Document Actions
Articles
1
The first data protection instrument that contained a household exception was the European Union (EU) 1995 Data Protection Directive (DPD). Previous national regimes [1] and the Council of Europe (CoE) Resolutions from 1973 [2] and 1974 [3] and its Convention108 [4] from 1981 did not. The reason for its introduction was that automated processing techniques until the 1990’s had by and large been in the hands of a few larger corporations and governmental agencies. Consequently, the earliest legal frameworks focussed primarily or even exclusively on the small number of parties that had the capacity to maintain and utilize them. The EU legislator was mindful that at the end of the 1980’s, citizens were also gaining access to automated data processing techniques and devices, such as a personal computer, and digital forms of communication, such as e-mail. Although the consensus was that citizens who process personal data about others should in principle fall under the data protection regime and respect the rights and obligations contained therein, the thought was also that some small-scale processing of personal data by citizens in the privacy of their homes might be excluded.
2
During the legislative process of the DPD, many views on the precise wording, scope and fields of application arose, without the parties suggesting these sometimes-conflicting views clearly entering a dialogue with one another. Consequently, the reasons behind the final wording of the relevant recital and article are unclear and difficult to grasp. The European Court of Justice (CJEU) subsequently interpreted the household exemption in a very narrow manner, while the Working Party 29 (WP29), and its successor, the European Data Protection Board (EDPB), have actively tried to nuance the rulings by the Court.
3
This article will provide a discussion of the household exemption. It will focus primarily on the legislative processes of the DPD and GDPR, CJEU judgements and opinions by the WP29, the EDPB and the European Data Protection Supervisor (EDPS). Literature on the point of the household exemption will not be discussed. The approach this article will adopt is a mainly textual analysis, assessing in detail specific sentences, phrases and words and their potential meaning. Doing so, critical thoughts and questions about potential unclarities will be highlighted throughout the article. The driving questions for this research are: What is the rationale behind the household exemption? What is its scope? And are the rationale and scope still viable in the 21st century?
4
To answer this question, section 2 will delve into the legislative process of the Data Protection Directive, the relevant opinions by the EDPS and the WP29 and the judgements of the CJEU. This will result in a thorough understanding as to why the household exemption was introduced and how it has been (re)interpreted since. Section 3 will assess the legislative process of the GDPR and its subsequent implementation in the legal regimes of Member States. This will result in an understanding as to which changes were and which changes were not made in the GDPR and how the household exemption under the GDPR has been interpreted. Section 4 will provide an analysis, also assessing potential arguments in favour and against omitting the household exemption from the data protection framework and assess how, should that option be chosen, the household exemption could be revised and reformulated.
5
Right from the initial proposal for a DPD by the Commission, the household exemption was included in the text. Throughout the legislative process, the provision underwent several small, but important changes. From the legislative history, no unified approach can be discovered with respect to the meaning, interpretation, rationale and scope of application of the exemption. Rather, it seems that while sometimes explicitly substituting its own wording for that of another party to the legislative process, most revisions are not the result of a critical dialogue, but rather of ad hoc and standalone suggestions and variations on a theme. Some of the most important aspects of the household exemption in the legislative process of the DPD will be discussed below to understand the ambiguity that later plagued its interpretation and meaning in jurisprudence and opinions. The text that was finally adopted in the Directive is:
|
Recital 12 |
Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses; |
|
Article 2 |
2. This Directive shall not apply to the processing of personal data: - by a natural person in the course of a purely personal or household activity. |
6
Examples: Both in the legislative history and in the relevant recital, several closely related, but distinct examples of when the household exemption would apply have been provided. The example given by the Commission in its initial proposal was that of keeping a personal electronic diary. [5] A diary is highly personal, and something normally not shared with third parties. It contains subjective interpretations and private emotions as well as objective facts, such as what a person did or whom they spoke to on a certain day. A diary may contain data about a person themself, but often also discusses the lives and behaviour of loved ones, friends, and family. It may also include statements or observations about public events and figures or personal effusions like ‘I’m in love with my boss’ or ‘I think the prime minster is a total creep’. A second example is that of a personal address file. [6] An address file is distinctly different from a personal diary. It contains far less information and in principle no sensitive data (though of course an example might be construed where a person lives in a brothel or similarly sensitive location). These addresses are usually already in the public domain; addresses, names and telephone numbers were traditionally made available through a phone book or similar catalogues. Normally, a person only holds an address book with people whom they are in contact with or plan to be; importantly, a person may keep an address book for both personal and professional reasons (especially as some colleagues may be friends). A third and final example, which was incorporated in the recital only late in the process, was that of correspondence. [7] Obviously, this example is directly related to keeping an address file. Still, it is distinct in that it entails acting on the data, engaging with persons outside the home or family sphere and that personal data of third parties may be disclosed. An e-mail addressed to a friend may, for example, concern the awkward behaviour of a mutual colleague, a friend, or the prime minister. This example, as well as the second example, is directly linked to Article 8 of the European Convention on Human Rights (ECHR), the right to correspondence, while the first example, that of keeping a diary, may be seen as linked to the right to private life. The first example was not, the latter two examples were incorporated in the recital of the DPD.
7
Rationale: The Commission favoured a household exemption because an “invasion of privacy was unlikely to occur” when data are used for private purposes only, [8] thus focussing on the potential impact of the data processing. [9] A second rationale was that household activities themselves were deemed to fall under the right to private life (Article 8 ECHR). [10] Because the data protection framework was set out to enhance the privacy of citizens, it should not intrude on the private sphere of individuals.
8
Scope: The standard approach to the household exemption is that if it applies, then the data protection framework is inapplicable. Another approach was suggested by the Economic and Social Committee (ESC), which stressed that it supported the household exemption, but that “the general principles of Convention108 should continue to apply to such processing to guard against improper use.” [11] The DPD, which is meant to provide for more and stricter rules than Convention108, cannot lead to a lower level of protection than provided by Convention108, which does not contain a household exemption.
9
Private/personal/household/domestic: The initial proposal for the Article did not refer to the household, but spoke of “private and personal”, while the initial recital referred to the exercise of a natural person’s right to privacy. This was changed only quite late in the legislative process, when it was suggested that the recital speak of “personal or domestic” and the article of “personal or household”. [12] No explanation was given for this amendment. It might be suggested that the revised wording makes clear that the private domain in which the processing takes place should be a central element, thereby excluding private activities that take place outside the home. But, if this were the correct interpretation, this raises a question concerning the relationship between private and personal and between personal and domestic. Why the recital speaks of domestic and the article of household was left unexplained.
10
And, or: The revision had another important effect, namely that it changed “and” for “or” [i.e. “personal or household” instead of “personal and household”]. With respect to “and”, it could be wondered whether it was meant as an exclusive or an inclusive term. Was it used in the sense of “I like to go on vacation to Paris and New York” or in the sense of “I like to go on vacation to a place warm and sunny”? This is important, because though “private” is replaced by the more specific and potentially more restrictive “domestic” and “household”, the term “personal” has a broad connotation and personal activities could extend far beyond the private sphere. The legislator seems to have made an end to this discussion by using the term “or” instead. Yet, the term “or” raises similar questions, as it can be used in an inclusive way, “I like to go on vacation to France or Spain”, or in an exclusive way, “I like to go on vacation to a place that’s very warm or ice-cold”.
11
Purposes/activities: The initial proposal spoke of private and personal purposes. Consequently, it was the goal or the reason for which personal data were processed that was determinative for the question of whether processing of personal data fell under the household exemption. Parliament suggested to change that to activities, without providing explanation. Perhaps it is because activities can be objectively assessed, while purposes are purely subjective. Although there is something to be said for this interpretation, and this line of is at times adopted by the CJEU, it would still be remarkable because the purpose for processing personal data is arguably the central element in the data protection framework.
12
Exclusivity: The Commission’s proposal referred to “solely”, both in the recital and in the article. Later, this was changed so that the recital speaks of “exclusively” and the article of “purely”. All words seem to mean more or less the same, and no discussion or explanation exists of why these words have been changed. Consequently, it might be suggested that they could be treated as interchangeable synonyms. At the same time, if these words mean the same, the question is why they are changed, and different wording is used for the recital and the article. An additional question that might be posed is whether the exclusivity clause only refers to “personal” and not to “household” activities (“exclusively personal” and “household”, instead of “exclusively personal” and “exclusively household” or “exclusively personal or household”), but from the changing of the order of the terms, it seems clear that this is not the case. [13]
13
Files/personal data: The initial proposal by the Commission referred to files held by an individual solely for private and personal purposes. The notion of data file, instead of personal data, was central throughout the initial proposal for the Directive by the Commission. This was changed on the suggestion of the ESC because the concept of data files seemed too narrow: “personal data can nowadays be processed in an expert system without necessarily having to be structured (integrated data-bases). Moreover, it is the “purpose” of the processing that is crucial in data protection and that establishes whether or not the collection of data is legitimate. Accordingly, the Committee feels that the concept “processing of personal data”, rather than the “file”, should be used to define the scope of the Directive. The term “processing” should therefore replace the term “file” in Articles 3, 4, 5, 7, 8(l)(c), 8(2) and 11.” [14]
14
Embedding: The initial proposal referred not only to the matters falling outside community law, but also, in paragraph 2 of Article 3, both to the household exemption and to non-for-profit-organisations holding files on its members, who have consented to their personal data being processed, where those data are relevant for the interests of these organisations and where the data are not transferred to third parties. Examples that were given related to political organisations, sport organisations, trade unions, religious organisations and, more generally, cultural, philosophical, and even leisure organisations. The reason to treat this exemption in the same paragraph as the household exemption was that in both situations, harm was thought to be unlikely. [15] This suggestion did however not make it to the final text. [16]
15
The EDPS has only in a small number of opinions referred to the household exemption, the WP29 in a substantial number of opinions. Several points stand out from their reflections.
16
Controllership: The WP29 treats the household exemption, in quite a number of instances in the context of controllership, as if the household exemption was an exemption to the notion of controllership instead of the data protection framework as a whole. [17] For example, it stressed that a citizen needs not assume the role of the data controller when using Social Network Sites (SNS), [18] when they can rely on the household exemption, [19] an approach which was repeated in its opinions on the concepts of data controller and processor, [20] search engines [21] and when assessing the quality of Quebec’s data protection legislation. [22] If a citizen relies successfully on the household exemption, and would have been the only controller, the question is what should be the legal status of the processor, which has to process data at the instruction of the data controller and, inter alia, has to report on potential leaks.
17
Joint controllership: By far most references by the WP29 and the EDPS in respect of the household exemption is to cases in which, would the household exemption not apply, there would be joint controllership. Such is the case with SNS, IoT devices and other products or services that a citizen may use for personal activities. Interestingly, both advisory bodies are often ambivalent as to whether the household exemption applies. [23] When the user can rely on the household exemption, both advisory bodies point out, such does not have an effect on the legal status of the joint controller (e.g. the SNS or the party to which the data of IoT devices are sent). This is understandable, because these parties process the data for their own interests, be it commercial, be it otherwise. Yet, it does raise the question where the boundary should be drawn. For example, suppose a non-for-profit-foundation was set up with the sole purpose of the processing personal data for personal activities by citizens, would such processing also not fall under the household exemption? In addition: to what extent can the joint controller (e.g. the social media platform) be held accountable for the activities of citizens relying on the household exemption?
18
Purposes: Contrary to the legislative choice, the WP29 generally focusses on purposes rather than activities when determining whether the household exemption applies. What is more, it has referred not only to personal purposes, but also to family affairs and recreational purposes. [24] This raises complex issues, because when assessing SNS sites, the WP29 stressed that if citizens use the sites not so much for fun, but for productivity, to advance commercial, political or charitable goals, the household exemption would not apply. [25] This yet again brings the question to the fore where the boundary is drawn. Is saying on Facebook “I really like Emmanuel Macron’s plans” personal or political and what about “Emmanuel Macron is sexy and hot” or “I think Emmanuel Macron has leadership skills”? All concern processing personal data of Emmanuel Macron, but the purpose behind the statement is not always clearcut. At least two rationales have played a role in the legislative process of the DPD (minimal harm for the “data subject” and the private sphere of the “data controller”, both between brackets because the data protection regime does not apply when the household exemption applies). Suppose A places a photo on a social network where a person’s child can be seen in an embarrassing situation and B states on a blog “I think we should vote for Emmanuel Macron”. If the rationale behind the household exemption should be understood as that no harm is typically done by private processing activities, then A’s expression seems potentially more harmful than B’s, but if it concerns activities that normally fall under the right to private life, it is A’s expression that could fall under the household exemption, while B’s would normally not. Interesting in this respect is the discussion of the WP29 on IoT devices, and the fact that it does not answer questions such as: [26] is a smart refrigerator that automatically orders a bottle of milk considered a (exclusively) household activity or a (partially) commercial activity?
19
Sphere: The WP29 does not exclude that when data are made available in open access databases for re-use, individuals that harvest that data for personal activities could rely on the exemption. [27] This is remarkable, because the CJEU has stressed that gathering personal data from the public domain does not fall under the household exemption (next sub-section). A bit puzzling as well is the remark by the WP29 on video surveillance. It points out that premises other than those related to one’s household—such as hotel rooms, offices, restrooms, cloakrooms, in-house phone booths, etc.—are to be regarded as private premises. It is unclear how this remark should be interpreted, whether it means, for example, that there are limits to putting camera surveillance in hotel rooms by hotel owners, or the other way around, that citizens monitoring a hotel room for private purposes (e.g. to protect their private property) fall under the household exemption. [28] If the latter, the question is how the situation in which a cleaning person might enter the room should be assessed. [29]
20
Other legal regimes: Time and again, the WP29 makes clear that even if the household exemption applies, other legal regimes will still need to be respected, such as “the general (civil law) provisions safeguarding personal rights, image, family life and the private sphere – one need only think, for instance, of the visual angle of a camera installed outside the door of a flat, which may allow systematically recording the clients of a medical clinic and/or law firm located on the same floor and thereby cause undue interference with professional secrecy.” [30] Although this seems obvious, at the same time, it echoes the statement by the ESC during the legislative process of the Directive. If interpreted strictly, the relevance of the household exemption might be significantly reduced as Article 8 ECHR would still be applicable as well as the tort law regime. For example, the WP29 stressed that if the household exemption does not apply to citizens that use SNS, the freedom of speech exemption in the data protection framework might. This could mean that legality of processing would be treated as a potential conflict between Article 8 ECHR and 10 ECHR. [31]
21
The CJEU has issued several rulings important to understanding the household exemption.
22
The case of Österreichischer Rundfunk was one of the first cases on the interpretation of the data protection framework. The question was posed how that framework should be understood. Is it to be regarded primarily as a framework that aims at providing protection to human rights and the interests of citizens, or is it primarily aimed at facilitating the free movement of data by removing the differences between national legal regimes in place before the Directive took effect? One of the common interpretations is that the DPD had its legal basis in the EU’s competence to adopt rules to further the four freedoms (freedom of goods, capital, services, and people). One of the arguments discussed by the Court was whether the Directive could apply to situations that do not have a sufficient relationship to either one of these four freedoms. It did apply to those cases, the Court affirmed, the primarily argument being that of legal certainty; it would be difficult to assess per case which data processing operation was intended to further either one of these freedoms and how direct the link should be to be deemed sufficiently strong. But it went on to stress that moreover, the applicability of the DPD to situations where there is no direct link with the exercise of the four freedoms is confirmed by the wording of Article 3; “Those exceptions would not, at the very least, be worded in that way if the directive were applicable exclusively to situations where there is a sufficient link with the exercise of freedoms of movement.” [32]
23
The classic case concerning the household exemption is the Lindqvist case, where a person posted information about others on a public website. Again, the argument was furthered that the data protection framework only applied to the processing of personal data for economic purposes. Interestingly, this argument was not only introduced by the defendant, but also accepted by the respondent state, Sweden. Although stressing that the publication of data on the internet would not fall under the household exemption strictly speaking, it found “that loading personal data on a home page set up by a natural person exercising that person's own freedom of expression and having no connection with any professional or commercial activity does not fall within the scope of Community law.” [33] Similarly, the Advocate General found that the processing by Mrs Lindqvist went beyond her personal and domestic circle, but he also agreed “with Mrs Lindqvist that the processing in question was carried out ‘in the course of an activity which falls outside the scope of Community law’. In that connection, I note that in fact the home page in question was set up by Mrs Lindqvist without any intention of economic gain, solely as an ancillary activity to her voluntary work as a catechist in the parish community and outside the remit of any employment relationship. [I]t seems to me to be abundantly clear that Article 3(2) of the Directive would be completely meaningless if all activities, even non-economic activities, for which people used telecommunications or other services were to be regarded as falling within the scope of Community law.” [34]
24
The Court, however, rejected that approach, essentially repeating its findings from Österreichischer Rundfunk. It also found that it was clear that the household exemption could not apply in this case, for which it gave no arguments, but only a staccato statement: “Charitable or religious activities such as those carried out by Mrs Lindqvist cannot be considered equivalent to the activities listed in the first indent of Article 3(2) of Directive 95/46 and are thus not covered by that exception.… That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.” [35] What makes the argument complex is that what is understood by the CJEU as activities carried out in the course of private life of individuals is very narrow and in sharp contrast with that the European Court of Human Rights (ECtHR), which has left the interpretation of the right to privacy as a negative right decades ago. The ECtHR has found that communicating with loved ones and expressing oneself in public and in work, among many other things, is part and parcel of a person’s private life.
