21 November 2018

How GDPR hobbles investigative journalism


The story of James Goldsmith versus Private Eye is the classic tale of how one rich individual can use a volley of legislation to stifle investigative reporting. “Attacking the distributors was designed to put the Eye out of business, not to redress the libels,” is how the magazine’s QC Geoffrey Bindman described the 60 different writs issued against those who sold the magazine, not just those who had written it.

Ironically, considering Goldsmith’s original campaigning for a referendum on the UK’s membership of the EU, its recent GDPR directive offers a similar weapon for those looking to silence the media. The law, which Parliament implemented in May, means that news organisations could soon find themselves in a similar Private Eye shaped trap, peppered with expensive litigation suits until one eventually sticks.

GDPR governs the retention of personal data by any organisation, including media companies. While there is supposed to be a journalistic exemption, there are currently hordes of privacy lawyers bouncing like velociraptors charging an electric fence looking to find precedent-setting holes in this journalistic defence.

The main area of weakness in the defence is twofold; can journalists justify retaining all the data for any upcoming stories they are planning to publish, and once the story is published can they still hold on to all these pieces of data?

These gaps offer potential litigants an opportunity to ask if individual pieces of data gathered by a news organisation are bound by the provisions of the journalistic defence, and swamp their defences accordingly. Stories would have to be weighed up versus the probability of a subject access request (being required to hand over all the data you have on an individual), the chances of defending it, and ultimately the cost of defending it.

Private Eye has already told how one businessman who got wind of their investigation has started to bombard them with so-called subject access requests, that is being required to hand over all the data you have on an individual. When IPSO’s own practice code means that journalists have to put allegations to those they are investigating, it’s not hard for wealthy wrongdoers to find out who is doing the digging. It is also easy to see the probable chilling effect on investigative journalism in all except the wealthiest of newspapers.

Just such a case has happened in Romania, another EU member state now subject to GDPR, where the new law is being used to silence an investigation.

Liviu Dragnea is the leader of Romania’s Social Democratic Party. He is also accused by the EU’s own investigators of embezzling €21million from EU structural funds earmarked to pay for Romania’s roads to be upgraded.

The funds were originally given to a company called Tel Drum SA whose ownership is obscured through bearer shares and which, unbelievably given this opaque structure, has so far received €400 million of EU money. Dragnea denies these charges and rejects any connection with Tel Drum SA or the corporation’s business.

However, the RISE Project, a collective of Romanian investigative journalists has started drawing the links between Dragnea and the businessmen associated with the company, including photographs of them on holiday together. After posting pictures of Dragnea on holiday in Brazil, RISE Project were hit with the aforementioned subject access request demanding to know “who their source was, how they stored the documents, and what other personal information RISE Project has on Dragnea.”

The writ comes from Romania’s Data Protection Authority, the national body the GDPR requires each EU member state to set up to process and administer requests under the new rules. In a sign perhaps of just how useful this authority will be to people who don’t want journalists to look into their affairs too closely, the president of the Romanian Data Protection Authority, Ancuța Gianina, was appointed by Dragnea’s Social Democratic Party, and is herself under investigation for corruption.

Thanks to GDPR, the RISE Project now faces daily fines of €650 per day until it complies with the subject access request. Entertainingly the journalists at least have one defence in that under GDPR they are not allowed to reveal confidential sources for fear of breaking their own data protection rights. Although one imagines defending these charges in court and allowing judges to weigh what data can be handed over to those they are investigating is not going to help this collective with their future investigations.

Activists have cried foul over this case and complained that the use of GDPR as a backdoor privacy law is not how the law was envisaged. However, another view is that GDPR is a typical EU piece of legislation. It favours those with money over those who do not. It is trying to shoehorn the same standards across 28 different countries with remarkably different attitudes to corruption and the law.

When push comes to shove, as amply illustrated by an EU court order preventing the publication of MEP’s expenses, the EU prefers privacy to scrutiny. One wonders if it would have been enough to make Sir Jimmy back Remain.

Henry Williams is a writer based in London.