The European Court of Justice (the "ECJ") recently handed down a significant ruling which clarified the application of the European Data Protection Directive (the "Data Protection Directive" or "Directive")1 to the posting of personal data on Internet websites. The ruling in Case C-101/01 Criminal Proceedings against Bodil Lindqvist ("ECJ Case C-101/01")2 has important implications for all individuals and companies that post personal data on the Internet. It also serves as a reminder that the Data Protection Directive has a very broad scope and, at least in some European countries, is being enforced vigorously by the local data protection authorities.
The European Data Protection Directive was passed on October 24, 1995 and came into effect on October 25, 1998. The Directive is extremely comprehensive legislation that concerns the processing of all "personal data," a term which is defined very broadly as "any information relating to an identified or identifiable natural person."3
The Directive addresses the protection of personal data from a number of different perspectives. At its most basic level the Directive establishes certain conditions that must be met in order to process any personal data in the first place. In addition to these general preconditions that are applicable to all kinds of personal data, the Data Protection Directive places heightened restrictions on the collection and use of "special categories" of personal data which consists of "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and. . . data concerning health or sex life."4
The Data Protection Directive also has significant notice requirements. Under the terms of the Directive, entities processing personal data must notify their operations to the data protection supervisory authority of the Member State in which they are operating. It also provides individuals who are subjects of personal data processing with significant rights, including the right to know who is processing their data and to request a correction and/or deletion of such data. The Directive also requires data controllers and processors to implement appropriate security measures to protect personal data. Finally, one of the most notable aspects of the Data Protection Directive is the section concerning transfers of Personal Data to countries outside of the European Economic Area. Article 25 of the Directive prohibits the transfer of Personal Data to third countries that do not provide adequate protection to Personal Data unless one of several limited exceptions apply.
ECJ Case C-101/01 arose after Bodil Lindqvist, a Swedish woman, posted text concerning her volunteer work at a Swedish church on her own website. Lindqvist's writings included identifiable information, including names and phone numbers, about some of her colleagues. She also included some information about her co-worker's hobbies and, in at least one instance, even health-related information.
Lindqvist did not obtain her co-workers' permission to post information about them on her website. In fact, she did not even tell them about the postings beforehand. She did, however, remove the web pages as soon as she received a request from her colleague to do so.
Nonetheless, the Swedish data protection authorities commenced proceedings against her and she was eventually ordered to pay a fine for having had processed personal data by automatic means and transferred such data without having prior permission from the Swedish data protection authorities and the individuals concerned.
Lindqvist appealed. During her appeal, she contended that posting information on an Internet web site does not amount to "processing personal data" within the meaning of the Data Protection Directive and that posting information on a web site does not amount to a transfer of data to a third country. She also contended that the Data Protection Directive does not apply to non-profit activities and that the sanctions she was facing for violating the data protection requirements violated her freedom of expression. On appeal, the Gota Court of Appeal of Sweden referred several questions to the ECJ, requesting that the European court clarify the correct interpretation of the Data Protection Directive.
In considering the questions that were posed to it by the Gota Court of Appeal, the ECJ determined that posting individuals' names and telephone numbers (as well as information regarding their working conditions and hobbies) on a web site did indeed constitute the "processing" of personal data for the purposes of the Data Protection Directive.
Having made this initial determination, the ECJ then moved on to consider whether posting personal data on an Internet web site could be construed as "transferring" such data to a third country. On this point, the ECJ supported the arguments made by Lindqvist, concluding that web site operators posting personal data on line are not subject to the legal regime governing the transfer of personal data unless (i) they actually send the personal information to Internet users who did not intentionally seek access to the web pages, or (ii) the server infrastructure is located on a non-EU country.
While this conclusion is somewhat surprising since it is inconsistent with what many commentators - and even national data protection authorities - had previously concluded, it does offer very useful guidance as to what will be considered as a "transfer" within the context of Internet postings.
The ECJ then went on to examine the application of the Data Protection Directive to the non-profit sector. The court ruled that the Directive did apply to Lindqvist's postings even though she was engaged in non-profit making activities. The ECJ did not address Lindqvist's claims that the restrictions imposed by the Data Protection Directive limited her freedom of expression.
ECJ Case C-101/01 has important implications for the posting of personal data on the Internet. Through this case, the court has clarified that posting personal data on the Internet amounts to processing personal data for the purposes of the Data Protection Directive. The court's finding highlights the fact that Europe's data protection regime is extremely far reaching.
The enforcement action that was launched against Lindqvist, and validated in large part, by the ECJ, is not likely to be the last of its kind. In fact, Norway's data protection authorities recently announced that they would be pursuing web site operators that display photos that were taken of individuals without their prior consent. Accordingly, the activity of the local data protection authorities, along with the ECJ's decision should serve as a wake-up call to all entities and individuals that process personal data in Europe and/or about Europeans, including by posting such data on an Internet website.1 Council Directive No. 95/46/EC of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, O.J. L 281/31 (1995) [hereinafter "Directive"].
2 European Court of Justice, November 6, 2003.
3 Directive, supra note 1, at Art. 2(a).
4 Id. at Art. 8(1).
Jacqueline Klosek is a Senior Associate with Goodwin Procter LLP, where she practices in the Intellectual Property Practice Area. She is the author of The Legal Guide to e-Business (Praeger, 2003) and Data Privacy in the Information Age (Greenwood, 2000).