25
In Tietosuojavaltuutettu, the CJEU stressed that the household exemption “must be interpreted as relating only to activities which are carried out in the course of private or family life of individuals. That clearly does not apply to the activities of Markkinapörssi and Satamedia, the purpose of which is to make the data collected accessible to an unrestricted number of people.” [36] Thus, the Court referred to family life, and not only private life, as a relevant determinant. While in the Lindqvist case, the CJEU referred to the household exemption not being applicable because the data were disclosed to an “indefinite number of people”, here it spoke of “an unrestricted number of people”. [37] The Working Party 29 has used an even broader term, namely a “high number of contacts”. [38]
26
It is not only remarkable that the distinct change in scope of the household exemption is explicitly mentioned in the DPD as an example of an activity where the household exemption applies but also that the example of communication of data through correspondence is provided. It could be argued that disclosing something on a publicly accessible internet page is something qualitatively different than normal correspondence, because such is traditionally addressed at a specific audience. But if a person sends an e-mail to 1000 of her friends in BCC, would that still fall under the household exemption? Or suppose that at a party of 500 guests, an electronic message board provides the marital status of the participants, at the volition of all of them, would such processing be considered falling inside the data protection directive? What if the party is open to anyone, i.e. not on invitation? [39]
27
Together with Lindqvist, the case of Rynes has had the biggest impact on the interpretation of the household exemption. It concerned a private person that made recordings of his home and the immediate surroundings after he had experienced a long period of aggression from unidentified individuals. The records indeed helped to identify the perpetrators. [40]
28
The AG found that the exemption must be narrowly construed and that personal activities are activities that are closely and objectively linked to the private life of an individual and which do not significantly impinge upon the personal sphere of others, although he agreed that these activities may take place outside the home: “‘Household’ activities are linked to family life and normally take place at a person’s home or in other places shared with family members, such as second homes, hotel rooms or private cars.” Interestingly, he marked a difference between the two activities when he noted “that the video surveillance of others, that is to say, the systematic surveillance of places by means of a device which produces a video signal which is recorded for the purposes of identifying individuals, even inside a house, cannot be regarded as purely personal, but that does not mean that it could not fall within the definition of household activity. Nevertheless, in my opinion, video surveillance which covers a public space cannot be considered to be a purely household activity, because it covers persons who have no connection with the family in question and who wish to remain anonymous.” [41] What is striking is yet again how narrow the interpretation of “personal” by the AG is. Personal activities apparently do not involve relational activities and engaging with other persons. A purely personal activity apparently is something done alone. [42]
29
The Court stressed that the household exemption must be seen in light of the Charter of Fundamental Rights (CFREU), especially Article 7 and 8, and that it followed from jurisprudence that the data protection framework must be interpreted as setting out a high level of protection of citizens. Consequently, the household exemption must be interpreted “only in so far as is strictly necessary”. This is an important shift vis-à-vis the Lindqvist case, which also dealt with the tension between the two goals of the data protection framework: the protection of individuals and facilitating the free flow of information. While in that case, there were serious pleas to keep all non-economic processing of personal data outside the scope of the data protection framework as a whole, and thus interpret the household exemption in a very wide manner, a few years later the Court takes a position on the other end of the spectrum, emphasizing only the goal of the protection of the rights and freedoms of data subjects, without mentioning the rationale of facilitating the free flow of information.
30
Interestingly, the CJEU admitted that correspondence and keeping of address books constitute a “purely personal or household activity” even if they incidentally concern the private life of other persons. The notion of “incidentally” is curiously left unexplained, but played a role later, both under the GDPR’s legislative process and its implementation. In a brief statement, the Court yet again rejected the applicability of the household exemption: writing instead, “To the extent that video surveillance such as that at issue in the main proceedings covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 3(2) of Directive 95/46.” [43] This is a peculiar finding, because it does not put emphasis on the purposes for processing, or the type of activities, but on the sphere from which data are gathered. It thus seems to introduce a third approach to the household exemption. Also, like the AG, it seems to find that personal activities by necessity may only take place in non-public settings. How this interpretation relates to the matters of correspondence and the keeping of an address book and the fact that correspondence will often include personal data about third parties or observations about facts taken from public sphere is unclear. Why is it that when a person accidentally films her neighbour passing by her house on her way to work, this does not fall under the household exemption, but when that person describes in detail in an e-mail to a friend how she saw her neighbour limp by after a very intense medical operation, such is included under the household exemption? Or should the judgement of the Court be interpreted as meaning that such processing also cannot fall under the household exemption because it entails gathering personal data about third parties from the public sphere and automated processing of the data? [44] That would essentially make the household exemption redundant.
31
The case of Jehovan todistajat revolved around door-to-door preaching. Interestingly, the defendants tried to use the emphasis on the spheres instead of the type of activities, adopted in the Rynes case, in their favour. They argued that door-to-door preaching concerns processing of personal data in the domestic sphere, namely of the person who is visited. This argument, perhaps unsurprisingly, was rejected: “The words ‘personal or household’, within the meaning of that provision, refer to the activity of the person processing the personal data and not to the person whose data are processed.” [45] Yet this line of argumentation might complicate matters even further. Suppose person A stays over at friend B and writes an e-mail to person C, describing what a mess it is at B’s home, would such not fall under the household exemption because A stays at B’s home and processes personal data about B? Why would this be different, as surely, the household sphere is also meant to have friends over? Or would the Court in such a case place emphasis on the activity again, instead of the physical sphere where the activity takes place, or on the type of relationship between A, B, and C?
32
The AG found that the household exemption could not apply in Jehovan todistajat. Like the WP29, who had suggested to treat online expression cases as a conflict between Article 8 and 10 ECHR, the AG suggests that this case should be interpreted as a conflict between the right to privacy and data protection on the one hand and the freedom of religion on the other. [46] It found that the limitations posed on the freedom of religion in light of the data protection framework, were set out by law, served an important interest and could be deemed necessary in a democratic society: “Therefore, the protection afforded by Article 10(1) of the Charter cannot call into question the finding that the doorstep proselytising of members of the religious community is not a purely personal or household activity for the purposes of the second indent of Article 3(2) of Directive 95/46.” [47] The Court, in fewer words, stressed that door-to-door-preaching may be covered by the freedom of religion, but should not be understood as a purely personal or household activity.
