Bodil Lindqvist-part III.

This month E-Crime Expert is presenting relevant Case law and rulings regarding data protectionrights, law applicability and enforcement. Earlier, this blog presented what Social Networking Services and Internet are, how they work, possible risks and the European legal frameworkregarding privacy and personal data. The purpose of this new series is to show actually how the relevant law should be applied to the Internet and electronic environment in order to properly protect and enforce these fundamental (legal) rights of EU citizens: Privacy and Personal Data protection.

The first Case law presented it is the also the first of its kind: “Criminal proceedings against Bodil Lindqvist – Case C-101/01.”

The previous Blog posts presented the summary of this case and the applicable law, and the 7 seven questions addressed to ECJ.

Today’s post is presenting the Case analysis.

Case analyse:

The reference the Swedish Court of Appeal made to the ECJ was not under any obligations, it had a scope, a preliminary ruling in order to avoid differences of interpretation of EU law and its own ruling. Among other attributions, ECJ should offer preliminary rulings for cases which come before a national court involving an interpretation of EU law, when there is a doubt as to how that EU law should be interpreted.

“The ECJ will make a decision as to how the law should be interpreted or applied and will send that decision to the national court. The national court must then apply that decision to the case before it”.

Regarding weather the ECJ answered the questions adequately, in my opinion the European Union’s (EU) view on data protection is linked closely to the privacy issues, which is not always the right approach in dealing with data protection issues. The privacy concept as outlined in Art. 8 European Convention on Human Rights refers mainly to the right for private and family life, respect of private home and private correspondence. The data protection could include privacy issues but is not limited to them. Data protection means the right of a person to know which data were gathered in regards to her person, how the data are used, how the data are aggregated, where the data are transmitted, who and how the data are protected. Also has the right to have access to that data and to modify the data. In all cases the person has to accept for that data to be used by another person, government, or entity.

In this case, ECJ have seen the issue of disclosing medical information over the Internet as being just an issue of privacy. I will go further and say it is not just about this. For example, what if somebody posting on the Internet (on a social website for example) something which it is untrue regarding another person? It is not a privacy intrusion, but making information, which is not true, available to the public could do still harm. If someone writes an article on her personal Blog with untruthful information about another person, anyone searching for information on that person for a job interview for example, could not choose her based on that untrue information. This is the reason why I am saying that anyone has the right to know any information, data referring to her person, in order to allow her to accept the information, access it and to be able to modify it. In our case, what would have been the real harm done to the person with a broken leg, if for example her employer would have found out that the person is on a medical leave because she broke her leg dancing while being drunk, instead she got injured while walking on the street?

Regarding if the ECJ helped the Swedish Court of Appeal in deciding this case, in my view, ECJ addressed the referred questions in a limited and one-way manner, which this time may have had the right output for the interested parties. But what will happen next time when a very thin but fundamental difference could totally change the outcome of a legal ruling?

Though the ruling of ECJ in this case regarding data protection (in one the first of it’s kind), has important implications because it clarifies to individuals and companies that personal data has protection and no one can use it without prior authorization. Also, this case helped strengthen the position of the Supervisory Authority in data protection as outlined in the Directive 95/46/EC, by outlining that anyone has to consult this Authority in order to process personal data. Question number seven addressed to ECJ and its answer show that this Directive is rather broad and the Member States have difficulties in properly transposing it into their legislation with not much uniformity among them, because some Member States are applying it more strictly than others. The Directive 95/46/EC, if rigidly applied (through implementation of national laws) may have the effect of prohibiting what is regarded as a form of “legitimate activity”. Would be useful if the European Union could further stay involved and ensure if and how the Directive 95/46/EC is uniformly applied among the EU countries.

I am not sure how useful the answers to question number six was, because the Appeal Court was looking for an interpretation specifically in the applicability of two different legislative acts: The Directive 95/46 EC in contradiction with the European Convention on Human Rights. In my opinion the answer given by ECJ was not very useful because it was rather vague maybe in purpose. Also, I could understand the ECJ position as well, as long the question in discussion was in particular about this Directive 95/46/EC and not a legal lesson on how the EU legislation applies among the Member States in general.

In my opinion this was a useful warning given by ECJ to those interested in using, manipulating, accessing data, with no right or consent, but as I previously said, through the privacy perspective. At least it was a useful start, because since then more and more EU Countries used this Directive in the right direction. Also, it was a clarification given to those countries, which did not know what the Directive 95/46/EC meant by the transmitting of data to third countries. ECJ clarified that uploading personal information on a personal website, even though it could be accessible from a third country, is not qualified as transmitting data to those third countries. Based on this particular ruling, Sweden amended in 2004 its “Personal Data Act” by changing the everyday processing such as email correspondence and processing of personal data on the internet (“publication of running text on the internet”), to not fall anymore under processing personal data infringement.

This could be considered as a landmark decision in Data Protection and Privacy issues as ECJ ruled on a matter which has never been addressed until then. Why is a landmark Decision? Because since this ruling took place, almost all cases involving similar issues refer to this case: Case C-101/01, Bodil Lindqvist.

Last but not least it is worth it to be mentioned that the ECJ did not followed at all the opinion of the Advocate General Tizziano in this case (which is quite uncommon to not be taken into consideration at all). Also, in my opinion, ECJ tried to make a fair balance between fundamental rights and fundamental freedoms as well. Dealing with these sensitive issues, it is always hard to take a decision regarding fundamental rights and harm fundamental freedoms and vice-versa. It is very hard to find the proper balance in ruling in these matters. One cannot acknowledge one fundamental right over another in a categorical manner. In this particular case I guess the human rights “won” over human freedoms in the ECJ’s view.

Regarding if the Swedish Appeal Court followed the ECJ Judgment or not, I assume it did, because this was the purpose of referring those questions to it. Also, the amended their national law regarding Data Protection.

The value of the ECJ interpretation and of this Case analyses is that it clarifies and shows how the EU Data Protection should apply and enforce. Imagine the confusion coming from anyone pressing charges on their Facebook friends for posting photos, comments videos about other people (even their friends). This Case shows that the EU view of Data Protection does not consider processing when one post a picture of another on the Internet or transferring personal data when that picture is accessed from US for example on a SNS (Facebook). Because of this “limitation in scope” of the Directive, for us the Internet users is important to know how to properly use the Internet and stay safe. Awareness and education is the key in reaching this purpose!

Stay tuned for the next posts from this series.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

What do you think about this case? What do you think about ECJ’s interpretation? Should most of us be “guilty” based on the way we are using the Internet and SNS?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: