The Paradise Papers leak following last year’s data breach at law firm Appleby is certainly noteworthy, and no doubt many will be applauding its disclosures. But some will equally be considering whether an individual’s investment in offshore vehicles can legitimately be made public by journalists, even when that investment is completely bona fide and legal, and the information has come from an illegal hack.
Under existing data protection laws, as well as GDPR, there is an exemption from privacy principles where the right to freedom of expression and information, in effect, overrides the privacy of the individual, specifically in the journalistic context. In the UK (which after the US was the country most identified in the leak), section 32 of the Data Protection Act 1998 (“DPA”) sets out this exemption, which by and large is transcribed in full in the new Data Protection Bill will enact GDPR next year (Part 5 of Schedule 2).
The exemption requires three elements to be fulfilled:
(i) the processing must be undertaken with a view to the publication of journalistic material;
(ii) the publisher reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest; and
(iii) the publisher reasonably believes that, in all the circumstances, compliance with a data protection provision is incompatible with the purposes of journalism.
In the UK, the ICO’s guidance on what is in the public interest is not definitive, but in the context of the Panorama programme, the BBC’s own editorial guidelines are the place where its journalists are obliged to start:
Private behaviour, information, correspondence and conversation should not be brought into the public domain unless there is a public interest that outweighs the expectation of privacy. There is no single definition of public interest. It includes but is not confined to:
- exposing or detecting crime
- exposing significantly anti-social behaviour
- exposing corruption or injustice
- disclosing significant incompetence or negligence
- protecting people’s health and safety
- preventing people from being misled by some statement or action of an individual or organisation
- disclosing information that assists people to better comprehend or make decisions on matters of public importance.
There is also a public interest in freedom of expression itself.
When considering what is in the public interest we also need to take account of information already in the public domain or about to become available to the public.
When using the public interest to justify an intrusion, consideration should be given to proportionality; the greater the intrusion, the greater the public interest required to justify it.
Whilst exposing an individual for legitimate investments in offshore vehicles does not seem to obviously fit in any of the seven bullet points, the BBC might likely point to the fact that the information was about to become available to the public in any event. This means that the public interest outweighs privacy where privacy is in any event lost, other than by the actions of the BBC (in this case).
As the ICO’s own guidance says: “organisations must be able to explain why complying with the relevant provision of the DPA is incompatible with the purposes of journalism”. However, and critically, the incompatibility is not an absolute measure. Instead, it is measured by the reasonable belief of the publisher.
In the current case, it might be argued that one reason for concluding compliance was incompatible with journalism was, once again, that the information was about to be put in the public domain.
Finally, has there been a criminal offence? Section 55 of the DPA provides that a person must not knowingly disclose personal data without the consent of the data controller (the original data controller here would have been the law firm, Appleby). Usefully, the provision provides a defence if the disclosing was justified as being in the public interest. Again, the usefulness of a prosecution is further diluted by the prospective bringing into the public domain of the information.
This is cold comfort for those who have nothing to hide, but yet don’t want their private financial matters made public. The best advice for these people is to use professional advisers who take their privacy seriously and ensure their personal data is properly protected in the first place.3