33
Though arguably, preaching and expressing one’s faith to others is, at least to the persons concerned, a very personal activity, sharing their deepest convictions with specific others, the Court rejected this interpretation. Instead, it made a very explicit connection between the personal or household activity and the purpose of the processing and between the activity of the processing and the sphere from which data were gathered and in which it is disclosed, finding that “an activity cannot be regarded as being purely personal or domestic where its purpose is to make the data collected accessible to an unrestricted number of people or where that activity extends, even partially, to a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner.” [48]
34
The CJEU emphasised that the preaching was directed at people that do not share the faith of the preachers, meaning that they did not form a religious community, and that data were collected of people that had indicated they did not want to receive a visit anymore (though again it should be stressed that the preaching was intended to precisely form that sort of community). The Court made a remarkable reference to the fact that the data were also disclosed to an unlimited number of persons, which “is also clear from the order for reference that some of the data collected by the members of that community who engage in preaching are sent by them to the congregations of that community which compile lists from that data of persons who no longer wish to receive visits from those members. Thus, in the course of their preaching, those members make at least some of the data collected accessible to a potentially unlimited number of persons.” [49] Is the argument here that potentially everyone could become a Jehovah’s Witness and thus have access to the list of people that do not want to receive house visits, meaning that the data are disclosed to a potentially unlimited number of people? [50] That would seem a far stretch.
35
Before turning to the concrete analysis of the legislative process of the GDPR, it is important to recount two detailed assessments of the household exemption that provided the basis of the discussion, namely the Impact Assessment and an opinion by the WP29.
36
The Impact Assessment distinguished between three core problems with the data protection framework, one of which were the difficulties for individuals in exercising their data protection rights effectively. One of the solutions it offered was to introduce legislative amendments to reinforce responsibility of data controllers, which could be done, inter alia, by clarifying the household exemption: “In this case, when the processing has no gainful interest and concerns a ‘definite’ number of individuals they would be totally exempted from data protection rules.” [51] One of the main challenges identified was the unclarity of the legal status of citizens using SNS and their obligations within the data protection framework. It was recounted that the yardstick used by the CJEU, whether the data were disclosed to an indefinite number of people, meant that the data protection framework would apply in full, “even if the processing relates to purely non-economic, charitable and religious purposes.” In practice, it found, Member States (MSs) limited the obligations of the users or even simply ignored their obligations when processing personal data on SNS, instead focusing on the responsibilities of the SNs. This meant that although there was a formal rule following from the CJEU judgement, in practice, it was not or only marginally enforced.
37
The WP29 devoted no less than 10 pages explaining why it thought the household exemption should be revised. It focussed on the relation of the household exemption vis-à-vis the rules regarding the freedom of expression and stressed that although historically, both exemptions had their clearly defined and demarcated scope, this was no longer the case: “Rather than relating to individuals’ correspondence or their holding of records of addresses, for example, the queries and complaints DPAs receive increasingly concern individuals’ publication of personal data, either about themselves or about other individuals. It would be wrong to say that all of an individual’s personal online activity is being done for the purposes of journalism or artistic or literary expression. However, the advent of ‘citizen’ bloggers and the use of social networking sites to carry out different forms of public expression, mean that the two exemptions have become conflated.” [52]
38
It stressed the variations in the implementation of the DPD by MSs, inter alia highlighting that some laws exempted personal processing from the data protection principles but not from the Data Protection Authority (DPA)’s powers of investigation. But, in par with the impact assessment, it noted that DPAs had focused their attention almost exclusively on processing done by corporate entities or by natural persons acting in a professional capacity—for example, financial advisors or doctors. It also questioned whether the rationales for introducing the household exemption were still applicable. It stressed that since the adoption of the Directive, citizens’ access to information technology had expanded enormously. Consequently, while the processing of personal data by citizens used to be very limited both in terms of the amount of data, the sensitivity of the data and the potential impact of the data processing, this had radically changed, if only because data that are processed and kept privately can be instantaneously spread to an indefinite number of people with the click of a button.
39
Consequently, it suggested to revise the household exemption. One approach is to let all personal data processing fall under the scope of the data protection regime, or to have a specific set of requirements be applicable when citizens process personal data about other citizens, such as implementing light security measures, respecting some of the data subject rights, the data quality principle, the requirement of having a legal basis, and the transparency requirement. Although it saw merits in these more clear-cut approaches, it also acknowledged that it might put too high a burden on citizens, it may be undesirable for citizens to have a public authority scrutinize their dealings in private settings (one of the two original rationales for introducing the household exemption) and it might be difficult to envisage how DPAs could police individuals’ affairs as the logistical and practical issues might be insurmountable.
40
That is why it favoured leaving the household exemption intact but granting DPAs the authority to assess whether it applied in specific cases. The WP29, consisting of representatives of all national DPAs, thus suggested to enlarge the powers of the DPAs. The DPAs should perform that assessment on the basis of a list of criteria, none of which were to be understood as determinative in and of themselves: (1) Are the personal data disseminated to an indefinite number of persons, rather than to a limited group of friends, family members or acquaintances? [53] (2) Are the personal data about individuals who have no personal or household relationship with the person posting it? [54] (3) Does the scale and frequency of the processing of personal data suggest professional or full-time activity? [55] (4) Is there evidence of a number of individuals acting together in a collective and organised manner? [56] (5) Is there potential adverse impact on individuals, including intrusion into their privacy?
|
Recital |
Article |
|
|
Directive |
whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses; |
by a natural person in the course of a purely personal or household activity. |
|
Regulation |
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities. |
by a natural person in the course of a purely personal or household activity. |
41
The legislative process of the GDPR is relevant because, although only the relevant recital has been revised, the household exemption was one of the main battlegrounds when drafting the Regulation. Discussions under the DPD were revived and new ones introduced. [57]
42
Gainful interest: The initial proposal of the Commission both in the relevant recital and in the article suggested that the household exemption to apply, the activity in question should be both for exclusively personal or household activities and be without gainful interest. This would introduce a new criterium (the interest), seemingly very closely aligned to the purposes for which data are processed, a commercial purpose generally meaning the pursuit of a gainful interest. This suggestion, however, received quite some criticism, both from the WP29 and from Parliament. The latter, for example, made clear that there may be gainful interests involved with the processing of personal data, such as when selling private belongings to another person. [58] The examples given by the WP29 are especially illustrative, such as “where an individual sells their unwanted birthday presents on an e-commerce site is an obvious example of ‘personal’ gainful interest. Another example might be where a child uses the internet to raise sponsorship money for a charity run”. [59] These examples seem to run counter to the CJEU judgements. When a person sells a book of Dan Brown through a website, she will process the personal data of Dan Brown and make those data available to an unlimited number of people.
43
Professional or commercial activity: The recital of the Commission’s proposal after its reference to the gainful interest included the text, “and thus without any connection with a professional or commercial activity”. Again, it met resistance and again the WP29 provided an example of why this clause should be omitted, which undermined the CJEU’s jurisprudence, namely when “an individual blogs about his day to day experience of working in a floristry shop, perhaps talking about customers and other staff members. WP29 does not accept that the processing of personal data done for a purpose such as this should necessarily fall outside the exemption, simply because any internet user can read the blog. It might be better to amend the wording to say ‘in pursuit of a professional or commercial objective’, rather than ‘in connection’ with it. Thought should also be given as to whether non-commercial, non-personal activity – such as running a political campaign – also needs to be addressed. We also need to consider whether a natural person’s keeping of professional contacts – ones that will not be shared or used by anyone else – is an activity that should fall outside the exemption.” [60]
44
Although the introduction of the gainful interest was rejected from the final text of both the recital and the provision, the reference to “no connection to a professional or commercial activity” was retained in the recital. This is remarkable because it seems redundant. If an activity is to be for purely personal or household activities, it cannot also be, even partially, for professional or commercial activities. An activity can logically speaking not be fully and only A but also B, if B is not a subset of A. The new clause could perhaps have made sense when different wording was chosen; for example, the Committee on Civil Liberties, Justice and Home Affairs (CCLJHA) had suggested to refer to a professional or commercial objective. Then, it would mean that purely personal or household activities which have a professional commercial objective fall outside the household exemption. But the final recital uses “activity” with respect to both personal and household and with respect to professional and commercial. Perhaps the added value of the clause lies in the “connection”, as some activities could in and by themselves be understood to be purely personal or household activities, but still have a connection to a professional or commercial activity. But what example the drafters of the GDPR had in mind remains unclear. [61]
45
Examples: The CCLJHA suggested to refer to, besides keeping an address file and correspondence, “the personal use of certain electronic services”, without explaining which electronic services. Parliament members suggested, inter alia, to provide, after the example of “correspondence’”, “independently by the medium used”, [62] perhaps thinking of personal correspondence through SNS. A suggestion was to speak of “purely personal or family matters”, [63] another amendment spoke of “exclusively personal, family-related, or domestic” [64] and a final text made mention of both family related activities and private sale. [65] All of these were rejected, which is remarkable in the case of reference to “family”, because it played an important role in the interpretation of the DPD by both the WP29 and the CJEU.
46
The final version of the recital provides, besides a reference to correspondence and keeping an address book, “or social networking and online activity undertaken within the context of such activities.” [66] This addition again seems to be confusing rather than clarifying. Apparently, there is a difference between correspondence and holding addresses on the one hand and social networking and online activities on the other, and apparently, the two mutually exclude each other signified by the “or”. “Fishing or sporting activities” implicitly means that fishing is not a sporting activity, while e-mailing, just to provide a basic example, seems a matter of both correspondence and an online activity. What is additionally confusing is that the social networking and online activities can be performed “in the context” of the personal and household activities, perhaps similar to when a professional karate sportsman is sent on a Siberian fishing expedition by his trainer to practice endurance and patience. The fishing activity is not performed for its own sake, but is an ancillary activity, performed in the context of a karate training. Perhaps chatting with family members is a household activity and social networks can be used in the context of that activity.
47
Indefinite number of people: The unofficial leaked version of the GDPR codified the CJEU’s Lindqvist doctrine by including a reference to the dissemination of data to an indefinite number of people. The first official draft, however, did not. Parliament members made many attempts to reintroduce this clause, in various wordings, and the CCLJHA suggested to provide in the article: “This exemption also shall apply to a publication of personal data where it can be reasonably expected that it will be only accessed by a limited number of persons”. [67] These suggestions were all rejected, perhaps again due to the strong intervention by the WP29, who found it “difficult to accept that the fact that an individual makes his blog or her social networking profile available to the world at large is – in itself – a factor that means that any processing of personal data done in connection with necessarily falls outside the scope of personal or household processing.” [68] The fact that indeed, no reference is made to this factor in either the recital or the article arguably means that the GDPR overrules the CJEU judgements on this point. At the same time, it is important to note that the WP29 did suggest including a reference to this element, for example in the recital, along with the other factors it had indicated as relevant but not determinative when assessing whether the exemption applies. [69]
48
Data gathering: It is remarkable that there was considerable discussion on the potential codification of the Lindqvist doctrine, but virtually none concerning the Rynes doctrine. There was one unsuccessful suggestion by a member of Parliament making an indirect reference to the question where data are gathered, suggesting to make reference in the recital to “purely personal or family matters that have been disclosed to them by the data subject himself or that they have received in a lawful manner.” [70] It seems to imply that when data are gathered lawfully in the public domain, that is on the basis of consent or one of the other legitimate grounds for processing, such could fall under the household exemption. This would create a difficult loop, because in order to assess whether the gathering of data was legitimate, the requirements from the data protection framework would have to be assessed, and when these are met, the consequence would be that the data protection framework would not apply. Perhaps unsurprisingly, the proposal was rejected.
49
Third parties: The WP29 had underlined time and again that the fact that a citizen may lawfully invoke the household exemption should not have implications for third parties. This led to the inclusion in the recital of the following phrase: “However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.” Though the reason for adopting this clause seems to be to regulate situations in which, would the household exemption not apply, there would be two or more joint controllers, such as with SNS, the recital also mentions processors. Such could be relevant, for example, when a cloud provider merely stores data on behalf of a citizen, who pursues a household activity. This would mean that there would be no controller, but a processor, who has to abide by the GDPR. This complicates matters, because most obligations in the GDPR are directed at the data controller. Also, data subject rights can be invoked vis-à-vis the data controller and some of the obligations directly applicable to processors indirectly concern the data controller, such as that when a data breach has occurred, the processor must notify the data controller. [71] The recital does not provide any further clarification on this point, neither does it explain the extent to which the joint data controller can be held accountable for the actions of the natural person that can invoke the household exemption. [72]
50
The implementation laws in the MSs mostly either adopt the wording of the GDPR or simply refer to the GDPR when it comes to the scope and limitations of the data protection regime. Inter alia dealing with the implications of the Rynes case, a number of countries have implemented special rules in their implementation laws concerning video surveillance or have adopted official guidelines on video surveillance. Some of these have chosen to follow the Rynes judgements, others seem to nuance the outcomes of that case.
51
In the first group, Austrian and Croatian data protection law deserve mention. Austria provides special rules for recording images, meaning observing occurrences in public or non-public space for private purposes, using technical devices for the processing of images. It provides that recording images is permitted if: (1) it is necessary in the vital interest of a person, (2) the data subject has consented to the processing of the data subject’s personal data, (3) it is ordered or permitted by special statutory provisions, or (4) there are overriding legitimate interests of the controller or a third party in a particular case. In the latter case, relevant factors to determine the legitimacy are: (a) whether it serves the protection of persons and property, whether the recordings focus on privately owned land “except when it includes public traffic areas, which may be unavoidable to fulfil the purpose of the image recording”, or (b), perhaps thinking of drones used to make landscape recordings, whether it serves a private documentary interest and does not aim to record uninvolved persons to identify or to record them, in a targeted manner, or (c), directly referring to the Rynes judgement, when “it is required for the precautionary protection of persons or items in publicly accessible places that are subject to the controller’s right to undisturbed possession because that right has already been infringed or because the place, by its nature, has a special risk potential”. [73]
52
Croatian law provides that the processing of personal data through video surveillance may be carried out only for the purpose necessary and justified for the protection of persons and property, if the interests of respondents who are in conflict with the processing of data through video surveillance do not prevail. Video surveillance may include premises, parts of premises, external surface of a building, as well as internal space in public transport. [74] Both the Croatian and the Austrian law follow the GDPR and the Rynes doctrine in the sense that these types of video surveillance in the public domain are said to fall under the scope of the data protection regime but can still be deemed legitimate when certain criteria are met.
53
A different approach is taken by the Latvian legislator, providing that the data protection regime shall not apply to data processing that natural persons conduct by using automated data recording facilities in road traffic, for personal or household purposes. It does clarify, nevertheless, that it shall be prohibited to disclose the records obtained in road traffic to other persons and institutions, except for the cases when any of the grounds for data processing specified in the data protection legislation are present. Secondly, it provides that the data protection regime shall not apply to data processing which natural persons conduct by using automated video surveillance facilities for personal or household purposes: however, “Surveillance of public space on a large scale or cases when technical aids are used for structuring of information shall not be considered as data processing for personal or household purposes.” [75] The latter negation seems to imply, a-contrario, that when the public domain is not monitored on a large scale or when no technical aids are used for structuring the data, the data protection regime would not apply. A similar approach seems to be taken in the official guidelines on camera surveillance in the Netherlands: “A person that wants to attach a camera to his jacket (a so-called 'bodycam') and use it to film the environment for himself when he is walking on the street. Other people will also be portrayed on these images. This is for personal or household use only, because this person does not pass on the camera images to third parties. The provisions of the [Dutch Data Protection Framework] therefore do not apply.” [76]
54
In an opinion, the EDPB reaffirmed all of the relevant factors set out by the WP29. It also gave illustrative examples: “A tourist is recording videos both through his mobile phone and through a camcorder to document his holidays. He shows the footage to friends and family but does not make it accessible for an indefinite number of people. This would fall under the household exemption. Example: A downhill mountainbiker wants to record her descent with an actioncam. She is riding in a remote area and only plans to use the recordings for her personal entertainment at home. This would fall under the household exemption. Example: Somebody is monitoring and recording his own garden. The property is fenced and only the controller himself and his family are entering the garden on a regular basis. This would fall under the household exemption, provided that the video surveillance does not extend even partially to a public space or neighboring property.” [77] It seems that the EDPB, like the WP29, tries to nuance the Rynes judgement by suggesting that when personal data are gathered from the public domain, but not made accessible to an indefinite number of people, such could still fall under the household exemption. [78]
55
Finally, there was a petition for information from the Commission on the household exemption. The petitioner argued in favour of broadening the scope of application of activities of a purely personal or domestic nature so as to include all acts carried out by natural persons that by their nature do not intend to violate the rights of a data subject without a valid reason and to allow data processing by natural persons in all cases as required for the purpose of reasonably reporting breaches or offences under the laws of MS. Remarkably, the Commission again focussed on the notion of controllership and linked this to commercial and professional activities: “Situations in which natural persons could act as controllers are when they process personal data in connection with their professional or commercial activities. Examples would be a medical doctor in private practice documenting treatment administered, or a sole trader processing personal data as part of delivering the services they offer.” [79] Thus, while the CJEU in Österreichischer Rundfunk and Bodil Lindqvist, found that the data protection also applied to situations in which personal data are processed for non-commercial or non-economic activities, now, at least with respect to data controllers that are natural persons, the Commission seems to find exactly that. It does not adopt the wording of the GDPR, namely that the household exemption does not apply in case data processing has a connection to a commercial or a professional activity, but stresses that a natural person can only be a data controller when they process personal data in connection with their professional or commercial activities.
56
It is clear from the previous two sections that the household exemption could merit either an authoritative explanation or a textual revision. There are three paths forward. One is leaving the current formulation of the household exemption intact, a second is deleting the household exemption altogether, and a third is maintaining a household exemption, but under a revised form. The first option, as explained in this article, does not seem to be preferable. The recital and provision in the GDPR are plagued by ambiguity, incoherence, and legal ambivalence.
57
The second option is one that should be considered. The ease with which data can be transferred from the private domain to the public domain and from one person having access to the data of millions are factors that support the deletion of the household exemption. This possibility was not foreseen when introducing the household exemption under the DPD. More generally, the classic idea of separate spheres of life has lost part of its appeal because the reality is no longer that private and personal matters only take place at home and the public sphere is exclusively utilised for professional and public activities. In addition, citizens now often possess very sensitive data about others, while in the situation in the 1990s, the envisioned data consisted mostly of address books or personal diary notes. Hence, both rationales (that of the right to privacy and the minimal harm) for introducing the exemption are not as forceful now as they used to be.
58
In addition, it might be wondered whether with the introduction of new processing techniques, there is a case to be made for more regulation in the private sphere. Suppose a person stores private photographs of his ex-girlfriend on his computer, with which he then produces a deepfake video in which she performs all kinds of perverse sexual acts. He tells his friends about it, who also communicate this to her. This is just one of the many possible examples of deepfake applications that cannot be addressed under the GDPR. The production of compromising material and the possession of it are not covered by the GDPR. Once the material is on the internet or distributed to large groups of friends it is, but by then it is too late. The damage has already been done; compromising videos can attract thousands or millions (in the case of celebrities) of viewers within hours. It may often be impossible to take that video down permanently, because of the ease with which a copy of the video can be produced. Consequently, it could be considered to limit the household exemption, both because such behaviour is deemed intrinsically immoral and because it might prevent damage from materialising and allow DPAs to address potentially harmful material at the source.
59
On the other hand, however, it is questionable how realistic it is to ask of DPAs to monitor the private sphere of citizens, as they already suffer from a lack of manpower and resources. Omitting the household exemption might lead to an even bigger enforcement gap, as DPAs will generally choose not to monitor the private lives of citizens in detail. If they would in fact monitor the private lives of citizens, the cure might be worse than the disease, as the government would start monitoring in detail the behaviour of its citizens. Finally, as to the harm, it might be argued that there is no harm done with processing of personal data, as long as the data stay in the private sphere and limited to a limited number of people. Creating a deepfake porn of someone else, for example, might be likened to a person fantasizing about another or making an explicit drawing of her.
60
A third option would be revising the household exemption. This option could again be subdivided in three potential strategies.
-
Focussing on likely harm and potentially requiring a pre-DPIA;
-
Focussing on one of the five factors distinguished or using a combination between two or more of those factors;
-
Making a list of relevant but non-decisive factors that should be taken into account when assessing whether the household exemption applies.
61
A rudimentary formulation of these alternatives could take the following form:
|
Recital |
Article |
|
|
GDPR |
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities. |
by a natural person in the course of a purely personal or household activity |
|
Alternative 1 |
- |
- |
|
Alternative 2a |
This Regulation does not apply to the processing of personal data by a natural person when such is unlikely to cause harm. The natural person shall make an assessment of the likely harm before commencing the data processing personal data. |
by a natural person when such is unlikely to cause any harm; |
|
Alternative 2b |
This Regulation does not apply to the processing of personal data by a natural person or SME when such is unlikely to cause harm. The natural person or SME shall make an assessment of the likely harm before processing personal data. |
by a natural person or SME when such is unlikely to cause any harm; |
|
Alternative 3a |
This Regulation does not apply to the processing of personal data by a natural person for personal purposes. |
by a natural person for personal purposes; |
|
Alternative 3b |
This Regulation does not apply to the processing of personal data by a natural person for personal activities. |
by a natural person in the course of personal activities; |
|
Alternative 3c |
This Regulation does not apply to the processing of personal data by a natural person in her private sphere. |
by a natural person in her private sphere; |
|
Alternative 3d |
This Regulation does not apply to the processing of personal data when such data are gathered from and processed in her private sphere. |
by a natural person when such data are gathered from her private sphere and processed in that sphere; |
|
Alternative 3e |
This Regulation does not apply to the processing of personal data when such data are not disseminated to a large group or unlimited number of people. |
by a natural person when such data are not disseminated to a large group or unlimited number of people; |
|
Alternative 3f |
A combination between two or more of the alternatives 3a-3e |
A combination between two or more of the alternatives 3a-3e |
|
Alternative 4 |
This Regulation does not apply to the processing of personal data when personal data are processed by a natural person for a personal activity. In order to determine whether this exemption applies, the following elements should be taken into account:
|
by a natural person for a personal activity; |
62
A final assessment of the desirability of these alternatives should be made by the EU legislator. However, from the arguments and examples that have been discussed in this article, the following tentative conclusions can be drawn:
-
Data controller and processor: Maintaining the reference to the applicability of the data protection regime does not seem preferable, inter alia, because in the case of a processor that processes personal data for a citizen that can invoke the household exemption, the processor would have duties vis-à-vis a non-existent controller.
-
Purely: There are few activities/purposes that are “purely” household or personal; mostly, they are an amalgam of various types of activities and/or purposes. Consequently, it could be considered to omit this element from the final wording of the revised household exemption.
-
In the course of: The formulation in the GDPR speaks of data processing “in the course of” personal or household activities. It is unclear what this term means precisely, how direct the link should be between the activity and the processing of personal data and whether processing data should be necessary for that activity. That is why it may be better to opt for a clearer formulation, such as “for”.
-
Personal, household and family: The GDPR speaks of personal or household activities. In addition, the CJEU and WP29 have made reference to the family sphere/activities. It has never been clear what precisely the difference is between personal and household activities. It seems as though personal activities would include household activities, if the broader interpretation of the ECtHR is followed. In addition, it appears the very term and concept of “household” is too archaic to serve as an important legal concept. Consequently, in light of legal clarity and textual efficiency, it should be considered to only speak of personal and make clear in a recital, an explanatory memorandum or opinion what activities/purposes are regarded to be “personal”.
