This week, the European Court of Justice (ECJ), the highest court in the EU, upheld a Finnish court decision requiring the Jehovah’s Witnesses to abide by European data privacy law when going door-to-door to preach to prospective converts.
We view this as a positive sign that the EU will allow member states to use the General Data Protection Regulation, the comprehensive privacy law enacted in May of this year, to restrict Scientology’s activities. We published an extensive article in May that showed how Hubbard’s sacred “admin tech” mandated actions that could never be in compliance with GDPR, providing an easy way for critics and former members to affect the operations of Scientology inside the EU.
While the JWs may be able to modify their data collection practices to comply with the EU rules, we believe that Scientology will not, because all of its self-help practices depend on collection of large amounts of personal data, and there is no way for a former member to insist on return or destruction of files such as pre-clear folders.
Jehovah’s Witnesses Case Details
In 2013, the government of Finland ordered the Jehovah’s Witnesses (JWs) to stop collecting personal data about the people they were preaching to. JWs had collected names, address, religious affiliation and notes from conversations to use in follow-up visits.
The Jehovah’s Witnesses had claimed exemption from Finnish data protection law because the collection of data was a “person-to-person” activity, where the church members writing down information were doing it on a “personal” basis and not as part of official church policy. Of course, this argument ignored the fact that the Jehovah’s Witnesses had an extensive infrastructure in place such as pre-printed forms, filing systems and storage space in its facilities for these records.
The court correctly ruled that the JW organization is a “controller” of data, and thus is required to implement stringent GDPR controls going forward. Controllers make decisions about how to collect data, what it is to be used for, and where it is stored and how it is disposed of. Note that there are no blanket religious exemptions from GDPR restrictions on data as there would be in the US; the JWs did not try to raise a religious argument in their defense.
According to one news report about the decision, the ECJ specifically said that paper data collection is not exempt from the law. Thus, Scientology can’t claim exemption from the paper-based methods that have been enshrined in Hubbard’s policies for decades.
However, the ruling also says that religious groups may be exempt in some respects from rules about data collection from members. The UK government’s Information Commissioner’s Office has said “If, as an organization, you have an existing relationship with someone, for instance that person is part of your church congregation or volunteers for your sports team, you would not need their consent to use basic personal information.” This still leaves open the issues of information such as secrets spilled in auditing.
Note that while the GDPR law provides for significant fines for organizations with a history of willful non-compliance with GDPR, this case was filed before GDPR took effect. Any fines that might be levied on the JWs are likely to be far lower than the levels in the GDPR which would be applicable to new cases brought against Scientology after the GDPR law took effect.
Interestingly, other religious groups are working hard to ensure compliance with all the details of GDPR. Apparently, the Church of England (the Episcopal Church in the USA) has asked members not to include personally identifying information in prayer requests.
Implications for Scientology
Hungary has investigated Scientology extensively for data protection violations, as we detailed in our GDPR article. We think that Hungary may not be a perfect predictor of the actions in the rest of the EU, since Hungary is run by an increasingly authoritarian prime minister, who has made anti-immigrant and anti-foreign sentiment a major part of his message. Thus, it is reasonable to discount Hungary’s aggressive pursuit of Scientology as at least partly motivated by larger political concerns.
However, Finland is not particularly anti-immigrant or anti-US groups, so we view them as a potentially more relevant bellwether to look at governments’ willingness to challenge smaller organizations and also to take on religious groups.
Scientology is almost certain to be targeted by authorities for wholesale GDPR violations as their practices depend on collecting immense quantities of deeply personal information, particularly in the “pc folders” of people receiving auditing. Because the Scientology model includes extensive review of auditing sessions by “case supervisors” and many other people, auditing simply can’t take place without this data. And because Hubbard’s holy writ says that this must take place on paper forms, it is inherently insecure.
Scientology may attempt to buy time by claiming that members in good standing have signed blanket consents for the cult to collect any personal data it deems necessary, but the GDPR expressly prohibits blanket approvals of that sort, so even if no one inside the cult complains about misuse of personal data, Scientology may still be in violation. There are some exemptions for religious groups, but it’s unclear whether those exemptions will extend to the type and amount of data that Scientology collects.
However, outsiders can trigger investigations, particularly if former members receive mailings or believe that their PC folders are still at the cult (which is, of course, virtually certain unless they somehow find a loophole in Hubbard’s “holy writ” to get them to be able to store disused PC folders offsite in some sort of storage facility).
I can’t find the reference at the moment, but one observer noted that Scientology’s OSA dirty tricks squad could be subjected to the law for information that they have collected on opponents such as politicians and activists against Scientology.
We continue to believe that regulatory scrutiny such as GDPR or such as attention from the authorities to quack practices at Narconon can be the most effective way to affect Scientology’s operations in Europe and in the rest of the world.
We believe the much broader exemptions from regulations for regulatory organizations in the US will mean that Scientology can operate with relative impunity in the US. We believe that regulatory pressure, particularly to the extent that it reduces the ability of Scientology to hire from outside the US, will be the most effective means to slow the cult down.