The previous blog addressed the material scope of the Data Protection Directive 95/46 in determining that the processing activities carried out by the Jehovah’s Witnesses fall within its scope, even when taking account of the possible tension between the right to data protection and the freedom of religion. The present blog will discuss the meaning of the concepts of “filing system” and “controller” in that same context.
Firstly, the question what exactly must be understood under the concept of “filing system” laid down in Article 2(c) of the Data Protection Directive (see Article 4(6) GDPR). Also, recital 27 (see Article 2(1) GDPR) must be considered, in which it is stated that “files or sets of files as well as their cover pages, which are not structured according to specific criteria, shall under no circumstances fall within the scope of this Directive”. The restrictive formulation of this criterion can be explained by placing it into the historical context of the legislative process that took place prior to the adoption of the Data Protection Directive in 1995. Big data related issues, like they occur nowadays, i.e. the 50 million Facebook profiles that were harvested for Cambridge Analytica, were unimaginable. As we are dealing with the Jehovah’s, that still rely on manually assembled data, organized via paper files, the dated concept of “filing system” remains relevant.
Back to the Opinion of A-G Mengozzi, who first makes it very clear that the scope of data protection law may not depend on the techniques used, as that would create a serious risk of circumvention. Yet, the Directive only covers manual filing systems to the extent that they are structured according to i) specific criteria, ii) that relate to individuals and iii) which allow easy access to the personal data. The various criteria for determining the constituents of a structured set of personal data may be laid down by each Member State.
The A-G then continues in finding that the notes taken by the Jehovah’s when proselytizing may constitute a “filing system”, as areas are allocated geographically, thereby structuring the data of individuals, i.e. the name, address, and summary of the conversation, relating in particular to the religious beliefs and family circumstances. Indeed, such a system may support the planning of subsequent visits and thereby offer easy access to the data concerned. Consequently, all three criteria as mentioned above are met. However, A-G Mengozzi notes that under Finnish law, a higher degree of sophistication is required. A “filing system” must consist of lists, data sheets or any other comparable search system, which may impose an extra restriction. It will be interesting to see the finding of the Court of Justice and subsequently, the reasoning of the national court. In previous national cases, i.e. in Belgium and Sweden, on the Jehovah’s Witnesses, as well as on the Church of Scientology, it was found that paper files held by those organizations fall outside the scope of European data protection law.
Secondly, the A-G was required to give his opinion on the question whether the religious community, alone or together with its members, can be regarded as a “controller” within the meaning of Article 2(d) of the Directive (see Article 4(7) GDPR). Prior to the substantive analysis the irritation expressed by the Jehovah’s, based on a wrong understanding of the concept of “controller”, was addressed. The community pointed out the fact that its members neither act under its instructions, nor in response to divine command. After addressing this point, A-G Mengozzi primarily stated that the concept of “controller”, described as the one(s) determining the purposes and means of the processing of personal data, should be defined broadly under the Directive. A factual, rather than a formal analysis determines “why” and “how” processing takes place. In the present case, it must therefore be ascertained whether the Jehovah’s community decides the purposes and means of processing the data collected by its members. This seems to be the case, as areas are allocated among the various preachers, their activity is monitored and a record is kept of people who do not wish to be visited. Via this system “the community seeks to increase its number of the faithful through greater efficiency in evangelical activity by optimal preparation for visits”. The Jehovah’s are, for this purpose, provided with forms and instructions on note taking. The A-G mentions that the data controller must not have actual access to the data. Moreover, the fact that members of the religious community can have a practical effect on the means of processing does not exclude the possibility that, not only they, but also the community should be considered a controller. This so-called joint control may take various forms making the equal sharing of control unnecessary. It is for the Supreme administrative court of Finland to determine to what extent the community is in a position to exert influence de facto over the activity of collecting and processing the personal data, such as collected by the Jehovah’s, which would eventually make them a controller.
The analysis of the two concepts, as provided above, will now be addressed briefly in light of the GDPR. Firstly, if indeed the data collected by the Jehovah’s qualifies as a “filing system”, thereby falling within the scope of European data protection law, stringent requirements will apply under Article 8 of the Directive (see Article 9 GDPR). As it concerns sensitive personal data, the starting point will be a prohibition of the processing, unless one of the exceptions applies (Article 8(2) Directive and Article 9(2) GDPR). In the present case, processing could be allowed if the data subject gives explicit consent to the processing (Article 8(2)(a) Directive). Under Article 9(2)(a) GDPR that consent must even be given for one or more specified purposes. Lastly, the concept of “joint controllers” will be discussed, as newly laid down in Article 26 GDPR. The A-G referred to this concept when discussing whether the Jehovah’s religious community can be considered a “controller”. Under the GDPR, joint control means that two or more controllers jointly determine the purposes and means of processing. An arrangement between those controllers must be set up in which the roles and relationship between them and the data subjects is described. The essence of that arrangement shall be made available to the data subject.
Taking into account the actions that must be taken by the Jehovah’s Witnesses community in order to comply with the present, as well as the soon to be European data protection standard, the question arises whether indeed such compliance does not amount to an intolerable or disproportionate interference with the freedom of religion. One could call into question the necessity of applying the strict requirements under the GDPR and particularly the consequence of doing so for the freedom to proselytise. We shall wait and see whether the Court of Justice follows the Opinion of A-G Mengozzi and lets data protection law enter the door of the Jehovah’s Witnesses religious community.