-
Harm: The approach focussing on harm seems difficult to uphold for at least two reasons. First, one of the original rationales for introducing the household exemption was the minimal harm that processing of personal data in the private sphere did, while this rationale has moved more and more to the background, inter alia, given the technological tools that are now in the hands of ordinary citizens. Second, it would require of citizens an assessment of the likely harm entailed with their data processing operation, perhaps a pre-DPIA. It is questionable whether citizens would do such an assessment; an additional element that would need to be determined is whether such a pre-DPIA should be formalised and put on paper. If not, it is likely that citizens will use post-hoc explanations for their decisions. In addition, this alternative would require a more precise indication of what harm is. Is psychological harm enough and who decides whether such harm has been inflicted, on the basis of which criteria? What is the threshold for harm in light of the household exemption? Finally, focussing on the harm to determine the applicability of the data protection regime runs counter to the foundation of the data protection framework. Though over time, the ECtHR has expanded the scope of the right to privacy in order to include many modern-day data processing operations, the material scope of the right to privacy (Article 8 ECHR) is still different from that of data protection law. The data protection regime has a wider scope of application, for at least two reasons. First, the material scope is dependent on the definition of “personal data” which is particularly wide; though the term “private life”, contained in Article 8 ECHR is also wide, the scopes of the two notions do not always overlap. That is: not all processing of personal data will be considered affecting a person’s “private life”. Second, in human rights framework, a claim is assessed on both the ratione materiae (does the matter complained of fall under the material scope of the article invoked?) and the ratione personae principle (can the applicant claim to be a victim?). With respect to that second question, there is a significant threshold, as applicants must be able to show that they have suffered from direct, individualizable, and substantial harm. Under the data protection framework, both principles are merged. This means that any processing of personal data, however mundane and small, even writing in a blog post “Emmanuel Macron has blue eyes”, is considered processing personal data, to which the GDPR applies. Thus, using harm as an element for determining the applicability of the data protection regime would undermine one of the core differences separating the right to data protection (Article 8 CFREU) from the right to privacy (Article 7 CFEU).
-
Focussing on the sphere from which data are gathered/in which data are processed: Only allowing the household exemption to apply when data are gathered from/processed in the private sphere of a person herself, as was suggested by the CJEU, would run counter to the very idea behind the household exemption, as it would disallow for many forms of private correspondence and writing a personal diary, namely when such is done in the private sphere of others or when such regards data taken from the private sphere of others.
-
Focussing on the sphere from which the data are gathered: Disallowing the household exemption to apply when data are gathered from the public sphere again seems to run counter to the very idea of the household exemption, as it would disallow writing observations in a diary about public events or the behaviour of people in public. Both the WP29 and MS have tried to nuance the outcome of the Rynes decision.
-
Relevant but non determinative factors: Alternative 4 may seem appealing at first sight, but may result in legal uncertainty and unclarity, as a significant risk may be that various national courts and DPAs may further their own interpretation.
-
Multiple determinative factors: The same applies, though to a lesser extent, to Alternative 3f.
-
SMEs: Although it is true that the inclusion of certain organisations under the household exemption was discussed both when the DPD and the GDPR, it seems to be a better option to leave the household exemption for private individuals and instead extent the exemptions for SMEs or micro-organisations form the obligations of the GDPR when deemed necessary.
63
Given these considerations, four options seem worth contemplating are:
-
Alternative 1: Deleting the household exemption. If this alternative is adopted, there should be additional provisions that relieve data controllers from obligations if they process a minimal amount of non-sensitive data. This could be done through extending the rules for SMEs already in the GDPR and by applying them to natural persons.
-
Alternative 3a (This Regulation does not apply to the processing of personal data by a natural person for personal purposes): Focussing on the type of activities. If this alternative is adopted, a list should be adopted, either by the Commission, by the EDPB or by the EU-legislator, indicating the type of activities that are typically considered personal.
-
Alternative 3b (This Regulation does not apply to the processing of personal data by a natural person for personal activities): Focussing on the purpose for processing. Again, if this alternative is adopted, a list should be adopted, either by the Commission, by the EDPB or by the EU-legislator, indicating the type of purposes that are typically considered personal.
-
Alternative 3c (This Regulation does not apply to the processing of personal data by a natural person in her private sphere): Of the alternatives 3a, 3b and 3c, perhaps 3c would be the most elegant. The only question would be whether the data are processed in the private sphere of any natural person and stay there. This would align with the two new rationales for the household exemption, namely that DPAs do not have the capacity to enforce the GDPR in the private sphere of all citizens and that even if they would, such would be undesirable. In addition, it aligns with the first rationale for introducing the household exemption, namely the protection of privacy. Finally, it may be argued that if data are indeed only processed in the private sphere, the harm is usually only minimal. If harm arises nevertheless, other legal regimes, such as tort law and criminal law would apply. Still, choosing for this alternative would defy the fact that the public and the private sphere are no longer strictly separable. Indeed, many public activities are taking place at home and that data can be transferred from the private domain to a worldwide audience with the click of a button.
*by Bart van de Sloot, Associate professor, Tilburg Institute for Law, Technology, and Society (TILT), Tilburg University, Netherlands
[1] U. Dammann, O. Mallmann & S. Simitis (eds.), ‘Data protection legislation: an international documentation’, 1977.
[2] Resolution (73) 22 on the protection of the privacy of individuals vis-a-vis electronic data banks in the private sector (26 September 1973).
[3] Resolution (74) 29 on the protection of the privacy of individuals vis-a-vis electronic data banks in the public sector (20 September 1974).
[4] Convention for the protection of individuals with regard to automatic processing of personal data, 1981.
[5] COM(90) 314 final ~.sYN 287 and 288 Brussels, 13 September 1990.
[6] I CC)M(90) 0314 — C3-0323/90 SYN 287.
[7] 92 /C 311 / 04 COM (92) 422 final — SYN 287.
[8] Supra (5).
[9] It is good to note that the harm is linked to the right to privacy and not to the right to data protection.
[10] Supra (5).
[11] 91/C 159/14 Opinion on: the proposal for a Council Directive concerning the protection of individuals in relation to the processing of personal data.
[12] 95/C 93/01 Common position (EC) No 1 /95 on 20 February 1995 adopted by the Council,.
[13] As was later confirmed by the AG in Rynes.
[14] Supra (11).
[15] Supra (5).
[16] Parliament also unsuccessfully suggested to extend the list to (1) data held by journalists and journalistic media; (2) data held under an obligation laid down by statute on condition that the personal data are not communicated to third parties; (3) held in archives either for purposes of reconstruction or for use as evidence; (4) held in compliance with a legal obligations; (5) from sources or registers whose object is to ensure publicity for such data; and (6) held for payroll, pensions and accounts purposes.
[17] 5035/01/EN/Final WP 56.
[18] The question is here how much a SNS resembles a household. The focus of the WP29 on SNS seems to signify a shift from the focus on the protection of privacy/private sphere to a focus on harm, as the key determinant becomes the number of people to which data are disclosed.
[19] 01189/09/EN WP 163.
[20] 00264/10/EN WP 169.
[21] 0737/EN WP 148.
[22] 14/EN WP 219.
[23] <https://edps.europa.eu/sites/default/files/publication/10-03-19_trust_information_society_en.pdf>.
[24] 11580/03/EN WP 82.
[25] 01189/09/EN WP 163.
[26] 14/EN WP 223.
[27] 1806/16/EN WP 239.
[28] 11750/02/EN WP 67.
[29] Additionally, the WP29 suggests that if multiple houses share one common entrance, the household exemption would not apply to cameras monitoring that entrance. This means, apparently, that monitoring closed and private spheres that are co-shared by people from different households, will not fall under the household exemption. The WP29 has also stressed that the household exemption could apply to cars, as long as no personal data of third parties are processed. 17/EN WP 252 .
[30] 11750/02/EN WP 67.
[31] 01189/09/EN WP 163.
[32] ECLI:EU:C:2003:294.
[33] ECLI:EU:C:2002:513.
[34] ECLI:EU:C:2002:513.
[35] ECLI:EU:C:2003:596.
[36] ECLI:EU:C:2008:727.
[37] This may be a matter of translation. The French text speaks of indefinite. The authoritative version of the judgement is Finish and speaks of ‘määrittelemättömän’, meaning unspecified, indefinite, indeterminate or undefined.
[38] 01189/09/EN WP 163.
[39] In the Google Spain case, the AG seemed to go one step further and suggested that when reading a newspaper on a tablet, the data protection framework applied, unless the reading of the news is exercised by a natural person in the course of a purely personal or household activity. This would mean that if a person reads a newspaper on her tablet at home in the course of a professional activity, for example because the financial news is relevant for her job as accountant, the data protection framework would apply in full. Opinion of Advocate General Jääskinen delivered on 25 June 2013. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González. Request for a preliminary ruling from the Audiencia Nacional. ECLI:EU:C:2013:424.
