GDPR and media monitoring or measurement activities
GDPR and media monitoring or measurement activities
Guest article by Florence Gaullier, Vercken & Gaullier Law Firm, Partner
The General Data Protection Regulation (GDPR) is a European Regulation which will come into application on May 25, 2018. Part of the Digital Single Market strategy of the European Commission, the goal of this regulation is to build identical rules in all European countries concerning personal data protection, with a high level of protection for European citizens, which is also allowing free flows of personal data through European countries.
Before everything, the GDPR is here to protect individuals’ privacy. It is here to ensure the efficiency of this fundamental right and this is essential, because, with open data, big data and artificial intelligence, companies and public bodies can have extremely precise knowledge on individuals’ interests, lives and behaviours. This “super knowledge” brings at the same time “super consequences” for individuals in terms of privacy, discrimination, algorithmic confinement, etc.
On the other hand, European citizens’ datarepresents a big opportunity for EU companies: they represent a potential economic growth of nearly €1 trillion per year by 2020. That is why it so important that individuals can trust companies which are processing their data. Indeed, if companies want to benefit from this value, they need that people are not afraid to let access to their data. They need people’s trust. So, by protecting personal data and applying GDPR, companies will find their own interests.
Furthermore, the risks for companies which do not respect the GDPR are very high: for the infringement of key provisions/key data protection principles, the risk is up to 4% of the total global annual turnover of the group of companies. This is one of the most important changes in the GDPR.But the risks are also a prejudice of image for the company and the loss of trust from consumers and clients, which could also bring to class-actions.
Besides, the GDPR is not only applying to European companies, but also to all non-EU companies that are processing data relating to European citizens.
For all these reasons, GDPR is a very important topic.
Why are media monitoring or measurement activities impacted?
Every business is impacted because every business is processing personal data.
Indeed, personal data means “any information relating to an identified or identifiable natural person”. An identifiable natural person is a person “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number”. Unsurprisingly, it will be for instance names, postal addresses, email addresses, phone numbers, etc. But the definition of personal data does not only cover obvious likely identifiers. It is much broader: It also encompasses IP addresses or cookies as it is possible to identify an individual indirectly through such data. Also, an information taken as such (for instance a postal code) may not be considered as a personal data, but when combined with other information (with age, gender, profession…) becomes personal. Personal data are also all data that a company has about or related to a person (what this person has bought, when, etc.).
It is also important to keep in mind that:
The fact that a data is related to the professional activities of a data subject has no influence on its personal nature.
The fact that the data are public (because they have been posted on social media by the individuals themselves for example) has no influence on their personal nature and their need for protection.
As a result, information that allow media monitoring companies to identify a person are personal data (for instance: the data subject’s name, IP addresses, other online identifiers assigned through a cookie or a tag, combination of information such as the gender, the function occupied and the name of the company of the person). Are also personal data any data related to a person identified or identifiable (for instance, the information that this person likes watching TV shows or that this person was quoted in a press article).
Applied to media intelligence’s activities, various personal data may thus be collected and processed such as:
Journalists and influencers’ names, email addresses, phone numbers, pictures, information on their lifestyles, preferences, habits, political points of view, etc.
Names and other personal information of persons mentioned in articles, TV content or posts on social media
Names, email addresses and professional functions of MMO’s platforms’ users
Online tracking information (online identifier, online activities in particular relating to MMO’s platforms’ users: what they are reading, which device they are using to access to the platforms…)
HR data (like all businesses)
All this is personal data processed by media monitoring or measurement companies. That is why they will have to comply with GDPR.
What does it mean to apply GDPR in the media monitoring or measurement sector?
As a general overview of media monitoring or measurement companies’ obligations as data controllers and their practical implications, we can list the following obligations and implications:
Media monitoring or measurement companies will generally need to appoint a DPO (Data Protection Officer) because their activities can be considered as consisting “of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”.
Before the collection of personal data, media monitoring or measurement companies must precisely define the purpose pursued by the processing. They will then not be able to use the data for another purpose except if this purpose is compatible with the purposes for which the personal data were initially collected. They will then have to anticipate as much as possible for every data processing the purposes that will be pursued. Also, media monitoring or measurement companies will have to review their privacy notices and to specify as far as possible the purposes for which personal data is likely to be used. However, these purposes will need to be real (and not only hypothetical) or to become real in a short term.
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, media monitoring or measurement companies shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a “PIA”).They will especially have to identify during the PIA the measures envisaged to address the risks to the rights and freedoms of data subjects, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR. In our opinion, media monitoring or measurement companies may perhaps need to carry out PIAs for the processing of data collected on social media for instance, especially if they are used to create profiles. Where it appears that a data processing is likely to present particular risks despite the safeguards and security measures envisaged, the data controller must consult the relevant data protection authority (DPA) prior to the implementation of the processing. In our opinion, this obligation should not concern many data processing in the media monitoring or measurement sector.
Media monitoring or measurement companies will need to implement appropriate technical and organizational safeguards designed to integrate data protection principles from the earliest stage of every project entailing personal data’ collection and throughout its lifecycle and ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed (“privacy by design” and “privacy by default” principles). In practice, it means that media monitoring or measurement companies may need to:
use techniques such as pseudonymization when practicable;
allow the access to personal data on a need-to-know basis;
minimize the amount of personal data collected;
not store personal data under an identifiable form for longer than required for its activities.
