DATA PROTECTION AND PRIVACY
This case arose out of a simple set of facts. A religious instructor for the Swedish Church, Bodil Lindqvist, posted up webpages on her home computer which were aimed to help parishioners prepare for their confirmation. The administrator of the Swedish Church’s website provided a link from their website to the defendant’s webpages at her request. The webpages contained information about colleagues of the defendant with first names and in some instances full names, address and telephone numbers. The defendant also remarked that one colleague was on half time work because of medical reasons – she had injured her foot. The web pages were mildly humerous but the defendant had not asked for permission from any of the parties featured. She also had failed to notify the Datainspektionen, the relevant Swedish supervisory authority, of her activities.
The Defendant was charged with (i) processing personal data by automatic means with notification to the relevant authority (ii) processing sensitive personal data without authorisation and (iii) transferring the data to a third party [via the internet].The Gota Hovratt (Court of Appeal, Gota) referred the case to the European Court of Justice for clarification of EC Directive 95/46/EC.
Article 3.1 provides that “The Directive shall apply to the processing of personal data wholly or partly by automatic means.” Here the data was processed by the defendant and was personal – names, addresses, jobs etc, and so 3.1 applied. Article 3.2 excludes data processing when it is outside the scope of EC law and in any case concerning “public security, defence and state security … or for purely personal activities”. 3.2 does not exclude data processed for religious or educational activities. The Defendant would therefore fall under this section: she had processed data, had no exclusion, it was not personal use and she had not notified the Datainspektionen.
Article 8 provides that “member states shall prohibit … the processing of data concerning health.” Again the defendant fell within this heading. She had used medical information regarding her colleague’s injury.
Article 25 provides that “Member states shall provide that the transfer to a third country of personal data shall only take place .. if the third party country in question ensures an adequate level of protection”. The ECJ held that by placing the data on a website the defendant had not transferred the data to a third party country. This is quite an interesting point and can be compared to the recent case of Gutnick -v- Dow Jones (where publication on the Internet was held to be ‘global’ publication).
The ECJ finally held that the provisions of Directive 95/46 did not fall foul of Article 10 of the European Convention of Human Rights (freedom of expression). Measures taken by member states to implement the Directive and to protect personal data had to be fair and must balance the right to protection of privacy with the freedom of movement of personal data.