Authors: Petrus Partene, Catalin Veliscu - WH Simion & Partners

In a recent sanctioning decision, the Romanian Data Protection Authority (“ANSPDCP”) applied multiple administrative fines to a natural person, amounting to a total of EUR 10,000. While the total sum exceeds the standard level of fines generally applied by ANSPDCP, it may be considered a rather surprising amount for a natural person. Moreover, the facts of the case themselves are particularly noteworthy.

ANSPDCP investigated the situation after having received two complaints about personal data being published on a website which was, in essence, dedicated to exposing scammers. The amount of the sanction was reached based on multiple infringements which refer to cooperation failure with the authority, lack of legal basis for the processing activities, transparency breaches vis-à-vis the data subjects, violation of data subject rights, especially the right to erasure, and publication of sensitive data of sexual and criminal nature.

The decision matters especially because it shows that ANSPDCP is willing to pursue all controllers equally, irrespective of them being individuals or companies. Even more important than that is the fact that the decision is part of a larger practice against the misuse of publicly accessible personal data, which does not constitute lawful processing. In the context of a name & shame platform such as the website in this case, the problem here may also be relevant for similar phenomena which declaratively aim to protect consumers. Such exposure platforms may rarely be justified under the GDPR given that no legal basis seems to be applicable for their purposes.

The facts are clear-cut in this particular decision. Nonetheless, a small caveat must be made in relation to the imperative balance between the protection of personal data and safeguarding freedom of expression. The conclusions of the authority might have changed in a more borderline context, where the owner of the website might have argued for journalistic exemption, for instance, or where the website was a blog or an investigative publication.

Although a rather unique case, the decision issued by ANSPDCP brings to the spotlight certain basic principles related to the scope of application of the GDPR. First and foremost, the case highlights the fact that, although companies more frequently play the role of controllers, it is not impossible for individuals to be responsible under the provisions of the GDPR (I). Furthermore, the question of individuals’ liability under the GDPR inevitably raises the question of whether there are certain cases when individuals may be exempted from the scope of the Regulation, such as the household activity exception (II).

I. Natural persons as controllers

As a rule, the GDPR attempts, and sometimes succeeds, to protect natural persons and their rights related to their personal data, while also ensuring the free movement of such data. Because the “controller” concept is of high interest herein, it is also important to mention that Article 4(7) of the GDPR defines it as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Therefore, from these two elements, we can conclude that the GDPR protects natural persons even from other natural persons. The strong position here is clear, given that the Regulation chooses an express reference to all categories of persons which might be qualified as controllers.

Even more importantly, and although the contrary may be a tempting argument, the natural person’s activity does not need to be economic in nature. The owner of the website did not seem to obtain any financial advantage from running the platform (and from publishing personal details of those individuals). In any case, the owner would not have needed to gain any income from this activity. The assessment in such cases should regard the nature of the processing and the degree to which this may fall within the exemption provided by Article 2(2)(c) of the GDPR.

II. The restrictive interpretation of the household exemption

According to Article 2(2)(c) of the GDPR, “this Regulation does not apply to the processing of personal data: (…) by a natural person in the course of a purely personal or household activity”. The question therefore arises: could the owner of the website argue that this was a purely personal endeavour driven by an overwhelming sense of righteousness? The short answer is no.

As with all exceptions in EU law, the household exemption must be interpreted in a very restrictive manner[1]. According to the Court of Justice of the European Union, the exception must “be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”[2]. The interpretation is thus based on the purpose of the processing.

As a result, the systematic nature of the processing, and the fact that the data were published on the Internet make it so the household exemption could not have been used as an argument by the owner. In this sense, the lack of a commercial dimension to any type of processing is not sufficient to conclude that the household exemption is applicable.

Here, the Court of Justice of the European Union made an important qualification, in that it does not suffice for the activity to be personal and domestic in nature, but the exemption is only applicable to “data processing carried out in relation to an activity that is ‘purely’ personal or household in nature”.[3]

A classic example for the nuance of the exemption is the case of a surveillance system of one’s own home. If the system only captures the personal data of the regular people visiting that home, then the exemption is more than likely applicable. However, if the cameras are also monitoring a public space (such as the sidewalk in front of the property), then the owner of the house may be qualified as a controller and may be subject to possible sanctions if the processing infringes the GDPR.

In conclusion, as a rule, controllers of any type should generally avoid publishing identifiable data about third parties online or disclosing allegations of criminal or sexual nature. This is especially relevant for natural persons, such as the one in the analysed case, but the observation may also be useful for occupations such as influencers or overall online marketers. Here, given the inherent blurred lines of responsibility, GDPR compliance is just another facet of the multi-layered approach necessary for online personalities in search of a mature and compliant digital ecosystem.

[1] Case C-25/17, Jehovan todistajat, 10 July 2018, para. 37.

[2] Case C-101/01, Lindqvist, 6 November 2003, para. 47; Case C-25/17, Jehovan todistajat, 10 July 2018, para. 42.

[3] Case C-212/13, Ryneš, 11 December 2014, para. 30; Case C-25/17, Jehovan todistajat, 10 July 2018, para. 40.