CJEU holds that Jehovah’s Witnesses must comply with data protection legislation and obtain explicit consent from data subjects
E-newsletter Bulletin No 02/23
Judgment in Case C-25/17
Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta
The Jehovah's Witnesses decision deals with comprehensive and technical aspects of various core issues of Personal Data Protection Law. The CJEU addressed the following complex questions in detail in its decision:
- What kind of processing activities are covered by the exception of the processing of personal data by a natural person in the course of a purely personal or household activity (Article 28/1 of the law No. 6698 and Article 3/2 of the Directive numbered 95/46/EC)?,
- In which situations the concept of a ‘filing system’ covers a set of personal data collected otherwise than by automatic means?
- What kind of balance should be struck between the two fundamental rights in cases where the right to protection of personal data conflicts with the freedom of religion and conscience and freedom of association?
- What types of actors that take part in processing must be considered as concept of joint controller? More precisely, who is a data controller and when? Since this subject has been examined in detail in our previous article (CJEU Judgment in the Fashion ID Case: qualification as joint controllers of the Website Operator that Features a Facebook ‘Like’ Button), it will not be discussed in detail herein, but will be summarized.
FACTS
TheTietosuojavaltuutettu (Finnish Data Protection Board) prohibited the Jehovan todistajat — uskonnollinen yhdyskunta (Jehovah’s Witnesses religious community, Finland) from collecting or processing personal data in the course of door-to-door preaching by its members unless the requirements of Finnish legislation relating to the processing of personal data, i.e. only with the consent of data subjects, are observed.
The members of the Jehovah’s Witnesses Community take notes in the course of their door-to door preaching about visits to persons who are unknown to themselves or that Community. The data collected may consist of the name and addresses of persons contacted, together with information on their religious beliefs and their family circumstances. Those data are collected as a memory aid and in order to be retrieved for any subsequent visit without the knowledge or consent of the persons concerned. The Jehovah’s Witnesses Community and its congregations organise and coordinate the door-to-door preaching by their members, in particular by creating maps from which areas are allocated between the members who engage in preaching and by keeping records about preachers and the number of the Community’s publications distributed by them.
Furthermore, the congregations of the Jehovah’s Witnesses Community maintain a list of persons who have requested not to receive visits from preachers and the personal data on that list are used by members of that community.
The Board prohibited the religious community from collecting and processing personal data in connection with door-to-door preaching without meeting the general prerequisites for processing personal and sensitive data, that is, without the unambiguous consent of the data subject. The Board noted that the definition of personal data was broad. According to the Board, when names, addresses and other personal information were noted down in connection with door‑‑to‑door preaching by Jehovah’s Witnesses that served, as argued by the applicant community, as a memory aid when revisiting people who had shown interest, personal data that could be retrieved were being collected. When, for example, a data subject’s religious affiliation or state of health was noted down, sensitive data were being collected.
After the appeal of the Jehovah’s Witnesses Community, Supreme Administrative Court decided to adjourn the proceedings and request a preliminary ruling from the CJEU concerning the issue of whether the applicant community should be considered a “controller” of the personal data collected and processed by its members in the course of their door-to-door preaching within the meaning of the Data Protection Directive. Reference was made, inter alia, to the fact that the applicant community and its congregations maintained territory maps for the purpose of dividing territories between members participating in door-to-door preaching, as well as a so-called “prohibition register”, which was a record of people who had requested not to be visited by members taking part in that activity.
The Court of Justice considered, in the first place, that door-to-door preaching by members of the Jehovah’s Witnesses Community is not covered by the exceptions laid down by EU Law on the protection of personal data. According to the Court directive seeks to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data (judgments of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 66, and of 5 June 2018, Wirtshaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 26). exceptions to the scope of application of the Directive 95/46/EC must be strictly interpreted (see, to that effect, judgments of 11 December 2014, Ryneš, C‑212/13, EU:C:2014:2428, paragraph 29, and of 27 September 2017, Puškár, C‑73/16, EU:C:2017:725, paragraph 38). Furthermore, Directive 95/46 does not lay down any further limitation of its scope (judgment of 16 December 2008, Satakunnan Markkinapörssi and Satamedia, C‑73/07, EU:C:2008:727, paragraph 46)
The Court held that Article 3(2), second indent, of Directive 95/46 must be interpreted as covering only activities that are carried out in the context of the private or family life of individuals. In that connection, an activity cannot be regarded as being purely personal or domestic where its purpose is to make the data collected accessible to an unrestricted number of people or where that activity extends, even partially, to a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner (see, to that effect, judgments of 6 November 2003, Lindqvist, C‑101/01, EU:C:2003:596, paragraph 47; of 16 December 2008, Satakunnan Markkinapörssi and Satamedia, C‑73/07, EU:C:2008:727, paragraph 44; and of 11 December 2014, Ryneš, C‑212/13, EU:C:2014:2428, paragraphs 31 and 33).
The fact that door-to-door preaching is protected by the fundamental right of freedom of conscience and religion enshrined in Article 10(1) of the Charter of Fundamental Rights of the European Union, does not confer an exclusively personal or household character on that activity because it extends beyond the private sphere of a member of a religious community who is a preacher.
In the second place, the Court states, however, that the rules of EU Law on the protection of personal data apply to the manual processing of personal data only where the data processed form part of a filing system or are intended to form part of a filing system. In the present case, since the processing of personal data is carried out otherwise than by automatic means, the question arises as to whether the data processed form part of, or are intended to form part of, such a filing system. In that regard, the Court finds that the concept of a ‘filing system’ covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.
