The First ECJ Interpretation of the Data Privacy Directive

Introduction

On Nov. 6, 2003, the European Court of Justice (ECJ) handed down its first judgment interpreting the substantive provisions of the European Data Privacy Directive (Directive 95/46/EC). The judgment (Case C-101/01, In re Bodil Lindqvist) is important because it clarifies several ambiguous provisions of the Directive and has impact beyond the facts of the case.

The defendant in the case was a Swedish woman (Mrs. Lindqvist) who had set up a home page using her home computer. The basic purpose of the website was to allow parishioners at her church where she worked to obtain information about the church and church events. The church had its own website which contained a hyperlink to Mrs. Lindqvist’s website. Without realizing that she was doing anything wrong, Mrs. Lindqvist included on her website, the names of some of her colleagues at the church, their positions, hobbies and telephone numbers. In one instance, she mentioned that one of her colleagues had injured her foot and was working only part-time. Once several of her colleagues expressed their objections to the website, Mrs. Lindqvist removed the offending pages.

Nonetheless, the Swedish public prosecutor brought an action against Mrs. Lindqvist for breach of the Swedish data privacy law transposing the European Data Privacy Directive. The Swedish court asked the ECJ to clarify several issues.

The EU Data Privacy Directive only applies to the "processing" of "personal data". The ECJ confirmed that the term "personal data" includes the types of information that Mrs. Lindqvist published on her website. This conclusion confirms that publicly accessible data such as telephone numbers may qualify as personal data for purposes of the Directive. Regarding the issue whether Mrs. Lindqvist was engaged in "processing", the ECJ confirmed that the concept of processing is very broad. In this case, by the loading of the webpage onto the server constituted "processing" according to the ECJ.

In her defense, Mrs. Lindqvist argued that even if she was engaged in processing personal data, she was not doing so as part of a commercial activity. One of the exceptions enumerated in the Data Privacy Directive is for "natural persons[s] in the course of a purely personal or household activity." The ECJ held that this exception did not apply once Mrs. Lindqvist published the personal data on the Internet making it available to an indefinite number of people. To qualify for this exception, access must be limited to family members.

For U.S. companies, the most important issue decided by the ECJ was whether Mrs. Lindqvist was transferring the personal data to a third country by simply placing it on her webpage. In one of its most contentious provisions, the European Data Privacy Directive precludes the transfer of personal data outside the EEA to countries (such as the U.S.) which do not adequately protect personal data. In her defense, Mrs. Lindqvist argued that merely placing the data on the webpage (which used a server in the EEA) did not constitute a transfer of data outside the EEA. At most, she transferred the data to the website host. Without deciding the issue whether the conduct of the website host constituted a transfer to a third country, the ECJ agreed with Mrs. Lindqvist on this point: "one cannot presume that the Community legislature intended the expression ‘transfer of data to a third country’ to cover the loading, by an individual in Mrs. Lindqvist's position, of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them."

Having determined that the Directive did not consider the conduct of Mrs. Lindqvist to constitute a transfer of personal data to a third country, the final issue, which addresses a major practical concern for companies operating throughout the EEA, was whether Sweden could provide for a higher level of protection for personal data than that required by the Data Privacy Directive. Sweden essentially argued that just because the transfer in this case was not prohibited by the Directive, the express terms of the Directive allow Member States to adopt a higher level of protection than required by the Directive. The ECJ recognized that a Member State may extend the scope of the Directive. In doing so, however, it must maintain a balance between the freedom of movement of personal data and the protection of personal privacy. This conclusion is noteworthy because it clarifies that there is a limit on the ability of Member States to prohibit the processing of personal data. Member States are required to recognize that there is a right of freedom of movement of personal data which must be balanced against the right of privacy. The ECJ left it up to the courts of the Member States to make that balance.

This recent judgment by the ECJ provides some clarity to those attempting to comply with the somewhat vague provisions of the European Data Privacy Directive. It illustrates that the ECJ is prepared to adopt a pragmatic approach to data privacy by recognizing that the privacy rights codified in the Directive are not absolute. In general, this is good news for businesses.