European Court of Justice Clarifies the Application of Data Protection Directive to Websites
On November 6, 2003, the European Court of Justice ("the ECJ") handed down a very important ruling [fn1] regarding the scope of the 1995 Directive on the protection of individuals with regard to the processing of personal data
(hereinafter "the Directive").[fn2] The judgment illustrates the ECJ's willingness to adopt pragmatic solutions, and has far-reaching implications regarding
the posting of information on a website, in particular whether such a posting amounts to a "transfer of data" to a third country
within the meaning of Articles 25 and 26 of the Directive.
What This Case Means for Global Businesses
This judgment is a welcome clarification of the scope of the Directive: first, websites that display personal details (even
if trivial in nature) in the context of personal/non-profit-making activity are caught by the Directive. Second, website operators
are not subject to the legal regime regarding the "transfer of data to a third country" when posting personal data on a website
unless: (i) they actually send the information to Internet users who did not intentionally seek access to the pages, or (ii) the server infrastructure is
located in a non-EU country. In particular, the ECJ stated that "one cannot presume that the Community legislature intended
the expression transfer [of data] to a third country to cover the loading [ ] of data onto an Internet page, even if these
data are thereby made accessible to persons in third countries [outside the EU]." This is in stark contrast to the opinion
of most national governments as expressed in the Article 29 Working Group (an advisory body on data protection issues which
is composed of the Member States' data protection authorities and the Commission).
There are grey areas remaining, however. What exactly constitutes "sending" information from a website? The legal test is
whether the website in question "sends information automatically to people who do not intentionally seek access to those pages".
What about certain technical means that serve to solicit viewers' attention (e.g. popups, metatags, hyperlinks and banners
that advertise the website in question on other websites, or a "search" function that leads to personal information)? Does
the Directive also apply to intranets, where co-workers may access the information? There is a need for further guidance in
this area.
Finally, the ECJ made it possible for individuals and organisations to challenge their national laws on the ground that they
go further than prescribed in the Directive. This should be viewed as a positive development as it is clearly in the interest
of legal certainty and coherence throughout the EU.
Factual Background
While directives emanate from the European legislature, the 15 EU Member States (which will be 25 Member States as of May
1, 2004) are responsible for transposing them into their national laws. Provisions of national law that are based on a directive
must be interpreted in the light of the relevant directive, in order to ensure consistent application of European law throughout
the Member States.
On the basis of Sweden's data protection law implementing the Directive, the Swedish authorities started proceedings against
Mrs. Lindqvist, who had posted a "mildly humorous" text on her own website about her voluntary work in a local parish of the
Swedish Protestant Church. The text mentioned the names and telephone numbers of some of her co-workers as well as information
regarding their working conditions and hobbies. She also mentioned that one of her co-workers was working part-time because
she had injured her foot.
Mrs. Lindqvist did not inform her colleagues about the existence of these pages, but removed the pages as soon as she was
asked to do so by some of her colleagues. At the end of the initial court proceeding, the district court ordered her to pay
a fine for having processed and transferred personal data by automatic means without having first obtained authorization from
the Data Protection Authority and the individuals concerned.
On appeal, Mrs. Lindqvist argued essentially that: (a) posting information on a website does not amount to the "processing
of personal data" within the meaning of the Directive; (b) posting information on a website does not amount to a "transfer
of data to a third country"; (c) the Directive does not apply to non-profit-making activities because European law is in principle,
in its simplest form, confined to regulating interstate commerce; and (d) the pecuniary sanctions she was facing for breach
of the data protection law violated her freedom of expression. The Göta Court of Appeal ("the national court") referred several
questions to the European Court of Justice requesting clarification on the correct interpretation of the Directive.
Placing Personal Data on a Website
The ECJ first determined that the posting of names and telephone numbers of individuals -- as well as information regarding
their working conditions and hobbies -- on a website was in principle governed by the Directive.
