ECJ rules that Jehovah’s Witnesses must comply with data protection legislation

The European Court of Justice (“ECJ”) has ruled that the Jehovah’s Witness community must comply with data protection legislation as its members who conduct door-to-door preaching collect personal data through their taking of notes during their conversations with householders.  The decision comes following the Attorney General’s opinion earlier in the year.

The position put forward by the Jehovah’s Witness community was that such preaching should be considered as personal religious activity and consequently the personal data collected by members when taking notes during conversations with householders would be personal notes.  This could have brought the matter outside of the scope of the data protection regime.

However, the ECJ followed the Attorney General’s opinion finding that such collection and storage of information could not be classed as processing of personal data carried out in the course of a purely personal or household activity, as set out in the relevant exemption in Article 3(2) of Data Protection Directive (95/46/EC) (“Directive”). Considering the wording of this provision more closely, it was noted that the carve-out in Article 3(2) only covers activities that are carried out in the context of the private life of individuals. Reference was made to the fact that the preaching activity is, by its very nature intended to spread the faith of the Jehovah’s Witness Community.  The fact that some of the personal information is sent by the members to the congregations of the community to create lists of those who do not wish to be visited again means that, at least in part, some of the data is made accessible to a wider group of people.   An activity cannot be ‘purely’ personal  if the intention is that the personal data is accessible to an unrestricted number of people  or where there is some extension to a public space away from  the private setting of the individual member. 

The second question the ECJ was asked to confirm was whether the notes taken did in fact form a relevant filing system as defined under the Directive. The notes are taken as part of the members’ preaching in specific geographical areas and are collected for the purposes of preparing for future visits to individuals or noting those who did not wish to be visited again.  It follows that that the nature and format of the information collected (names, addresses, beliefs, wishes not to be visited again) are chosen in order that the information can be easily retrieved ahead of the next visit. As the notes were intended to be easily retrievable, it was found that they would constitute a relevant filing system under the data protection regime.

The ECJ was also asked to confirm the position of the wider Jehovah’s Witness Community in relation to this collection of personal data by its members. Article 2(d) of the Directive confirms that a data controller is a natural or legal person who ‘alone or jointly with others determines the purposes and means of the processing of personal data’.

The ECJ confirmed that a religious community will be regarded as a data "controller", jointly with its members who engage in preaching, for the processing of the personal data carried out by the members in the course of that activity. This is the case despite the fact that the personal information is not stored centrally and so the wider community may not have access to the data.  The key factor considered was that the wider Jehovah’s Witnesses Community is in a position to exert influence over its members by organising, coordinating and encouraging the door-to-door preaching and so therefore is in a position of determining the means of purposes of the processing of personal data of those householders visited.  Furthermore, the community has given guidelines on the collection of data in the course of that activity.

The personal information collected during the course of the door to door preaching falls within the scope of the GDPR and so religious communities carrying out such activities will need to consider their compliance with the current data protection legislation. This decision may have been made in relation to the old data protection regime but the ICO has made it clear that this ruling will be applicable in the new world of GDPR.