THE DATA INSPECTOR CALLS: MRS LINDQVIST AND THE BROKEN FOOT

IPKat’s friend Jordgubbar writes to tell us about Case C-101/01 Bodil Lindqvist, in which the European Court of Justice (ECJ) delivered its judgment on the interpretation of the Data Protection Directive (Directive 95/46) and the Swedish Personuppgiftslag (SFS 1998:2004), which implemented that Directive.

Background to the reference

In 1998, Mrs Lindqvist set up internet pages at home in order to allow parishioners of her church preparing for their confirmation to obtain information they might need. Those pages contained information about Mrs Lindqvist and 18 colleagues which included some family circumstances and telephone numbers. She stated that one colleague had injured her foot and was working part-time on medical grounds. She did not however tell her colleagues of the existence of those pages or obtain their consent. Nor did she notify the data inspectorate of her activities. The public prosecutor proceeded against Mrs Lindqvist, charging her with breach of the Personuppgiftslag in that (i) she had processed personal data without prior written notification; (ii) she had processed sensitive personal data without authorisation and (iii) she had transferred personal data to a third country (by placing it on an internet site accessible outside the EEA) without authorisation.

Article 1 of the Directive sets out the basic protection of the fundamental rights and freedoms of natural persons with respect to the processing of personal data. Article 3 sets out the scope of the Directive: the processing by any means of personal information which forms part of a filing system or is intended to do so. It sets out situations in which the data protection legislation does not apply, including public security and defence purposes. Further, the Directive does not apply to the processing of personal data by a person in the course of purely personal or household activities. By virtue of Article 8, certain types of information are "sensitive personal data", which includes information concerning health.

Summaries of the questions to which the ECJ responded

Question 1: Does the mention of a person (by name or with a name and telephone number) on an internet home page constitute the processing of personal data for the purposes of the Directive?

The term "personal data" covers any information relating to an identified or identifiable natural person. This includes the name of a person in conjunction with his telephone co-ordinates or information about his working conditions or hobbies. To do anything with such data constitutes "processing", so the loading of personal data on an internet page must be considered processing.

Question 2: The Court did not need to answer this question

Question 3: Does loading such information on to a private homepage fall within one of the exceptions in Article 3(2)?

The Court considered the exceptions specifically set out in Article 3(2) and held that the list of activities is exhaustive. Charitable or religious activities cannot be considered equivalent to the activities set out in that list. Further, the Court held that the exception in respect of activities which are exclusively personal and domestic must be interpreted as relating only to activities which are carried out in the course of private or family life. Mrs Lindqvist submitted that private individuals who make use of their freedom of expression to create internet pages in the course of a non-profit or leisure activity are not carrying out an economic activity and are thus not subject to EC law. Citing Österreichischer Rundfunk, the ECJ held that recourse to Article 100(a) of the EC Treaty (the legal basis for the Directive) does not presuppose the existence of an actual link with free movement between Member States in every situation referred to by the Directive. The Court considered that a contrary interpretation would go against the essential objective of approximating the laws of Member States in eliminating obstacles to the functioning of the internal market.

Question 4: Is information that a person has injured his foot and is on half time on medical grounds "sensitive personal data" for the purposes of Article 8(1).

The ECJ held that such data clearly constitutes personal data concerning health within the meaning of Article 8(1) and is therefore sensitive personal data for the purposes of the Directive.

Question 5: Is the placing personal data on a website a transfer of the data within the meaning of the Directive and does it makes a difference if no individual from a third country has accessed the site?

To obtain the information appearing on the internet, an internet user would have to connect to the internet and to carry out the necessary actions to access those pages. In other words, Mrs Lindqvist's internet pages did not contain the technical means to send the information automatically to people who did not intentionally seek access to them. Where personal data is loaded on to a website in one country and then appears on the computer of a person in another country, such data is not directly transferred between those two people but goes through the computer infrastructure of the hosting provider where the page is stored.

Since the Directive contained no criteria applicable to the use of the internet, the ECJ did not presume that the legislature intended the expression "transfer of data to a third country" to cover the loading of data on to an internet page, even if such information is thereby made accessible to persons in third countries with the technical means to access them.

Question 6: Does the Directive restrict freedom of expression or other freedoms and rights applicable within the Community (in particular, those enshrined in Article 10 of the European Convention of Human Rights)?

The ECJ considered that the provisions of the Directive do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms or rights. It is for national authorities and courts responsible for applying the national legislation implementing the Directive to ensure a fair balance between those rights and interests.

Question 7: Can a Member State provide more extensive protection for personal data or give it a wider scope that the Directive?

Measures taken by Member States to ensure the protection of personal data must be consistent with the provisions of the Directive. They must also be consistent with the objective of the Directive of maintaining a balance between freedom and movement of personal data and protection of private life. However, the Court held that a Member State is not prevented from extending the scope of national legislation implementing the provisions of the Directive to areas not included by its scope, provided that no other provision of Community law precludes it.

The IPKat wonders whether data protection laws are going to be used as a back-door to protecting personal privacy rights. In Douglas and Zeta-Jones v Hello! the UK High Court awarded damages for breach of data protection rules, in addition to regular damages for breach of confidence, in an action for damage to the claimants’ “commercial privacy” interests (see IPKat blog, 12 November).

Famous injured feet in history here, here and here


THE DATA INSPECTOR CALLS: MRS LINDQVIST AND THE BROKEN FOOT THE DATA INSPECTOR CALLS:  MRS LINDQVIST AND THE BROKEN FOOT Reviewed by Jeremy on Sunday, November 16, 2003 Rating: 5

No comments:

All comments must be moderated by a member of the IPKat team before they appear on the blog. Comments will not be allowed if the contravene the IPKat policy that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should make a constructive contribution to the discussion of the post on which they purport to comment.

It is also the IPKat policy that comments should not be made completely anonymously, and users should use a consistent name or pseudonym (which should not itself be defamatory or obscene, or that of another real person), either in the "identity" field, or at the beginning of the comment. Current practice is to, however, allow a limited number of comments that contravene this policy, provided that the comment has a high degree of relevance and the comment chain does not become too difficult to follow.

Learn more here: http://ipkitten.blogspot.com/p/want-to-complain.html

Powered by Blogger.