EU Directive 95/46, the so-called Data Protection Directive, was promulgated by the European Union in 1995 to protect the privacy rights of its citizens by limiting unauthorized “processing” and transfer of personal data. The directive contains a number of exemptions, including one for “purely personal or household activity” and another for “journalistic purposes or . . . artistic or literary expression . . . [when] necessary to reconcile the right to privacy with the rules governing freedom of expression.”
At the end of 1998, the defendant, a Swedish woman, created web pages at her home to provide information about her church parish. She included, without their consent, the first and/or last names of eighteen colleagues along with personal information regarding their jobs, hobbies, family circumstances, telephone numbers, and, in one case, a recent injury necessitating medical leave. After learning of displeasure at her posting of this personal information, the defendant took down the pages.
She was charged by a public prosecutor with three violations under Sweden’s 1998 national directive-implementing legislation: (1) processing “personal data by automatic means without giving prior written notification,” (2) processing “sensitive” personal data (in this case, concerning the recent injury) without authorization, and (3) transferring personal data to a third country without authorization. The defendant was found guilty by the Swedish district court and fined 4,300 SEK (approximately 550 USD).
Uncertain about the correct application of the law, the Swedish court of appeals sought guidance from the European Court of Justice on seven issues, including: (1) whether the mention of a person on a web page and/or statements about them qualifies as “processing” of personal data; (2) whether, if such a web page was “private” in the sense that its URL was not advertised, it would fall under the data protection directive’s exemption for data processing “by a natural person in the course of a purely personal or household activity”; (3) whether a comment regarding a colleague’s recent injury and medical leave constitutes “personal data concerning health” under the directive; (4) whether the availability of data on a web page housed on a Swedish server to persons outside Sweden constituted a “transfer of data to a third country,” and whether actual access to the data by persons in a third country must be shown; (5) whether the directive conflicted with the fundamental rights of EU citizens, particularly freedom of expression; and (6) whether an EU member state might provide protection for personal data beyond the scope of the directive.
The Court of Justice held that any “set of operations,” manual or automatic, performed on “information relating to an identified or identifiable natural person” fell within the scope of the directive. The defendant’s reference to a colleague’s injury and medical leave was also found to be in violation of the directive, the court ruling that “data concerning health . . . must be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual.” The court further found that posting data on the web could not be considered a “purely personal or household activity” because that information was made “accessible to an indefinite number of people.”
Noting that internet transfer was not directly addressed in the directive, however, the court declined to find unlawful transfer of data to a third country, “where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider which is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.”
Denying that the directive intrinsically violated freedom of expression, the court emphasized the duty of member states to find “proportionality” and “balance” between privacy and free expression in its implementation. “[I]t is for the authorities and courts of the Member States not only to interpret their national law in a manner consistent with Directive 95/46 but also to make sure they do not rely on an interpretation of it which would be in conflict with the fundamental rights protected by the Community.” Member states were further found free to expand the directive’s scope in national implementation legislation, consistent with its privacy protections and with regard for fundamental rights.