Statutory Data Protection Authorities (DPAs) who act as the guardians of data protection across the European Economic Area (EEA) have faced unprecedented interpretative challenges as a result of the explosion of indeterminate publication by individuals in the form of blogs, social networking and other online forums. Through both a questionnaire and systematic review of EEA DPA websites, this article finds that these regulators have generally adopted a strict interpretation of the law here, although considerable internal variation is also present. Almost all see data protection as engaged, around half argue that publication in the general social networking context requires data subject consent and even when individual publication is targeted towards the collective public many DPAs demonstrate some reluctance to apply the special expressive purposes (aka the journalistic) derogation. This article argues for an alternative tripartite approach under the forthcoming Regulation which accommodates the competing free expression rights and also the limited capabilities reasonably to be expected of private individuals on a sounder and more consistent basis. The law's personal exemption should cover individual publication so long as this does not pose a serious prima facie risk to privacy or other fundamental data protection rights. The special expressive purposes derogation should protect individuals who are disseminating a message to the collective public without discrimination. Finally, the Regulation's new freedom of expression clause should ensure that individual publication which principally instantiates self-expression is subject only to the core of data protection's substantive and supervisory provisions.