Data processing can only be lawful if it relies upon one of the basis listed in the GDPR, such as, subject to some conditions:
the consent of the data subject (which is generally not the most adequate basis in the media monitoring or measurement sector);
the contract to which the data subject is party;
the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject)
the compliance with a legal obligation.
Media monitoring or measurement companies will need to check which legal basis is applicable for each data processing.
They will also have to ascertain an adequate retention period for each type of data and put in place technical and organizational measures to ensure that, at the expiration of each period, the data are either erased or anonymized.
Media monitoring or measurement companies shall also provide the data subject with several information (13 or 14 points are required) such as:
the purposes of the data processing;
the recipients of the data;
the retention period of the data;
the data subjects’ rights,
They shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of varying likelihood and severity for the rights and freedoms of natural persons. In some cases, Media monitoring or measurement companies may need to:
encrypt the data and use secured channels for data transmission;
ensure that strong and frequently renewed passwords are used;
regularly test, assess and evaluate the effectiveness of the measures taken to ensure the data security.
Media monitoring or measurement companies shall only appoint processors that provide sufficient guarantees to meet the requirements of the GDPR, ensure that the contracts with the processor stipulate several obligations and provisions listed in the GDPR and regularly audit processors to verify the compliance with GDPR.
They will also need to facilitate the exercise of the data subjects rights (rights of access, to rectification, to erasure, to restriction of processing, to data portability and to object)and provide information or take action as a rule within one month of receipt of the request.
In the event of a data breach (an unauthorized person accesses to the users’ ID and passwords for instance), the media monitoring or measurement companies must:
report the breach to the data protection authority without undue delay and, where feasible, not late than 72 hours after having become aware of it;
in some cases, report it to every affected individual without undue delay.
They shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR (accountability). It means that they will need to document the implementation and the compliance of every data processing in order to be able to demonstrate at any time their compliance with the GDPR. For instance, internal documents relating to the decision-making process on the enforcement or not of a particular obligation only needed in some circumstances will have to be established to justify the final decision made
What are the very specific issues by the implementation of all these obligations in the media monitoring or measurement sector?
In my opinion, the most specific issues for media monitoring and measurement companies are the questions relating (i) to the scope of the journalism exception, (ii) to the legal basis and (iii) to the data subjects’ information in relation to media monitoring or measurement companies’ processing of media content.
(i) Indeed, by offering media monitoring or measurement services, media monitoring and measurement companies have developed their own data processing which are separate from the publishers’, TV broadcaster’s or social media platforms’ processing. In other words, the fact that data collected by media monitoring companies are extracted from publishers’, TV broadcasters’ or social media’s own processing (which, for some of them can be covered by the journalism exception of article 85 of GDPR) does not exempt MMO’s from respecting data protection rules for their own processing, which are autonomous. One of the issue in the GDPR implementation in this sector is then to consider if media monitoring and measurement processing could be covered by article 85 of GDPR which states:
“1.Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
2. For processing carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor),Chapter V (transfer of personal data to third countries or international organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.”
It could be claimed that media monitoring and measurement companies are intermediaries between media environment and final clients who cannot monitor and analyse by themselves all the news. Then their role is central, and it could be supported that there are no freedom of expression or freedom of information without companies which monitor, analyse and spread the news. In this perspective, we can mention the ECJ case law. Indeed, in the Satamedia case (December 2008, 16 - C-73/07) the ECJ held that processing of personal data must be considered as "solely for journalistic purposes" if the sole object of those activities is the disclosure of information, opinions or ideas to the public, and that also personal data files which contain solely, and in unaltered form, material that has already been published in the media, fall within the scope of application of the Directive (which contained the same exemption possibility for journalistic purposes as in GDPR).Recital 153 of the GDPR goes in the same direction and states that “in order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.”
But, as the European Commission noticed in its impact assessment accompanying its proposal of GDPR in 2012 each Member State has a different interpretation of this exemption, and GDPR seems not to change this situation…`
Media monitoring and measurement companies shall then be very vigilant and check the scope of the journalistic exemption in the countries where they are acting. Indeed, when the journalistic exemption is applicable, many GDPR obligations are not applicable to the processing.
(ii) Regarding the legal basis of the processing, the main question is to know whether media monitoring or measurement processing can rely on the legitimate interest basis or must, in certain cases, be based on the consent of data subjects.
(iii) Regarding the information of data subjects, one of the question is to know if data subjects must be individually informed on media monitoring or measurement processing or if media monitoring or measurement companies could rely on article 14.5 (b) which states that data subjects’ information will not apply if “the provision of such information proves impossible or would involve a disproportionate effort, (…). In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available”.
As always in legal matters, answers are not black or white, and there is a large margin of interpretation, which is also a matter of risks assessment.
Florence Gaullier, partner at Vercken & Gaullier Law Firm, is specialised in copyright in all traditional sectors (Press and book publishing, Radio, TV, Music, etc.) but also in the digital sector and in IT law (e-commerce, data protection, etc.) at French and European level. She has a very specific knowledge in the collective management of rights and in the media monitoring sector. She is also in particular in charge of data protection compliance audits and assists clients during audits of the French Data Protection Authority (CNIL). She advises and assists several clients in their lobbying actions in France and in the EU, especially AMEC and FIBEP, in all these fields. Her Firm is ranked in the most recognised international law firms rankings for many years (Legal 500, Chambers and Partners, Managing IP, Media Law International, etc.). In 2018, for the second consecutive year, the firm won the Award of “French Copyright Firm of the Year” from Managing Intellectual Property.