Out-Law News 2 min. read
07 Nov 2003, 12:00 am
Mrs Bodil Lindqvist was an active member of her church in the parish of Alseda in Sweden. As part of a computer course Lindqvist had to set up an internet home page, and chose to create a site giving information to church parishioners.
Unfortunately the pages included information about Mrs Lindqvist and 18 of her fellow church volunteers. This information included some full names, telephone numbers and references to hobbies and jobs held by her colleagues. In relation to one lady, Lindqvist also revealed that the volunteer had injured her foot and was working part-time on medical grounds.
Mrs Lindqvist was fined SEK 4,000 (approximately £300) for (a) processing personal data by automatic means without properly notifying the Datainspektion (the Swedish supervisory authority for the protection of electronically transmitted data); (b) transferring individuals' personal data, without consent, to countries not having similar levels of personal data protection; and (c) processing individuals' sensitive personal data (the information concerning the volunteer with the foot injury) without consent.
She appealed against the fine to the Swedish Göta Court of Appeal, which referred a number of questions to the European Court of Justice to clarify whether Mrs Lindqvist's activities were contrary to the provisions of the Data Protection Directive.
Lindqvist argued that it was unreasonable to suggest that simply mentioning a name or personal details on a web page was a breach of Data Protection rules. The European Court held otherwise, saying:
"that the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of [the Directive]."
The reference on the web page to injury and part time work on medical grounds was a further breach of provisions relating to sensitive data (including health related data), said the European Court.
Exemptions available under the Directive for where data is processed for purely personal or domestic activities were ruled as not applying in this case. The European Court said that these exemptions had to be read as:
"relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people."
The Swedish Court of Appeal had also asked for guidance as to whether Mrs Lindqvist's actions breached the Directive's provisions concerning the cross-border transfer of personal data. The European Court said no. It reasoned that given the state of development of the internet at the time the Directive was drawn up and the absence of internet applicable criteria in the Directive's provisions addressing cross-border transfers, the Directive could not be construed as intending the expression "transfer of data to a third country" to cover the loading of data onto an internet page, despite this resulting in data being made available to persons in other countries.
Finally, the European Court considered whether the provisions of the Data Protection Directive created restrictions that conflicted with the general principles of freedom of expression or other fundamental rights. Again the Court said no, explaining:
"It is for the national authorities and courts responsible for applying the national legislation implementing [the Directive] to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order."
The case now goes back to the Göta Court of Appeal so that the court can apply the European Court's findings on how the Data Protection Directive should be interpreted.
The judgment is available here