Second, the ECJ considered the meaning of Article 8 of the Directive, which prohibits the processing of "sensitive" personal
data such as race, religion, health and sex life -- unless the data subject expressly consents to it. Mrs. Lindqvist mentioned
on her website that a colleague of hers had injured her foot. The ECJ held that disclosing even such a trivial piece of information
(i.e. the information concerning the injured foot and working part-time on medical grounds) constituted the processing of data relating to health within the meaning of Article 8 of the Directive, and thus was processing of sensitive
information.[fn3]
The Transfer of Data to Third Countries
Articles 25 and 26 of the Directive prohibit the transfer of personal data to non-EU countries which do not ensure "an adequate
level of protection". The Swedish government argued that placing personal data on a website necessarily amounts to a transfer
of data to third countries, since the information is accessible to anyone who has access to the Internet, anywhere in the
world. By contrast, the Dutch and the United Kingdom governments argued that the term "transfer of data to third countries"
does not encompass the mere "accessibility" of data from third countries. The ECJ agreed with this, noting that:
- Mrs. Lindqvist's website did not contain the technical means to send information automatically to people who did not intentionally
seek access to it;
- the view of the Swedish government would place extremely onerous obligations on both the Member States and businesses, since
the accessibility to information on a website would entail the transfer of the data to all third countries where there are technical means to access the Internet; and
- Articles 25 and 26 of the Directive do not mention the use of the Internet, and in any event, the EU legislature cannot have
intended the expression "transfer of data to a third country" to cover the mere loading of data onto an Internet page, even
if those data were thereby made available to all viewers, because, at the time the Directive was drawn up, Internet use in
Europe was still minimal.
Consequently, according to the ECJ, there is no "transfer of data to a third country" within the meaning of the Directive
where an Internet page (which is freely accessible worldwide) contains personal data, provided that the webpage in question
is stored on a hosting server located within the EU.
Does the Directive Apply to Processing of Data for Purely Personal and Non-Profit-Making Purposes?
In accordance with Article 3(2), the Directive does not apply to the processing of personal data in the course of an activity which falls outside the scope of European Community law, whose aim is to facilitate economic cohesion between the Member States. The fact that
European law may only regulate economic activity is a constitutional requirement which is enshrined in Article 95 of the Treaty
on the European Community (the Community legislature may only enact measures that "have as their object the establishment
and functioning of the internal market", i.e. measures that affect interstate commerce).
Mrs. Lindqvist argued that the Directive did not apply to her, since she was "processing" personal data in the course of a
non-profit-making activity, namely voluntary work for the Swedish Protestant Church. She argued that to hold otherwise would
mean that the Directive was applicable to an activity that has no bearing on interstate commerce -- and that such an interpretation
is unlawful under the Treaty.
The ECJ held that the Directive did apply, regardless of the fact that Mrs. Lindqvist was engaged in non-profit-making activities.
The judges based this argument on the fact that the application of the Directive cannot be dependent on the particular circumstances
of each case. The Treaty does not require the existence of an effect on interstate commerce in every situation covered by
the Directive. For the Directive to be valid and applicable to both commercial activities and non-profit-making activities,
it is sufficient that it was enacted to ensure the proper functioning of the internal market.
Protection of Personal Data Versus Freedom of Expression
The ECJ did not address Mrs. Lindqvist's claim that the fine she was facing was disproportionate and did not strike the right
balance between the protection of personal data and her freedom of expression. Noting that the Directive gave the Member States
room to find the appropriate balance between the protection of data and freedom of expression, the ECJ ruled that it was up
to the national court to ensure that the fines provided for in the national law transposing the Directive were proportionate.
This article appeared in the December 2003 issue of World Internet Law Report, No. 12, and is reprinted by permission. ©
2003, BNA International Inc.
Footnotes
1: Case C-101/01, Criminal proceedings against Bodil Lindqvist, European Court of Justice, November 6, 2003 - not yet reported.
2: Directive 95/46/EC, [1995] O.J. L 281/31.
3: It is important to note that, under the Directive, processing sensitive data is prohibited unless certain strict requirements
are met.