With regard to who may be regarded as a controller of the processing of personal data, the CJEU stated that this concept may concern several actors taking part in that processing, with each of them then being subject to the rules of EU law on the protection of personal data. Those actors may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.
The Court also stated that no provision of EU Law supports a finding that the determination of the purpose and means of processing must be carried out by the use of written guidelines or instructions from the controller. However, a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller of the processing of personal data.
The joint responsibility of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned. In the present case, it appears that by organising, coordinating and encouraging the preaching activities of its members the Community participates, jointly with its members who engage in preaching, in determining the purposes and means of processing of personal data of the persons contacted.
The most interesting aspect of the Jehovah's Witnesses decision is undoubtedly that it involves an area where the right to freedom of religion and belief conflicts with the fundamental right of personal data protection. Freedom of religion and belief, guaranteed in Article 9 of the ECHR and Article 10 of the EU Charter of Human Rights, is a concept that has been widely interpreted.
It must be recalled that the right to freedom of conscience and religion implies, in particular, the freedom for everyone to manifest his religion or belief, in worship, teaching, practice and observance.
Both the ECHR and the Charter adopt a broad understanding of the concept of ‘religion’ covering both the forum internum, that is the fact of having a belief, and the forum externum, that is the manifestation of religious faith in public (judgment of 29 May 2018, Liga van Moskeeën en Islamitische Organisaties Provincie Antwerpen VZW and Others, C‑426/16, EU:C:2018:335, paragraph 44 and the case-law cited).
Furthermore, the freedom to manifest one’s religion individually or collectively in public or in private, since it may take various forms such as the teaching, practice and performance of rites, includes also the right to attempt to convince other persons, for example by means of preaching (ECtHR, 25 May 1993, Kokkinakisv. Greece, EC:ECHR:1993:0525JUD001430788, § 31, and ECtHR, 8 November 2007, Perry v. Latvia, CE:ECHR:2007:1108JUD003027303, § 52).
Nevertheless, according to the CJEU the principle of organisational autonomy of religious communities which derives from Article 17 TFEU does not release a religious organization from the obligation for every person to comply with the rules of EU law on the protection of personal data since it cannot be regarded as an interference in the organisational autonomy of those communities (see, to that effect, judgment of 17 April 2018, Egenberger, C‑414/16, EU:C:2018:257, paragraph 58).
Thus, when it comes to compliance with data protection law, no exemption can be made for the denomination which exempts itself from military service and blood transfusions.
CJEU refrain from providing a detailed framework regarding the determination of correct balance between that right and the right to privacy of data subjects and freedom of thought, conscience and religion, in particular the freedom to manifest one’s faith.
European Court of Human Rights (ECtHR), on the other hand, was ready to accept that the application of the consent requirement to the collection and processing of personal and sensitive data in the course of door-to-door preaching, a religious activity intended to manifest or spread the faith of the Jehovah’s Witnesses constituted an interference with the applicant community’s rights under Article 9 of the Convention. The Strasbourg court reiterated its well established case law according to which such an interference must be “prescribed by law”, have one or more legitimate aims and be “necessary in a democratic society”.
It is undisputed that the impugned interference had a legal basis in the Personal Data Act which transposed the Data Protection Directive into Finnish law, as in force at the material time.
It is clear that the interference with the applicant community’s right to freedom of religion pursued the legitimate aim of protecting “the rights and freedoms of others”, data subjects in the present case, within the meaning of Article 9 § 2 of the Convention.
The core question in the instant case is whether the interference with the applicant community’s right to freedom of religion (see paragraph 80 above) was “necessary in a democratic society” and whether, in answering this question, the domestic courts struck a fair balance between that right and the right to respect for private life of data subjects.
The ECtHR further held that the Board’s order prohibiting the applicant community from collecting and processing personal and sensitive data in the course of door‑to‑door preaching without the unambiguous consent of data subjects had not been made in an attempt to hinder the religious practices of individual Jehovah’s Witnesses; rather, it had been made for reasons having to do with the processing of personal data”. The Court concurs with national authorities that data subjects had a reasonable expectation of privacy with regard to personal and sensitive data being collected and processed in the course of door‑to‑door preaching.
The requirement of consent by the data subject is to be considered an appropriate and necessary safeguard with a view to preventing any communication or disclosure of personal and sensitive data inconsistent with the guarantees in Article 8 of the Convention in the context of door‑to‑door preaching by individual Jehovah’s Witnesses. In the absence of any convincing arguments by the applicant community, the Court cannot discern how simply asking for, and receiving, the data subject’s consent would hinder the essence of the applicant community’s freedom of religion. The applicant community failed to present any supporting evidence of the alleged “chilling effect” of the Board’s order.
That leads us to the broader implications of the judgment: its potential impact on politics. There’s no reason to doubt that the judgment applies equally to political canvassing, as the collection of data and relationship with householders is similar, and the protection for freedom of expression would by analogy not protect parties from the application of data protection law either. The insistence on joint responsibility of data controllers poses a possible complication for door-knockers of either type: they must be aware not only of the inspiring words of Jesus Christ or their political leader, but also the infinitely drier text of the GDPR.
† CASE OF JEHOVAH’S WITNESSES v. FINLAND (Application no. 31172/19) For full text of the decision: https://hudoc.echr.coe.int/eng#{%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-224559%22]}