PRESS RELEASE No 96/03
6 November 2003
THE COURT RULES FOR THE FIRST TIME ON THE SCOPE OF THE DATA PROTECTION DIRECTIVE AND FREEDOM OF MOVEMENT FOR SUCH DATA ON THE INTERNET
Referring to various persons on an internet page and identifying them either by name or by other means constitutes processing of personal data by automatic means within the meaning of Community law
Mrs Lindqvist was involved in preparing people for Communion in the parish of
Alseda (Sweden). At the end of 1998 she set up internet pages on
her personal computer at home to enable parishioners preparing for Confirmation to obtain
easily the information they were likely to need. Those pages contained information on
Mrs Lindqvist and
18 of her colleagues in the parish, including their first names and sometimes their full names. Mrs Lindqvist also described the work done by her colleagues and their hobbies in mildly humorous terms. In several cases their family circumstances, their telephone number and other information were given. She also mentioned that one of her colleagues had injured her foot and was working part-time on medical grounds.
Mrs Lindqvist was fined SEK 4 000 (approximately EUR 450) for processing personal
data by automatic means without notifying the Datainspektion (Swedish supervisory authority for the
protection of electronically transmitted data) in writing, for transferring data to third countries
without authorisation and for processing sensitive personal data (a foot injury and part
time work on medical grounds).
She appealed against that decision to the Göta hovrätt, which asked the Court
of Justice of the EC whether the activities with which Mrs Lindqvist is
charged are contrary to the provisions of the data protection directive which is
intended to ensure the same level of protection in all the Member States
for the rights and freedoms of individuals in that regard.
The Court has held that the act of referring, on an internet page,
to various persons and identifying them by name or by other means (giving
their telephone number or information about their working conditions and hobbies) constitutes "the
processing of personal data wholly or partly by automatic means". Moreover, reference to
the state of health of an individual amounts to processing of data concerning
health within the meaning of the 1995 directive.
Such processing of personal data does not fall within the category of activities for the purposes of public security nor within the category of purely personal or domestic activities, which are outside the scope of the directive.
The Court points out that the directive also lays down specific rules intended
to allow the Member States to monitor the transfer of personal data to
third countries. However, given the state of development of the internet at the
time the directive was drawn up and the absence of criteria applicable to
use of the internet, it takes the view that the Community legislature did
not intend the expression "transfer of data to a third country" to cover
the loading of data onto an internet page even if such data are
thereby made accessible to persons in third countries.
The provisions of the directive do not in themselves entail a restriction contrary to the principle of freedom of expression or other fundamental rights. It is for the national authorities and courts responsible for applying the national legislation implementing the directive to ensure a fair balance between the rights and interests in question, including those fundamental rights.
Available languages: All.
The full text of the judgment can be found on the internet (www.curia.eu.int ).
In principle it will be available from midday CET on the day of delivery.
For additional information please contact Christopher Fretwell:
Tel: (00352) 4303 3355 Fax: (00352) 4303 2731
Directive 95/46/EC of the European Parliament and of the Council of 24
October 1995 on the protection of individuals with regard to the processing of
personal data and on the free movement of such data (OJ 1995 L
281, p. 31).