Bodil Lindqvist-part II.

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protection rights, law applicability and enforcement. Earlier, this blog presented what Social Networking Services and Internet are, how they work, possible risks and the European legal frameworkregarding privacy and personal data. The purpose of this new series is to show actually how the relevant law should be applied to the Internet and electronic environment in order to properly protect and enforce these fundamental (legal) rights of EU citizens: Privacy and Personal Data protection.

This month’s blog posts will focus on the most relevant rulings of the European Court Of Justice(ECJ) and the European Court of Human Rights (ECHR). Rulings that actually became a new source of EU Law by creating precedents of how the Directives, Regulations, Conventions should be read, applied and enforced within the all 27 EU Member States with regards to privacy and protection of personal data.

The first Case law presented it is the also the first of its kind: “Criminal proceedings against Bodil Lindqvist – Case C-101/01.”

The previous Blog post presented the summary of this case and the applicable law, here.

Today’s post is presenting the 7 questions addressed to the ECJ and the view of ECJ on this matter.

Questions addressed to ECJ:

1) “By its first question, the referring court asks whether the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46”.

The Court found that referring on the internet page to various persons and making them identifiable, giving their contact details, full names and phone numbers and even mentioning their hobbies, contravene to the Article 3(1) of Directive 95/46/EC because it constitutes processing of personal data by automatic means, without having permission or informing the Swedish Supervisory Authority. In other words the ECJ found appropriate the first ruling of the Swedish Court of District (the first National Instance which ruled on this case), in this particular matter of this case.

In my personal opinion, technically, we could consider that uploading, on your personal website, somebody else’s private information and details could constitute a violation of privacy and processing of personal data without authorization. I emphasize the word “technically” because I do not think that Mrs. Bodil Lindqvist had any idea that what she was doing was representing “processing of personal data”. She may have thought that what she was doing was funny and could be useful to her colleagues and also to the future candidates to her parish. On the other hand, not knowing the rule does not protected somebody against its consequences. As a summary I would like to say that every case should be considered on its own accord, not applying a general matrix without taking into consideration the human element in the equations.

2) “If the answer to the first question is no, can the act of setting up on an internet home page separate pages for about 15 people with links between the pages which make it possible to search by first name be considered to constitute the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system within the meaning of Article 3(1)”?

The answer for the first question was “yes” so the ECJ proceeded to answer the next addressed questions.

3) “Can the act of loading information of the type described about work colleagues onto a private home page, which is none the less accessible to anyone who knows its address be regarded as outside the scope of [Directive 95/46] on the ground that it is covered by one of the exceptions in Article 3(2)”?

After examining all the relevant information and input made available from all the parties involved in this case, ECJ answered that in this case, the uploading on a personal website somebody else’s private information and details represents a violation of privacy and processing of personal data without authorization, does not fall under any of the exceptions outlined in Article 8(1) of the Directive 95/46/EC.

4) “Is information on a home page stating that a named colleague has injured her foot and is on half-time on medical grounds personal data concerning health which, according to Article 8(1), may not be processed”?

The ECJ answered that in case of disclosure of personal data on the Internet referring in this case to an individual who had broken her leg and stayed at home on half-time medical leave, constitutes illegal traffic with personal data concerning health problems and it comes against to Article 8(1) of Directive 95/46/EC.

Again, in my opinion the ECJ ruling based on the Directive 95/46/EC, was correct but I am quite sure that Mrs. Bodil Lindqvist had no idea that she was dealing with “illegal traffic with personal data concerning health problems”.

5) “[Directive 95/46] prohibits the transfer of personal data to third countries in certain cases. If a person in Sweden uses a computer to load personal data onto a home page stored on a server in Sweden ─ with the result that personal data become accessible to people in third countries ─ does that constitute a transfer of data to a third country within the meaning of the directive? Would the answer be the same even if, as far as known, no one from the third country had in fact accessed the data or if the server in question was actually physically in a third country”?

ECJ found that loading personal data on a personal website stored on the Internet, does not represent transfer of data to a third country as stipulated in the Article 25 of Directive 95/46/EC.

In my opinion the ECJ ruling was fair by not interpreting the meaning of Article 25 of Directive 95/46/EC, ad literal this time. It should have applied the same interpretation in the three previous questions as well. Why was it fair: because if following the meaning of the “transfer of data to third countries (countries outside EU and EEA)” as outlined in the above mentioned Directive, then any person using the Internet and having her own website or even a social network account could be liable for doing this “transfer”. It is not sufficient to upload the data on a personal website in order to make that data available to “third countries” because somebody has to follow some steps (log in, log out), meet some requirements (geographical area), and also dispose of technical meanings (computer, Internet connection) in order to have access to the Internet where supposedly that data could be available. Even though, considering the globalization and spreadness of the Internet, it is hard to believe that somebody from the US for example would go directly to that data, which contains information referring to members of a certain parish, located in Sweden. In this case, the data was not “offered” on the Internet to someone interested in it.

6) “Can the provisions of [Directive 95/46], in a case such as the above, be regarded as bringing about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the EU and are enshrined in inter alia Article 10 of the European Convention on the Protection of Human Rights and Fundamental Freedoms”?

ECJ found that the National state should decide on matters which conflict between them as in this case the data protection and the freedom of expression are in conflict.

On one hand, an individual has to have protection for his personal data (Directive 95/46/EC) and also free movement of information among EU countries, on the other hand an individual has to have the liberty of expression of her religious believes for example, as provided by the Article 10 of the European Convention of Human Rights. In my opinion, here the ECJ was not very helpful by not offering a straightforward answer to the National Court. In a special situation like this, the ECJ should have given guidance to the National Court how to weight two Legislative acts, which come into conflict. The answer here would have been much simpler than to the other addressed questions, because someone cannot have granted her rights in case of doing an illegal activity. ECJ already gave its opinion on the previous five questions where it said that uploading personal data on the Internet constitutes illegal traffic with that data. Someone cannot be granted the right of freely expressing her religious or artistic beliefs when using, for example, stolen money (which was not the case here).

7) “Can a Member State, as regards the issues raised in the above questions, provide more extensive protection for personal data or give it a wider scope than the directive, even if none of the circumstances described in Article 13 exists”?

ECJ answered here that the Member State should provide the minimum level of protection as outlined in the Directive 95/46/EC, but it is not held liable if that level of protection goes higher, being adjusted to each Member State’s needs.

The answer of ECJ was fair enough because a Directive should be transposed into the National legislation by guaranteeing the application of what that Directive regulates.

A Directive does not go beyond what is necessary in order to achieve that particular objective that it was created for. But, if a Member State considers that for its national reality, the regulations that will be transposed into their national legislation from the Directive should be more rigid that will not be a problem.

Stay tuned for the next post that will present the Case analysis.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about the allegations and prosecution in this Case?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: