6 November 2003
Judgment of the Court in Case C-101/01
The Court rules for the first time on the scope of the data protection directive and freedom of movement for such data on the internet
Referring to various persons on an internet page and identifying them either by name or by other means constitutes processing of personal data by automatic means within the meaning of Community law
Mrs Lindqvist was involved in preparing people for Communion in the parish of Alseda (Sweden). At the end of 1998 she set up internet pages on her personal computer at home to enable parishioners preparing for Confirmation to obtain easily the information they were likely to need. Those pages contained information on Mrs Lindqvist and 18 of her colleagues in the parish, including their first names and sometimes their full names. Mrs Lindqvist also described the work done by her colleagues and their hobbies in mildly humorous terms. In several cases their family circumstances, their telephone number and other information were given. She also mentioned that one of her colleagues had injured her foot and was working part-time on medical grounds.
Mrs Lindqvist was fined SEK 4 000 (approximately EUR 450) for processing personal data by automatic means without notifying the Datainspektion (Swedish supervisory authority for the protection of electronically transmitted data) in writing, for transferring data to third countries without authorisation and for processing sensitive personal data (a foot injury and part time work on medical grounds).
She appealed against that decision to the Göta hovrätt, which asked the Court of Justice of the EC whether the activities with which Mrs Lindqvist is charged are contrary to the provisions of the data protection directive which is intended to ensure the same level of protection in all the Member States for the rights and freedoms of individuals in that regard(1).
The Court has held that the act of referring, on an internet page, to various persons and identifying them by name or by other means (giving their telephone number or information about their working conditions and hobbies) constitutes "the processing of personal data wholly or partly by automatic means". Moreover, reference to the state of health of an individual amounts to processing of data concerning health within the meaning of the 1995 directive.
Such processing of personal data does not fall within the category of activities for the purposes of public security nor within the category of purely personal or domestic activities, which are outside the scope of the directive.
The Court points out that the directive also lays down specific rules intended to allow the Member States to monitor the transfer of personal data to third countries. However, given the state of development of the internet at the time the directive was drawn up and the absence of criteria applicable to use of the internet, it takes the view that the Community legislature did not intend the expression "transfer of data to a third country" to cover the loading of data onto an internet page even if such data are thereby made accessible to persons in third countries.
The provisions of the directive do not in themselves entail a restriction contrary to the principle of freedom of expression or other fundamental rights. It is for the national authorities and courts responsible for applying the national legislation implementing the directive to ensure a fair balance between the rights and interests in question, including those fundamental rights.
(1)Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).