Professor Steve Peers, University of Essex
You’re in the shower, and the doorbell rings. It might be the Amazon delivery you were expecting, with your daughter’s present – and it’s her birthday tomorrow. You leap out of the shower and dash wetly down the stairs to open the door in time. But it’s only a couple of Jehovah’s Witnesses.
After responding to their entreaties in much the same way that Boris Johnson responds to business, you close the door, and think no more about them. Yet they are still thinking about you. In order to focus more effectively on who to bother about God again, they keep a record of each household they visit, with categories of (say) “Believer”, “Unbeliever”, or (if you couldn’t find a towel) “Satanist”.
It’s not just religious enthusiasts who might knock on your door and gather personal data, of course. There are also businesses, charities and political canvassers. For the Brexit Referendum, I joined the local Labour party to knock on doors in the leafy London Borough of Remainey. If I recall correctly, we kept records of voters in the categories of “Remain”, “Leave”, “didn’t say” and “absent”. (It seems the Labour party has stopped using the category of “Bigoted Woman”).
These activities are of interest not just to preachers or spin doctors, but also data protection authorities. But does data protection law apply at all to such door-knocking? The CJEU answered that question yesterday, in a new judgment answering questions raised in a dispute between the Finnish data protection board and Jehovah’s Witnesses.
The Finnish data protection board had ordered the Jehovah’s Witnesses to stop processing personal data unless they complied with Finland’s version of the EU’s data protection Directive (since replaced by the infamous GDPR). The board asserted that both the religious community and its members were “data controllers” with liability for the correct application of data protection law. A lower court agreed with the legal challenge brought by the Jehovah’s Witnesses, but on appeal a court asked the CJEU to interpret the relevant provisions of EU law.
In practise, the Jehovah’s Witnesses take records (names, addresses, religion, family status) of their meetings with householders. There’s also a list (perhaps a rather longer one) of those who would like the Jehovah’s Witnesses never to darken their door again. The dispute concerned the main list: did it fall within the scope of EU law at all, or was it rather outside the scope of that law because of the “household exception” or the non-exhaustive security exception to it, or because the notes were too disorganised to form part of a “filing system”. Furthermore, if the Directive did apply, were both the community and its individual members data controllers?
The CJEU began by asserting that the exception for state security and similar areas did not apply to Jehovah’s Witnesses, as that exception could only apply to acts of the State. Secondly, the household exception did not apply either, because following prior case law on home security cameras (discussed here), that exception did not apply to activity directed outward from the household. While proselytisation was covered by the EU Charter of Rights as an aspect of freedom of religion, that did not mean that door-knocking fell within the household exception.
Next, was the note-taking part of a “filing system”? The Court ruled that the Directive “broadly defined” this notion: the requirement that the data be “structured according to specific criteria” is “simply intended to enable personal data to be easily retrieved” (para 57). No data sheets, specific lists, or other method of processing personal data was necessary to show the existence of a “filing system”. In this case, it was sufficient that the data was structured according to the Jehovah’s Witnesses’ criteria for a “filing system” to be present.
Finally, are there multiple data controllers here? Following its recent judgment on Facebook fan pages (discussed here), the CJEU reiterated a “broad definition” of that concept, although that did not mean that every data controller had equal responsibility, or had to have access to the data to be a controller. In this case, the coordination of its members’ activity by the Jehovah’s Witnesses community made them both responsible for the data processing. This conclusion wasn’t affected by the Treaty provision on the autonomy of religious bodies, following the recent judgment on discrimination law and religious bodies (discussed here). In effect, such autonomy does not grant them a general exemption from EU law. Compliance with that law is, in effect, one more cross for them to bear.
It makes sense that the household exception does not apply to Jehovah’s Witnesses, given that in practice many homeowners either do not open their doors to the eager evangelists, or slam the doors in their faces if they do. It’s also striking that the Court takes a broad definition of “filing systems”. That’s consistent with its broad interpretation of the scope of EU data protection law in many cases, and its interpretation of “data controller” reiterated here; but UK data protection lawers will be aware that it contrasts with the narrower definition of “filing systems” in UK case law. The Court’s emphasis on joint responsibility of data controllers echoes its recent judgment on Facebook and friends, as noted above.
That leads us to the broader implications of the judgment: its potential impact on politics. There’s no reason to doubt that the judgment applies equally to political canvassing, as the collection of data and relationship with householders is similar, and the Charter protection for freedom of expression would by analogy not protect parties from the application of data protection law either. The insistence on joint responsibility of data controllers poses a possible complication for door-knockers of either type: they must be aware not only of the inspiring words of Jesus Christ or Jeremy Corbyn, but also the infinitely drier text of the GDPR, a prospect which surely enthuses not the many, but the (very, very) few.
But while we know that EU data protection law applies to such activities, and that responsibility is shared, we don’t know how to apply the law in such cases, as the Court wasn’t asked. (The earlier ruling on home security cameras similarly leaves such possible questions unanswered). On what grounds can the data be processed? Must homeowners give their consent to the processing for specific reasons? One can imagine that those who are already reluctant to discuss their faith with Jehovah’s Witnesses will be even more reluctant to discuss the minutiae of data protection consent with them too. Can the legitimate interest of evangelists or political canvassers justify the processing of data? Or can a statute validly regulate this issue? (One suspects that politicians will be particularly keen to find time to legislate to justify their own activities, if necessary).
The judgment – combined with the recent Facebook fan page judgment – might also have implications not only at the low-tech end of political canvassing, but at the high-tech end too. Today sees the publication of the UK Information Commissioner’s report into allegations of breaches of data protection law during the Brexit referendum, including also allegations about Facebook’s work with Cambridge Analytica. The ICO also published suggestions on data protection law and the democratic process. (See also the recent publications from the Electoral Commission and an Independent Commission on Referendums). Traditionally it’s been easier to address concern about the fairness of political processes because people wear red or blue rosettes when knocking on the door, or parties identity themselves in political literature or broadcasting. It’s far harder where online political messaging is questionably funded, poorly regulated (particularly as regarding funding limits and foreign funding) and frequently dishonest. Recent judgments and regulatory efforts are baby steps towards addressing these essential concerns.
Photo credit: JW.org