Professor Steve Peers, University of Essex

Imagine you’re showering when the doorbell unexpectedly interrupts. Hoping it’s the anticipated Amazon delivery with a birthday gift for your daughter, you rush downstairs, only to find a pair of Jehovah’s Witnesses.

After dismissing their pleas, you close the door, putting the encounter out of your mind. However, they haven’t forgotten you. To maintain their focus on potential converts, they keep records of visited homes, categorizing residents as “Believer,” “Unbeliever,” or perhaps even “Satanist,” depending on your towel situation.

It’s not just religious groups collecting personal data at your doorstep. Businesses, charities, and political canvassers engage in similar practices. During the Brexit Referendum, even Professor Peers joined the local Labour party in canvassing efforts, categorizing voters as “Remain,” “Leave,” “didn’t say,” or “absent.”

These practices raise data protection concerns, attracting the attention of authorities. The central question: does data protection law apply to door-to-door activities? The Court of Justice of the European Union (CJEU) recently addressed this in a case involving the Finnish data protection board and Jehovah’s Witnesses.

Facts

The Finnish data protection board ordered the Jehovah’s Witnesses to cease processing personal data unless they adhered to Finland’s data protection laws. They argued that both the religious community and its members were “data controllers,” responsible for proper data protection practices. The Jehovah’s Witnesses challenged this, and the case escalated to the CJEU for interpretation of relevant EU law.

The Jehovah’s Witnesses’ practice involved recording information (names, addresses, religion, family status) from their interactions with residents. They also maintained a list of those who preferred not to be contacted. The dispute centered on whether this information gathering fell under EU law or was exempt under the “household exception,” security exceptions, or because the records lacked organization as a “filing system.” Additionally, if the law applied, were both the community and its members considered data controllers?

Judgment

The CJEU clarified that the state security exception didn’t apply to the Jehovah’s Witnesses as it’s intended for state actions. The household exception was also deemed inapplicable. Citing a previous case involving home security cameras, the court stated this exception doesn’t cover activities directed outward from the home. While proselytizing is protected under the EU Charter of Rights as religious freedom, this doesn’t exempt door-knocking from data protection regulations.

Next, the court addressed whether the note-taking constituted a “filing system.” They interpreted this concept broadly, stating the requirement for data to be “structured according to specific criteria” simply ensures easy retrieval. Specific formats or methods weren’t necessary to be considered a “filing system.” The Jehovah’s Witnesses’ data, structured according to their criteria, met the definition.

Finally, the court examined the issue of multiple data controllers. Referencing a recent judgment on Facebook fan pages, the CJEU reaffirmed a broad definition of “data controller,” acknowledging that not all controllers share equal responsibility or need data access. In this case, the coordinated approach of the Jehovah’s Witnesses community made both the community and its members responsible for data processing. This conclusion wasn’t affected by the autonomy of religious bodies under the Treaty, aligning with a recent judgment on discrimination law. Effectively, such autonomy doesn’t grant a blanket exemption from EU law.

Comments

The inapplicability of the household exception to Jehovah’s Witnesses is logical considering many residents don’t engage or even open their doors to them. The court’s expansive interpretation of “filing systems” aligns with their broad approach to EU data protection law and the definition of “data controller.” However, this contrasts with the narrower interpretation in UK case law. The emphasis on joint responsibility among data controllers echoes the Facebook fan page judgment.

This raises broader implications, particularly for political activities. The ruling likely extends to political canvassing given the similarities in data collection and interaction with residents. The Charter’s protection of freedom of expression wouldn’t exempt parties from data protection laws either. The concept of joint responsibility presents a challenge for both religious and political door-knockers, who must now familiarize themselves with the complexities of the GDPR.

While the ruling establishes the applicability of EU data protection law and shared responsibility, it doesn’t offer specific guidance on applying the law in such situations. Similar to the home security camera ruling, questions remain unanswered. The grounds for data processing, necessity of consent for specific purposes, and the justification of data processing based on legitimate interests or statutory regulations require clarification. It’s likely politicians will be motivated to address these legal ambiguities, especially when their own activities are implicated.

This judgment, combined with the Facebook fan page ruling, could impact both traditional and digital political campaigning. The UK Information Commissioner’s recent report on alleged data protection breaches during the Brexit Referendum, including issues related to Facebook and Cambridge Analytica, underscores this point. The ICO’s recommendations, alongside publications from the Electoral Commission and an Independent Commission on Referendums, highlight growing concerns about transparency and fairness in political processes, particularly in the digital age where online political messaging often lacks transparency, funding regulations, and honesty. These recent judgments and regulatory efforts are initial steps towards addressing these crucial issues.

Photo credit: JW.org