District Court of Central Netherlands in Utrecht rendered a decision on 8 January 2021 concerning the “naming and shaming” scheme published on a Dutch website. The court provided valuable insights into a conflict between the legitimate interests of data controller and third parties, on the one hand, and fundamental rights and freedoms of data subject, of the other, under Article 6.1(f)of the GDPR). The court applied an instructive list of criteria for a balance of interest test, which can also be applied in other similar cases.
The website in question listed nearly 900 doctors and other health care professionals (nurses, dentists, psychologists, etc.), who were registered in the state health care registry with a reprimand, suspension, or cancellation of practice. The blacklist also included health care professionals whose disciplinary measures was deregistered, as well as those against whom no disciplinary measure was registered at all. Against those non-registered individuals, the website published various allegations, such as “caused serious medical malpractice and nearly killed a patient”, “committed fraud in medical records, guilty of forgery, and left behind a patient in need”, or similar. The blacklist contained individual’s name and photo, and the healthcare entity where the blacklisted individual worked
The collision of interests
The court had to weigh against each other the right to privacy and / or honour and good name, protected by Article 8 of the European Convention on Human Rights, and the right to freedom of expression and information, protected by Article 10 of the same Convention. The website stressed that the blacklist serves the public interest because it informs and protects patients while holding the doctors accountable. On the other hand, the plaintiff (Stop Online Shaming Foundation) emphasized the importance of respecting the honour and reputation of the doctors by not exposing them to facile or frivolous allegations.
The court’s criteria for balance of interests
The court set out a detailed list of criteria which should be assessed when performing a balance of interest test in the case such as this. The relevant criteria, some of which are more important than the other in a specific case, are the following:
- the nature of the published statements and the seriousness of the anticipated consequences for the person to whom those statements relate;
- the seriousness of the wrongdoing that is denounced, viewed from a public interest perspective;
- the extent to which the available factual basis supports the statements;
- the manner in which the statements are formulated and presented;
- the degree of probability that, even without the publication of the blacklist, the pursued public interest objective would have been achieved by other less harmful means with a reasonable chance of success;
- the authority of the medium on which the statements are published; and
- the social position of the person concerned.
The data subjects’ rights are more important
The court took a stance that the importance of respecting the integrity and reputation of the doctors overrides the interests pursued by the website and third parties. The court ordered the website operator to cease publishing statements which associate the doctors with medical malpractice, under the threat of payment to the plaintiff of a penalty in the amount of EUR 10,000 per each day of not complying with the order (capped at EUR 150,000 in total).
In relation to the nature of, and the factual support for, the published statements (criteria 1-3), the court stressed that the public generally associates the term “blacklist” with prohibition to perform professional activities, and that the term therefore implies a serious accusation. The public was led to believe that all “blacklisted” doctors were responsible for serious wrongdoing, because the list failed to make distinctions among the disciplinary sanctions (e.g., a reprimand is by its nature a very different sanction from a suspension or removal). Also, it was not clear to the public that the list at issue was a privately maintained, non-official blacklist. In actuality, most of the blacklisted doctors were allowed to carry out their work as usual. The court concluded that most of the accusatory statements were without factual basis.
The court was not explicit in “tying” its seven general criteria with the specific facts in the matter. It is not entirely clear, then, which criterion the court had in mind when it determined, against the website, that removal from the list was almost impossible, so the doctors ran the risk of remaining on the list for a considerable length of time. Not only that, but the website also published information about the patient’s treatment, while the blacklisted doctors could not defend themselves due to the duty of medical confidentiality vis-à-vis the patients.
The court pointed to the fact that the defendant had already been convicted several times, even criminally, for publication of certain contents on its website. This presumably was of relevance in the assessment of the authority of the medium publishing the statements (criterion no. 6).
According to the court, the defendant could have achieved its goal with a high degree of probability and with a reasonable chance of success via another method, which could have been less harmful for the data subjects’ rights (criterion no. 5). However, the court did not further specify what would be such other method allowing the defendant to remain compliant with the GDPR.
Blacklisting impermissible when outside the control of official authority
The website fell well short of the requirements for lawful processing of personal data which occurs with the creation and maintenance of a “blacklist” of doctors. To get closer to being GDPR-compliant, the defendant should have avoided using the term “blacklist”, made it clear that it was not an official blacklist, distinguished among sanctions of various gravity, removed the statements not supported by evidence, and put reasonable conditions for removal from the list. But would all that be sufficient to outweigh the practitioners’ rights? Probably not.
The allegations against the doctors were allegations about serious wrongdoing, potentially amounting to criminal offences. Article 10 of the GDPR requires the processing of personal data related to criminal convictions and offences to be carried out “under the control of official authority”. That was not the case here. As the court notes almost in passing, in paragraph 4.11 of the decision, the processing of personal data involved was contrary to Article 10 of the GDPR.
[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as an instructive guidance for compliance with local regulations.]