[40] When assessing the applicability of the household exemption, the Czech, Italian, Polish and UK Governments felt that the exemption did and the Office, the Austrian, Portuguese and Spanish governments as well as the Commission argued that the exemption did not apply. The AG stressed with regard to the purpose of the processing that ‘the scope of an EU legal instrument cannot depend on the subjective purpose of the interested party — in this case, the data controller — since that purpose is neither objectively verifiable by reference to external factors nor relevant with respect to the data subjects whose rights and interests are affected by the activity in question.’ ECLI:EU:C:2014:2072. This seems to confirm the most plausible explanation for the explicit change made on this point in the text of the Directive.
[41] Opinion of Advocate General Jääskinen delivered on 25 June 2013. ECLI:EU:C:2014:2072.
[42] It seems as though the AG’s interpretation, in line with jurisprudence of the CJEU and the WP29’s opinions, tilts towards an inclusive ‘and’ instead of an exclusive ‘and’ (even if the text mentions ‘or’), meaning that in order to fall under the household exemption, it must concern both a personal and a household activity, just like for person B to enjoy her vacation, it must be both sunny and warm.
[43] ECLI:EU:C:2014:2428.
[44] ECLI:EU:C:2014:2428.
[45] ECLI:EU:C:2018:551.
[46] ECLI:EU:C:2018:57.
[47] ECLI:EU:C:2018:57.
[48] ECLI:EU:C:2018:551.
[49] ECLI:EU:C:2018:551.
[50] In the Buivids case, finally, the Court reaffirmed its previous position by stressing that Article 3 of Directive 95/46 must be interpreted as meaning that the recording of a video of police officers in a police station, while a statement is being made, and the publication of that video on a website, on which users can send, watch and share videos, are matters which come within the scope of that Directive. This, it found, was the case both because the video was disclosed to an unlimited number of people and because the data were gathered in a non-private setting. It used the terminology applied in the Lindqvist case, namely referencing ‘an indefinite number of people’ and not the wording used in Tietosuojavaltuutettu, namely ‘an unrestricted number of people’. ECLI:EU:C:2019:122
[51] Brussels, 25.1.2012 SEC(2012) 72 final.
[52] <https://ec.europa.eu/justice/article-29/documentation/other-document/files/2013/20130227_statement_dp_annex2_en.pdf>.
[53] Apparently, disclosing personal data to a limited group of strangers is a borderline case.
[54] Note the focus on the type of relationship between the discloser and the receivers.
[55] The focus on “full-time” seems peculiar, as it seems to exclude the possibility of a person being full-time responsible for household activities and structurally using data processing operations to assist in that respect.
[56] The question that has remain unresolved is whether this would include family members acting together.
[57] As a small textual change, under the Directive, the article spoke of household activities, while the recital spoke of domestic activities. Though this had never led to confusion or debate, and although during most of the legislative process of the GDPR, this duality was not challenged, the Council suggested to speak of household activities in the recital as well. Brussels, 8 April 2016 (OR. en) 5419/1/16 REV 1. There was a suggestion by Parliament members to change ‘personal’ to ‘private’ again, just like it had originally been proposed under the Directive, in the article (remarkably, not the recital), but this amendment was not adopted. Amendment 369+677.
[58] 2012/0011(COD) 16.1.2013.
[59] <https://ec.europa.eu/justice/article-29/documentation/other-document/files/2013/20130227_statement_dp_annex2_en.pdf>.
[60] <https://ec.europa.eu/justice/article-29/documentation/other-document/files/2013/20130227_statement_dp_annex2_en.pdf>.
[61] With respect to both elements, that of a gainful interest and that of professional and commercial activities, many amendments were suggested by Parliament members. One suggestion was to include as examples of exclusive processing for personal or domestic activities not only correspondence and the holding of addresses, but also private sale. Another was to fully revise the household exemption to hold ‘by a natural person for a purpose which cannot be attributed either to his trade or to his self-employed professional activity’. A third suggestion was to have a separate indent in the article providing that the Regulation did not apply when personal data were processed ‘by small enterprises in the course of its own exclusively activity and strict and exclusively internal use’ and a recital providing ‘This Regulation should not apply to processing personal data by small enterprises which are using personal data exclusively for its own business such as offers and invoices. If there is no risk for the processed personal data that no one else than the enterprise itself is handling the data, there is no need for an additional protection than securing the data for access. This exemption should not apply for Articles 15, 16 and 17.’ Finally, there were proposals to add to the list of exemptions references to the processing of personal data by micro companies when in the course of their own activity and strictly for internal use, by the employer as part of the treatment of employee personal data in the employment context, by sport organisations for the purposes of prevention, detection and investigation of any violations of sports integrity linked with match fixing and doping (amendment 688), and by churches and religious associations or communities.
[62] See e.g. Amendment 368.
[63] Amendment 369.
[64] A7-0402/2013 21.11.2013.
[65] P7_TA(2014)0212.
[66] Recital 18 GDPR.
[67] A7-0402/2013 21.11.2013.
[68] <https://ec.europa.eu/justice/article-29/documentation/other-document/files/2013/20130227_statement_dp_annex2_en.pdf>.
[69] An approach that was also suggested by some of the members of Parliament (amendment 368)..
[70] Amendment 369.
[71] Article 33(2) GDPR.
[72] A related point is that there were suggestions to provide that even if the household exemption would apply, certain minimum data protection standards should be adhered to. <https://ec.europa.eu/justice/article-29/documentation/other-document/files/2013/20130227_statement_dp_annex2_en.pdf>. Later, members from Parliament suggested to adopt a similar clause, amendment 677. The WP29 made an interesting remark about the proposed e-Privacy Regulation, when it said that it ‘should be made possible to process electronic communications data for the purposes of providing services explicitly requested by an end-user, such as search or keyword indexing functionality, virtual assistants, text-to-speech engines and translation services. This requires the introduction of an exemption for the analysis of such data for purely individual (household) usage, as well as for individual work related usage.’ 17/EN WP 247. Thus, it seemed to advocate for a broader scope of the household exemption, at least for the e-Privacy regime, also covering work related usage.
[73] <https://www.jusline.at/gesetz/dsg/paragraf/artikel2zu13>.
[74] <https://narodne-novine.nn.hr/clanci/sluzbeni/2018_05_42_805.html>.
[75] <https://likumi.lv/ta/en/en/id/300099-personal-data-processing-law>.
[76] Cameratoezicht Beleidsregels voor de toepassing van bepalingen uit de Wet bescherming persoonsgegevens en de Wet politiegegevens.
[77] <https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201903_video_devices_en_0.pdf>.
[78] In addition, it seemed to accept that cameras that monitor places that family members pass by regularly, could also fall under the scope of the exemption; whether this implicitly means that this is also the case when third parties do so irregularly was left open. This point was later extended when it discussed processing of personal data by ‘smart’ cars, which will typically also be used to transport third parties, but still could be considered to fall under the household exemption. <https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202001_connectedvehicles.pdf>. How this relates to taxi drivers was left open. The example also raises the question whether, when a person is using spyproducts in her home, the household exemption would apply when a friend comes over. Although some of the CJEU’s statements would suggest that ‘personal’ is per definition ‘alone’ and ‘household’ is per definition restricted to ‘family members’, the WP29 and the EDBP seem to adopt a broader approach. Some DPAs have taken a strict approach to the household exemption. See e.g.: <https://gdprhub.eu/index.php?title=Pers%C3%B3nuvernd_(Iceland)_-_2021010073&mtc=today>. <https://edpb.europa.eu/sites/ default/files/article-60-final-decisions/es_2010_10_right_to_erasure_transparency_and_information_decisionpublic_redacted.pdf>.
[79] <https://www.europarl.europa.eu/doceo/document/PETI-CM-719902_EN.pdf>.
Fulltext ¶
-
Volltext als PDF
(
Size
390.9 kB
)
License ¶
Any party may pass on this Work by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing License. The text of the license may be accessed and retrieved at http://www.dipp.nrw.de/lizenzen/dppl/dppl/DPPL_v2_en_06-2004.html.
Recommended citation ¶
Bart van de Sloot, Home is where the heart is: the household exemption in the 21st century, 14 (2023) JIPITEC 34 para 1.
Please provide the exact URL and date of your last visit when citing this article.
