On 20 November 2020, the Austrian Federal Administrative Court issued a judgement. Contrary to the decision of the Data Protection Authority (“DPA”), the Court found a violation of the data subject’s rights. The judgement has shown how two different authorities can come to opposite conclusions based on the same facts and methodology.
The judgement concerns an ex-convict’s processing of a prison guard’s personal data. Upon his release from prison, the ex-convict exposed the bad conditions in the prison through his television appearances and activity on his Facebook page. On the Facebook page, the ex-convict shared with the public a video link of his television interview. He also wrote in the Facebook post that he was thankful to the prison guard for input regarding the bad prison conditions and mentioned the prison guard’s affiliation with a trade union. Upon the prison guard’s complaint to the DPA, the DPA found that there was no violation of the complainant’s rights. However, the Court disagreed, found a violation of the prison guard’s rights, and ordered the ex-convict to delete the Facebook post.
Data processing (not) for journalistic purposes
The DPA and the Court dealt with the question of whether the ex-convict’s Facebook post amounted to data processing for journalistic purposes. If the processing was performed for journalistic purposes, it would be exempt from the application of certain chapters of the GDPR. Article 85 of the GDPR and § 9 of the Austrian Data Protection Act provide for these exemptions in the context of freedom of expression and information.
The ex-convict argued that his Facebook post was made for journalistic purposes. The ex-convict stated that he is the publishing director and journalist of a magazine whose articles are available online, and that the Facebook page was connected with the magazine. However, the DPA’s stance, which was later confirmed by the Court, was that the ex-convict processed the prison guard’s personal data in his capacity as a private person. The Facebook page had no recognizable reference to the magazine, and the ex-convict had not received an order from the magazine (as the employer) to write the post. The DPA also referred to the consistent case law of the Court of Justice of the European Union, according to which any exceptions and restrictions with regard to protection of personal data should be limited to what is absolutely necessary.
Limits to the processing of publicly available data
In the Facebook post, the ex-convict mentioned the prison guard’s affiliation with a trade union. The ex-convict obtained this information through the official website of the trade union, where the prison guard is designated as the deputy chairman of the organisation. The ex-convict argued that, because the prison guard himself appears in public in his capacity as deputy chairman, he has made his personal data publicly available and thereby waived his right to data secrecy.
According to the DPA’s decision, publicly available personal data are not ipso facto excluded from the scope of data protection law. The Court further emphasized that the prison guard’s data appeared on the website in connection with his trade union activities. The purpose of making the data publicly available was to make the composition of the trade union known and to provide contact details in the context of trade union activities. Any use outside the context of employee representation fell outside the purpose for which the data were made publicly available.
Balancing test – freedom of expression vs. protection of personal data
Since the processing of personal data, including publicly available personal data, requires a valid legal basis, the DPA examined the ex-convict’s legitimate interest in freedom of expression as a potential basis. The DPA concluded that the ex-convict’s interests overrode the prison guard’s interest in the protection of personal data. In weighing the conflicting interests, the DPA used the criteria which the European Court of Human Rights formulated for determining if processing for journalistic purposes occurred. According to the DPA, these criteria may also be used for the balancing of the parties’ legitimate interests. Specifically, the DPA and the Court assessed the following:
- Does the data processing contribute to a debate of general interest?
- How prominent is the person in question?
- What is the subject of the publication?
- What are the content, form and effects of the publication?
- In which manner and under which circumstances was the information obtained? and
- Is the data accurate?
The Court used the same method of balancing the interests but reached a different result: the Court concluded that the prison guard’s interest in data protection prevailed and ordered the ex-convict to delete the Facebook post.
The main points of divergence were the criterion of contribution to a debate of general interest and the criterion of the data subject’s prominence. With regard to the former criterion, the DPA determined that addressing bad conditions in a prison is undoubtedly a contribution to a debate of general interest. However, the Court pointed out that the question is, in fact, whether the use of personal data about the prison guard contributes to the debate – and the answer to that question is negative. With regard to the latter criterion, the DPA stated that the prison guard should be resilient to public criticism as his role as a functionary at the trade union is analogous to the position of a politician. The Court disagreed and stated that it can be assumed that the prison guard is a barely known person, and that the scope of criticism he is expected to suffer is not as wide as in the case of politicians.
The result of the balancing test was decisive for the Court’s determination that, contrary to the DPA’s decision, the prison guard’s rights were violated. As the divergences between the DPA and the Court show, the balancing test in the assessment of legitimate interests can be highly fact-specific.
[Note: The Serbian Data Protection Act and the current draft of the Montenegrin Data Protection Act mirror the provisions of the GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as instructive guidance for compliance with local regulations.]