On July 10, 2018 the Court of Justice of the European Union (CJEU) published an opinion finding that the General Data Protection Regulation (“GDPR”) applied to the collection of personal data during “door-to-door” preaching by the Jehovah’s Witnesses religious community. This data included the name and addresses of individuals contacted, and in certain cases, the individuals’ religious beliefs and family circumstances. Members of the Jehovah’s Witnesses community used this data to coordinate preaching efforts across territories and to maintain lists of individuals who did not wish to be visited.
The judgment in this case (CJEU C-25/17) highlights the broad scope of the GDPR in several ways. First, it shows the limitation of the “personal or household” exception to the GDPR. Generally speaking, Article 3(2) of the GDPR exempts some data collection methods from its rules, such as data collection for a “purely personal or household activity”, like personal address books. Despite the highly religious and personal nature of the Jehovah’s Witnesses’ activities, the CJEU noted that these activities did not fall within the “personal or household” exemption. The court noted that “proselytising, by its nature, involves entering into a relationship with persons who are, as a matter of principle, unknown and do not share the preacher’s faith. Unlike the holding of a record of addresses, for example, preaching necessarily leads to a ‘confrontation’ with the world beyond home and family unit.” This opinion follows the logic of the CJEU in a 2003 case (C101-01 Bodil Lindqvist), which found that the Data Protection Directive – the precursor to the GDPR – applied to the publication of names, hobbies and telephone numbers of parish workers on a personal website.
Second, the CJEU opinion interprets Article 3(1) of the GDPR, which states that the GDPR rules only apply to the processing of personal data which form part of a filing system or are intended to form part of a filing system. The Jehovah Witnesses’ argued that its members collected information manually, without an organized database or filing system, and so did not fall under the GDPR. The CJEU was not convinced by this argument, however. It noted that Article 4 of the GDPR defined a filing system as “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”. Since the Jehovah’s Witnesses used consistent objectives for collecting information (i.e. geographical allocation of preachers) and this information was easily accessible to the religious community, the Court of Justice determined that their data collection methods constituted a simple filing system.
Third, this decision out of the Court of Justice highlights a major difference between European and North American privacy laws. Most federal and state privacy and cybersecurity laws in the United States provide carve-outs for religious and non-profit organizations (HIPAA is a notable exception). Similarly, Canada’s main privacy law, PIPEDA, only applies to private sector organizations. GDPR, in contrast, governs all natural or legal persons, public authorities, agencies or other bodies other than Union institutions, bodies, offices and agencies.
The CJEU judgment provides a harsh reminder of the breadth of European privacy laws. Even loosely associated religious, philanthropic, and hobby organizations need to be aware of their potential coverage under the GDPR. Furthermore, private sector organizations should be familiar with the C-25/17 with respect to their manual data collection efforts.
Lily Li is a privacy lawyer and owner of Metaverse Law. Learn more about our GDPR and privacy law services here.