European data protection law, such as the Data Protection Directive 95/46 (hereinafter: Data Protection Directive or the Directive), and the freedom of religion, as laid down in Article 10 Charter of Fundamental Rights of the European Union (hereinafter: EU Charter) and Article 9 European Convention on Human Rights (hereinafter: ECHR) do not coincide frequently. They did, however, in the recent Opinion of Advocate-General (hereinafter: A-G) Paolo Mengozzi on the preliminary questions raised by the Supreme administrative court of Finland.
It is well known that Jehovah’s go preaching door-to-door and, when doing so, they are often prompted to take notes recording the content of their interviews and, in particular, the religious affiliation of the people they visited. This brought to the surface the interesting question whether, in this specific situation, compliance with the Data Protection Directive eventually amounts to an intolerable or disproportionate interference with the freedom of religion.
This question is even more interesting, when taking into account the fact that we will soon enter unknown legal territory when on 25 May 2018 the General Data Protection Regulation (hereinafter: GDPR) will become fully applicable, thereby uncovering state-of-the-art rules in the field of data protection. The Opinion at hand helps in defining important concepts in decisive provisions that will remain relevant under this new legislative framework.
The discussion below will offer insights on three elements of the Data Protection Directive: i) what is the material scope of the Directive; i.e. to what processing activities does it apply?, ii) what is the meaning of the concept of “filing system” in the specific context of the Jehovah’s Witnesses? and iii) how should the concept of “controller” be addressed in a multi-layered context involving several controllers? This blog addresses the first question, while the remaining two will be answered in the second part (to be published).
In the first place, as to the material scope of application, A-G Mengozzi concludes that Article 3(2) of the Data Protection Directive does not apply, as the present situation falls under neither of the two exceptions.
The first indent of Article 3(2), mentions exceptions, such as processing operations relating to public security. The A-G rightly states that it must undoubtedly concern activities of the State or of State authorities. Reference is made to one of the earliest cases to consider the Data Protection Directive, Lindqvist, rendered in 2003, which dealt amongst others with the freedom of religion. Already in this case the Court implicitly accepted that the charitable or religious activities such as carried out by Mrs Lindqvist did not fall within the scope of Article 3(2), as they were more concerned with the “field… of activity of individuals” than with “activities of the State or of State authorities”. The A-G adds that with the inclusion of Article 17 Treaty on the Functioning of the European Union (hereinafter: TFEU) under the Lisbon Treaty, which provides that the Member States have exclusive competence to regulate religious organisations, this situation has not altered. It is unclear to A-G Mengozzi, and I think understandably, how, in the circumstances of the present case, the exclusion of religious organisations from the scope of Article 3(2) of the Directive could threaten the “status” of religious communities as defined by Member States. Making the door-to-door proselytising subject to the requirements under the Data Protection Directive in no way prevents States from regulating religious organisations, such as the Jehovah’s Witnesses, under their national laws.
As regards the second indent, purely personal or household activities are excluded from the scope of the Directive. The A-G starts by rejecting the argument of the Jehovah’s that, as the preaching members enter the homes of the “visited” persons, it concerns a household activity. All restrictions under the Directive should be interpreted rigidly and proselytising necessarily means that a relationship with persons is established, who do not share the preacher’s faith. This is per se not comparable to for example the holding of a telephone book for private use, which is classified as a purely personal and household activity, thereby falling under Article 3(2), second indent. On the other hand, the situation in this case leads to a confrontation with the “world out there”, thereby not qualifying as an exception.
What remains is the question whether such an interpretation runs counter to other fundamental rights, such as the freedom of religion, of which the freedom to proselytise is a corollary. The latter is not absolute and therefore a balancing act between both rights should take place. The core argument brought forward by the A-G in the present case is that compliance with the rules in the Data Protection Directive will not amount to an intolerable or disproportionate interference with the freedom of religion. Particularly considering the behaviour at stake, the taking of notes and their transmission within the religious community for further analysis, which, by its nature, is very different from preaching. Article 10(1) of the EU Charter, read in the light of Article 9 ECHR, therefore does not alter the fact that Article 3(2) does not apply and the activities should fall within the scope of the Data Protection Directive.
However, I do not find this reasoning entirely convincing, due to two reasons. Firstly, to what extent is preaching to be considered the same as proselytising? Both fall under the scope of Article 9 ECHR, which enshrines the right to attempt to convince and convert other people. However does this mean that both should be considered as two sides of the same coin? In the second place, the restrictions that follow from the Data Protection Directive, soon to be GDPR, do not only influence the manner in which the collected data can be used within the community. The legal guarantees provided may as well have a consequence for the conditions under which proselytising is carried out, thereby eventually making it more difficult. The latter point will be clarified in the second part of this blog, when discussing the concepts of “filing system” and “controller” under the Directive, as well as the GDPR, in the specific context of the Jehovah’s.