., Batikas, M., & Kretschmer, T. (2021). European Privacy Law and Global Markets 

for Data. Academy of Management Proceedings. https://doi.org/10.5465/ambpp.2021.12506abstract Price, W. N., Kaminski, M. E., Minssen, T., & Spector-Bagdady, K. (2019). Shadow health records meet new data privacy laws. Science (New York, N.Y.), 363(6426), 448–450. https://doi.org/10.1126/science.aav5133 

Regulation—2016/679—EN - gdpr—EUR-Lex. (n.d.). Retrieved July 24, 2024, from https://eurlex.europa.eu/eli/reg/2016/679/oj 

Annals of the University of Craiova for Journalism, Communication and Management, Volume 7, 2021 

114 

Reventlow, N. J. (2020). Can the GDPR and Freedom of Expression Coexist? Ajil Unbound. https://doi.org/10.1017/aju.2019.77 

- Scoon, C., & L. Ko, R. K. (2016). The Data Privacy Matrix Project: Towards a Global Alignment of Data Privacy Laws. https://doi.org/10.1109/trustcom.2016.0305 

- Šidlauskas, A. (2021). The Role and Significance of the Data Protection Officer in the Organization. Socialiniai Tyrimai, 44(1), Article 1. https://doi.org/10.15388/Soctyr.44.1.1 

- Smolenskiy, M., & Levshin, N. (2021). GDPR implementation as the main reason for the regional fragmentation in the online mediasphere. E3S Web of Conferences, 273, 08099. https://doi.org/10.1051/e3sconf/202127308099 

- Vanberg, A. D. (2020). Informational Privacy Post GDPR – End of the Road or the Start of a Long Journey? The International Journal of Human Rights. https://doi.org/10.1080/13642987.2020.1789109
